Nix, Lix, and Guix Package Managers Temporary Directory Vulnerability Allowing Unauthorized Actions

A vulnerability exists in the Nix, Lix, and Guix package managers due to the use of temporary build directories in a location that is world-readable and world-writable. This configuration allows standard users to manipulate the package manager into using directories with pre-existing content, which could lead to unauthorized actions or data manipulation. The issue is present in Nix versions prior to 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix versions prior to 2.91.2, 2.92.2, and 2.93.1; and Guix versions prior to 1.4.0-38.0e79d5b.

Impact

Exploitation of this vulnerability could result in unauthorized actions or data manipulation within the package management process, potentially leading to privilege escalation.

Reproduction

The vulnerability can be reproduced by creating a malicious Nix or Lix derivation that takes advantage of the temporary directory handling. This can be done by predicting the path of a temporary directory and using a derivation to place a symbolic link or a file that will be processed by the package manager, effectively tricking it into executing commands or actions based on the manipulated content.

Remediation

Users are advised to upgrade to Nix versions 2.24.15, 2.26.4, 2.28.4, or 2.29.1; Lix versions 2.91.2, 2.92.2, or 2.93.1; and Guix version 1.4.0-38.0e79d5b.