Critical Local Privilege Escalation Vulnerability Discovered in Nix and Lix Package Managers

Tech Essays Reporter

Nix and Lix package managers contain buffer overflow vulnerabilities that could allow local attackers to gain root privileges. The vulnerabilities have been patched in recent releases, with all users urged to update immediately.

The Nix and Lix package manager ecosystems face a significant security challenge with the discovery of buffer overflow vulnerabilities in their respective daemon implementations. These vulnerabilities, tracked as GHSA-vh5x-56v6-4368 for Nix (with CVE pending), could allow local attackers to execute arbitrary code with the privileges of the daemon user, which on multi-user installations effectively means root access.

Technical Analysis of the Vulnerabilities

The buffer overflow vulnerabilities exist in the daemon components of both Nix and Lix. For an attacker to successfully exploit these issues, several conditions must be met:

  1. The attacker must have local access to the system
  2. The attacker must be permitted to communicate with the Nix/Lix daemon (either through allowed-users or trusted-users configuration)
  3. The attacker must employ ASLR (Address Space Layout Randomization) weakening techniques
  4. Substituters could theoretically trigger the issue, but they get too few attempts to mount a practical attack

These stacked preconditions reduce the severity somewhat compared to completely unrestricted vulnerabilities, but the issue remains serious in multi-user environments where trust boundaries exist.

Affected Systems and Versions

The vulnerabilities impact the following package manager versions:

  • Nix: All versions ≥ 2.24.4 are affected
  • Lix: All versions ≥ 2.93.0 are affected
  • Guix: Not affected by this vulnerability

Notably, this is a coordinated disclosure between the Nix and Lix projects, demonstrating a commitment to responsible security practices across related open-source projects.

Available Fixes and Mitigations

Both projects have released patched versions addressing these vulnerabilities:

Nix Fixed Versions

2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, 2.28.7

The Nix security release includes additional patches for an unrelated path traversal vulnerability (GHSA-gr92-w2r5-qw5p, CVE pending). Users can update through the standard Nix channels, with specific pull requests available in the NixOS/nixpkgs repository for various branches including 25.11 and unstable.

Lix Fixed Versions

2.93.4, 2.94.2, 2.95.2

Lix users should update to these patched versions, with updates available through the Nixpkgs repository as well.

Defense-in-Depth Measures

Beyond patching the specific vulnerabilities, NixOS has implemented additional hardening measures to increase the effectiveness of ASLR, making exploitation of similar vulnerabilities more difficult in the future. This defense-in-depth approach demonstrates a mature understanding of security challenges in package management systems.

Implications for the Nix Ecosystem

This vulnerability highlights the critical security considerations in package management systems that operate with elevated privileges. The Nix daemon's design, which requires running as a privileged user to perform system-wide installations, creates a significant attack surface that must be carefully protected.

For organizations and individuals using Nix or Lix in multi-user environments, this advisory underscores the importance of:

  1. Regularly updating to the latest patched versions
  2. Carefully configuring access controls for the daemon
  3. Monitoring for suspicious activity that might indicate exploitation attempts
  4. Considering the principle of least privilege when configuring user access
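The first two actions above, checking a daemon's version against the fixed releases listed earlier and reviewing who may reach the daemon, as an added Python example (not code from the Nix or Lix projects). It assumes the nix.conf keys `allowed-users` and `trusted-users` with their defaults of `*` and `root` when absent; the version strings and configuration text are constructed samples.

```python
import re

# Version data copied from the advisory: first affected release per product and
# the patched release of each maintained series.
FIRST_AFFECTED = {"nix": (2, 24, 4), "lix": (2, 93, 0)}
FIXED = {
    "nix": [(2, 28, 7), (2, 29, 4), (2, 30, 5), (2, 31, 5), (2, 32, 8), (2, 33, 6), (2, 34, 7)],
    "lix": [(2, 93, 4), (2, 94, 2), (2, 95, 2)],
}

def parse_version(text):
    """Pull MAJOR.MINOR.PATCH out of strings like 'nix (Nix) 2.31.4' or 'lix 2.93.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())

def version_status(product, text):
    """Classify as 'not-affected', 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(text)
    if v < FIRST_AFFECTED[product]:
        return "not-affected"  # predates the bug
    for fixed in FIXED[product]:
        if v[:2] == fixed[:2]:  # same release series as a listed fix
            return "patched" if v >= fixed else "vulnerable"
    if v[:2] < FIXED[product][0][:2]:
        return "vulnerable"  # affected series with no fix listed, e.g. Nix 2.24-2.27
    return "unknown"  # newer than any series the advisory lists; verify by hand

def daemon_access(conf_text):
    """Return (allowed_users, trusted_users) from nix.conf text. Assumed defaults when a
    key is absent: allowed-users '*' (everyone may reach the daemon), trusted-users 'root'."""
    settings = {"allowed-users": ["*"], "trusted-users": ["root"]}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        key, sep, value = line.partition("=")
        if sep and key.strip() in settings:
            settings[key.strip()] = value.split()
    return settings["allowed-users"], settings["trusted-users"]

def review(product, version_text, conf_text):
    """Worst case: a vulnerable daemon that every local user is allowed to talk to."""
    status = version_status(product, version_text)
    allowed, trusted = daemon_access(conf_text)
    return status, ("*" in allowed or "*" in trusted)

# Constructed sample input, not taken from any real host.
SAMPLE_CONF = "experimental-features = nix-command flakes\nallowed-users = @wheel alice\ntrusted-users = root\n"
if __name__ == "__main__":
    print(review("nix", "nix (Nix) 2.31.4", SAMPLE_CONF))
```

On a real host, feed `version_status` the output of `nix --version` and `daemon_access` the contents of `/etc/nix/nix.conf`.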

Acknowledgments

The security community has played a crucial role in identifying and addressing these vulnerabilities. Special thanks to:

  • @edef with assistance from Sander (@sandydoo) for reporting the issues and working with development teams
  • eldritch horrors (@pennae) and Raito Bezarius (@RaitoBezarius) on the Lix side for mitigation efforts
  • @xokdvium on the Nix side for implementing fixes
  • @hexa and @tgerbet on the NixOS security team for coordinating the response

This collaborative approach to security is essential for maintaining the integrity of critical infrastructure components like package managers.

Conclusion

While the exploitation requirements for these vulnerabilities limit their immediate impact, the potential for privilege escalation in multi-user Nix and Lix environments necessitates prompt action. System administrators and users should prioritize updating to the patched versions and review their access configurations to ensure only trusted users can interact with the package manager daemons.

The coordinated response from both Nix and Lix projects demonstrates the value of security collaboration in related open-source ecosystems. As more organizations adopt Nix-based systems for reproducible builds and declarative configurations, such security considerations become increasingly critical to maintaining trust in these infrastructure tools.
