Nix, Lix, and Guix Package Managers Race Condition Vulnerability Allowing Arbitrary File Deletion

Vulnerability

A race condition vulnerability has been identified in the Nix, Lix, and Guix package managers, allowing local users to delete files from arbitrary directories. This issue arises from a flawed recursive deletion function that fails to properly manage temporary file paths, creating a window for exploitation. The vulnerability affects Nix versions prior to 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix versions prior to 2.91.2, 2.92.2, and 2.93.1; and Guix versions prior to 1.4.0-38.0e79d5b.

Impact

Exploitation of this vulnerability can lead to unauthorized deletion of files, including sensitive system files such as '/etc/passwd', when the Nix daemon is running as root.

Reproduction

The vulnerability can be reproduced by starting a build as a user who has access to the Nix daemon. During the build, the build process can predict the temporary directory path and use malicious derivations to smuggle out file descriptors. This takes advantage of the Nix daemon's recursive file deletion routine, allowing files to be intercepted and modified before their ownership has been fully transferred to the intended user.
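The flaw described above is a time-of-check/time-of-use race in path-based recursive deletion. As an added illustration (not the Nix, Lix or Guix code and not their actual fix), the C below shows the defensive pattern of deleting a tree through directory file descriptors with O_NOFOLLOW, so that an entry swapped for a symlink while deletion is running is removed as a link rather than followed into another directory; the function names and the fixture under /tmp are constructed for this example.

```c
#define _GNU_SOURCE            /* glibc: expose openat/fdopendir/unlinkat/mkdtemp/O_CLOEXEC */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete the contents of the directory open on dirfd without re-resolving any path:
 * children are unlinked/opened relative to the parent fd and directories are opened
 * with O_NOFOLLOW, so a symlink swapped in mid-deletion is unlinked, never followed. */
static int delete_tree_fd(int dirfd) {
    DIR *d = fdopendir(dirfd);                 /* takes ownership of dirfd */
    if (!d) { close(dirfd); return -1; }
    struct dirent *e; int rc = 0;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (unlinkat(dirfd, e->d_name, 0) == 0) continue;      /* file or symlink: gone */
        if (errno != EISDIR && errno != EPERM) { rc = -1; continue; }
        /* A directory: the open fails (ENOTDIR/ELOOP) if it was swapped for a link meanwhile */
        int child = openat(dirfd, e->d_name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
        if (child < 0 || delete_tree_fd(child) != 0 ||
            unlinkat(dirfd, e->d_name, AT_REMOVEDIR) != 0) rc = -1;
    }
    closedir(d); return rc;
}

/* Open the root with O_NOFOLLOW (a symlinked root is rejected), empty it, then rmdir() it. */
int delete_tree(const char *path) {
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0 || delete_tree_fd(fd) != 0) return -1;
    return rmdir(path);                        /* rmdir() never follows symlinks */
}

/* Constructed fixture (not from the advisory): root/sub/file plus a planted link
 * root/sub/escape -> ../../outside; outside/keep must survive. Returns 1 on success. */
int demo_symlink_not_followed(void) {
    char base[] = "/tmp/deltreeXXXXXX";
    if (!mkdtemp(base) || chdir(base) != 0) return 0;
    if (mkdir("root", 0700) || mkdir("root/sub", 0700) || mkdir("outside", 0700)) return 0;
    if (close(open("root/sub/file", O_CREAT | O_WRONLY, 0600))) return 0;
    if (close(open("outside/keep", O_CREAT | O_WRONLY, 0600))) return 0;
    if (symlink("../../outside", "root/sub/escape")) return 0;
    if (delete_tree("root") != 0) return 0;
    /* root must be gone, and the file behind the planted link must be intact */
    struct stat st; int ok = lstat("root", &st) != 0 && lstat("outside/keep", &st) == 0;
    unlink("outside/keep"); rmdir("outside"); (void)chdir("/"); rmdir(base); /* tear down */
    return ok;
}
```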

Remediation

Users are advised to upgrade to Nix versions 2.24.15, 2.26.4, 2.28.4, or 2.29.1; Lix versions 2.91.2, 2.92.2, or 2.93.1; and Guix version 1.4.0-38.0e79d5b. Instructions for upgrading Guix on NixOS and other distributions are available on the Guix website.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 0.0
exploitability: 3.2
remediation: 7.7
relevance: 0.2
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.