Flaws Found in Nix, Lix and Guix Package Managers

Recent security advisories disclose vulnerabilities in the package managers GNU Guix, Nix and Lix that allow privilege escalation and the execution of code with the rights of the users under which build jobs are launched. The vulnerabilities can be exploited to manipulate data in the build environment and to tamper with the build process. The issues are in the guix-daemon and nix-daemon background processes, which perform build operations on behalf of unprivileged users.

The vulnerabilities stem from accessing the temporary build directories by path instead of through directory file descriptors (dirfd). This allowed an attacker to replace a build directory under /tmp with a symbolic link. In addition, incorrect use of dirfd in the recursive deletion routine created a race condition that let an attacker change the owner of the build directory within a narrow time window.
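The pattern behind both issues is a time-of-check/time-of-use gap: the daemon resolves a path string under a directory the attacker can write to, and between two calls the attacker swaps a component for a symlink or changes the directory's metadata. As an added illustration (example code, not code from Nix, Lix or Guix), here is a recursive delete written the way the fixes call for: every step goes through a directory file descriptor with the `*at` system calls, symlinks are never followed, the opened directory is compared against the `lstat` result so a swapped directory is detected, and metadata changes use `fchmod` on the open descriptor rather than a path. The `demo_symlink_escape` fixture, its directory names and the scratch location under /tmp are assumptions constructed for this example.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened recursive delete. The unsafe shape it replaces is
 * lstat(path) / opendir(path) / unlink(path "/" name): each call re-resolves
 * the string, so an attacker who can write the parent (world-writable /tmp)
 * can swap a component for a symlink between two calls. Here every operation
 * is relative to parentfd and symlinks are removed, never followed. */
static int delete_tree_at(int parentfd, const char *name)
{
    struct stat st, st2;
    if (fstatat(parentfd, name, &st, AT_SYMLINK_NOFOLLOW) < 0) return -1;
    if (!S_ISDIR(st.st_mode))
        return unlinkat(parentfd, name, 0);   /* file or symlink: remove the entry only */

    int fd = openat(parentfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    /* The directory we opened must be the one we just stat'ed; otherwise it
     * was replaced underneath us and we refuse to descend. */
    if (fstat(fd, &st2) < 0 || st2.st_dev != st.st_dev || st2.st_ino != st.st_ino) {
        close(fd); errno = EAGAIN; return -1;
    }
    /* Metadata changes go through the fd as well, never through a path. */
    if (!(st2.st_mode & S_IWUSR) && fchmod(fd, (st2.st_mode & 07777) | S_IWUSR) < 0) {
        close(fd); return -1;
    }
    DIR *d = fdopendir(fd);                  /* takes ownership of fd */
    if (!d) { close(fd); return -1; }
    int rc = 0;
    for (;;) {                               /* rescan after each removal: readdir + unlink interleaving is unspecified */
        rewinddir(d);
        struct dirent *e; const char *victim = NULL;
        while ((e = readdir(d)) != NULL)
            if (strcmp(e->d_name, ".") && strcmp(e->d_name, "..")) { victim = e->d_name; break; }
        if (!victim) break;                  /* directory is empty */
        if (delete_tree_at(dirfd(d), victim) < 0) { rc = -1; break; }
    }
    closedir(d);
    return rc < 0 ? -1 : unlinkat(parentfd, name, AT_REMOVEDIR);
}

/* Demo fixture (constructed for this example): a scratch tree standing in for
 * /tmp. "outside" is a directory the daemon must never touch; "build" is the
 * build directory an unprivileged user has tampered with. Returns 1 if the
 * build directory was removed and "outside/secret" survived untouched. */
int demo_symlink_escape(int replace_top_level)
{
    char base[] = "/tmp/dirfd-demo-XXXXXX";
    if (!mkdtemp(base)) return -1;
    int basefd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (basefd < 0) return -1;

    mkdirat(basefd, "outside", 0700);
    close(openat(basefd, "outside/secret", O_WRONLY | O_CREAT, 0600));

    if (replace_top_level) {
        /* the whole build directory swapped for a symlink to somewhere else */
        symlinkat("outside", basefd, "build");
    } else {
        /* a symlink planted inside the build tree that points back outside */
        mkdirat(basefd, "build", 0700);
        mkdirat(basefd, "build/sub", 0700);
        close(openat(basefd, "build/sub/out", O_WRONLY | O_CREAT, 0600));
        symlinkat("../outside", basefd, "build/escape");
    }

    int rc = delete_tree_at(basefd, "build");
    struct stat st;
    int build_gone = fstatat(basefd, "build", &st, AT_SYMLINK_NOFOLLOW) < 0 && errno == ENOENT;
    int secret_ok  = fstatat(basefd, "outside/secret", &st, 0) == 0;

    delete_tree_at(basefd, "outside");       /* clean up the fixture */
    close(basefd);
    rmdir(base);
    return rc == 0 && build_gone && secret_ok;
}

int main(void)
{
    printf("symlink inside build dir: %s\n", demo_symlink_escape(0) == 1 ? "contained" : "FAILED");
    printf("build dir replaced by symlink: %s\n", demo_symlink_escape(1) == 1 ? "contained" : "FAILED");
    return 0;
}
```

The dev/inode comparison after `openat` is what closes the window the advisories describe: a path-based implementation has no way to tell that the directory it is about to walk is no longer the one it checked, whereas with an open descriptor the daemon keeps operating on the same inode no matter what the attacker renames in /tmp. The same discipline applies to ownership changes: an owner or mode set with `fchown`/`fchmod` on the descriptor cannot be redirected to another file by a rename race.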

Fixes are available in Lix 2.93, Nix 2.29 and Guix 1.4.0-38.0e79d5b. To exploit the vulnerabilities, an attacker must be able to submit arbitrary build jobs. For an attack via CVE-2025-46415 it is enough to be able to create files in /tmp on the build machine, while exploiting CVE-2025-46416 additionally requires the ability to run code in the main (host) process and network namespaces.

Sources: reports, release notes, official announcements.