Nix, Lix Flaws Permit System Privilege Escalation

Vulnerabilities recently found in two popular package managers, Nix and Lix, could allow attackers to execute code with the privileges of a background process running as root on NixOS and multi-user installations. The issue, for which no CVE has yet been assigned, stems from the nix-daemon background process, which grants unprivileged users access to build operations and the package store.

The vulnerability in the Nix package manager arises from missing limits on recursive directory processing in the NAR (Nix Archive) parsing code. Unbounded recursion can exhaust the coroutine stack and, because that stack has no guard pages, overwrite the heap-allocated memory that follows it, potentially allowing an attacker to escalate privileges. The issue has been addressed by limiting recursion depth, introducing memory guard pages, and implementing additional symlink checks in NAR.
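As an added illustration of the recursion problem described above, not code from Nix or Lix: a minimal Python reader for the public NAR encoding that builds a constructed nested archive and refuses to descend past a depth bound. The names `MAX_NESTING`, `nested_nar`, `parse_nar` and `accepts`, and the value 64, are choices made here, not values from the page or the fix.

```python
import io, struct
MAX_NESTING = 64  # constructed bound for this example; the page does not state the value the fix uses

def enc(s: bytes) -> bytes:
    """NAR string: 8-byte little-endian length, payload, zero padding to an 8-byte boundary."""
    return struct.pack("<Q", len(s)) + s + b"\0" * (-len(s) % 8)

def nested_nar(depth: int) -> bytes:
    """Constructed input: `depth` directories named "d" nested in each other, one file at the bottom."""
    node = b"".join(map(enc, (b"(", b"type", b"regular", b"contents", b"hi", b")")))
    for _ in range(depth):
        head = (b"(", b"type", b"directory", b"entry", b"(", b"name", b"d", b"node")
        node = b"".join(map(enc, head)) + node + enc(b")") + enc(b")")
    return enc(b"nix-archive-1") + node

def read_str(f: io.BytesIO) -> bytes:
    n = struct.unpack("<Q", f.read(8))[0]  # struct.error on a truncated archive
    s = f.read(n)
    if len(s) != n:
        raise ValueError("truncated string")
    f.read(-n % 8)  # skip zero padding to the 8-byte boundary
    return s
def expect(f: io.BytesIO, tok: bytes) -> None:
    if (got := read_str(f)) != tok:
        raise ValueError(f"expected {tok!r}, got {got!r}")

def parse_node(f: io.BytesIO, depth: int = 0):
    """Decode a node as bytes (regular file) or dict (directory), bounding directory nesting."""
    if depth > MAX_NESTING:  # the missing check: without it, recursion depth is set by the archive
        raise ValueError("directory nesting exceeds MAX_NESTING")
    expect(f, b"("); expect(f, b"type")
    kind = read_str(f)
    if kind == b"regular":
        expect(f, b"contents"); data = read_str(f); expect(f, b")"); return data
    if kind == b"directory":
        entries = {}
        while (tok := read_str(f)) == b"entry":
            expect(f, b"("); expect(f, b"name"); name = read_str(f); expect(f, b"node")
            entries[name] = parse_node(f, depth + 1); expect(f, b")")
        if tok == b")":
            return entries
    raise ValueError(f"malformed or unsupported node {kind!r}")

def parse_nar(buf: bytes):
    f = io.BytesIO(buf); expect(f, b"nix-archive-1"); return parse_node(f)
def accepts(buf: bytes) -> bool:
    try:
        return parse_nar(buf) is not None
    except (ValueError, struct.error):
        return False
```

An archive nested up to the bound parses normally; one level deeper is rejected before the parser's own stack becomes the limiting factor.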

According to reports, the vulnerability was introduced in Nix 2.24.4 and fixed in releases 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, and 2.28.7. In Lix, it was introduced in release 2.93.0 and fixed in 2.93.4, 2.94.2, and 2.95.2. The Guix package manager is not affected by this vulnerability.

The recent Nix updates also addressed a second, medium-severity (4.3 out of 10) vulnerability that allowed files to be written outside the root directory during archive extraction. Present in Nix since version 2.24.7, this issue let attackers exploit absolute file paths in tar files: entries with absolute paths were extracted without conversion.

Sources: reports, release notes, official announcements.