CVE-2024-51481 – Nix allows macOS sandbox escape via built-in builders
https://notcve.org/view.php?id=CVE-2024-51481
Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as `builtin:fetchurl`, exposed to users with `import <nix/fetchurl.nix>`) were not executed in the macOS sandbox. Thus, these builders (which are running under the `nixbld*` users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4, and 2.24.10. Note that sandboxing is not enabled by default on macOS. • https://github.com/NixOS/nix/commit/597fcc98e18e3178734d06a9e7306250e8cb8d74 https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg • CWE-693: Protection Mechanism Failure •
CVE-2024-47174 – Credential leak when credentials are used with `<nix/fetchurl.nix>`
https://notcve.org/view.php?id=CVE-2024-47174
Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in case of a man-in-the-middle (MITM) attack. `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue. • https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90 https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038 https://github.com/NixOS/nix/pull/11585 https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c • CWE-287: Improper Authentication •
CVE-2024-45593 – Nix affected by unsafe NAR unpacking
https://notcve.org/view.php?id=CVE-2024-45593
Nix is a package manager for Linux and other Unix systems. A bug in Nix 2.24 prior to 2.24.6 allows a substituter or malicious user to craft a NAR that, when unpacked by Nix, causes Nix to write to arbitrary file system locations to which the Nix process has access. This will be with root permissions when using the Nix daemon. This issue is fixed in Nix 2.24.6. • https://github.com/NixOS/nix/commit/eb11c1499876cd4c9c188cbda5b1003b36ce2e59 https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-45049 – Nix Hydra Missing authentication when triggering evaluations
https://notcve.org/view.php?id=CVE-2024-45049
Hydra is a Continuous Integration service for Nix based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. • https://github.com/NixOS/hydra/security/advisories/GHSA-xv29-v93r-2f5v https://github.com/NixOS/nixpkgs/pull/337766 https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 https://mastodon.delroth.net/@delroth/113029832631860419 • CWE-306: Missing Authentication for Critical Function •
CVE-2024-43378 – calamares-nixos-extensions LUKS keyfile exposure regression on legacy BIOS systems
https://notcve.org/view.php?id=CVE-2024-43378
calamares-nixos-extensions provides Calamares branding and modules for NixOS, a distribution of GNU/Linux. Users who installed NixOS through the graphical installer who used manual disk partitioning to create a setup where the system was booted via legacy BIOS rather than UEFI; some disk partitions are encrypted; but the partitions containing either `/` or `/boot` are unencrypted; have their LUKS disk encryption key file in plain text either in `/crypto_keyfile.bin`, or in a CPIO archive attached to their NixOS initrd. `nixos-install` is not affected, nor are UEFI installations, nor was the default automatic partitioning configuration on legacy BIOS systems. The problem has been fixed in calamares-nixos-extensions 0.3.17, which was included in NixOS. The current installer images for the NixOS 24.05 and unstable (24.11) channels are unaffected. • https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-vfxf-gpmj-2p25 https://github.com/NixOS/calamares-nixos-extensions/security/advisories/GHSA-3rvf-24q2-24ww https://github.com/NixOS/calamares-nixos-extensions/pull/43 https://github.com/NixOS/nixpkgs/pull/331607 https://github.com/NixOS/nixpkgs/pull/334252 • CWE-256: Plaintext Storage of a Password •