Nix
cpe:2.3:a:nix_project:nix:*:*:*:*:rust:*:*
- <= 2.24.14
- <= 2.26.3
- <= 2.28.3
- <= 2.29.0
A vulnerability exists in the Nix, Lix, and Guix package managers due to improper permission handling when a derivation build fails. The flaw may allow arbitrary processes to alter store contents from outside the designated build sandbox. It affects multiple release branches of all three package managers: Nix versions prior to 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix versions prior to 2.91.2, 2.92.2, and 2.93.1; and Guix versions prior to 1.4.0-38.0e79d5b.
Exploitation of this vulnerability could lead to unauthorized modification of store contents, potentially allowing privilege escalation through manipulated build outputs or access to sensitive files.
The vulnerability can be reproduced by initiating a derivation build as a user with permission to access the Nix daemon's socket. This is possible on a multi-user system where untrusted code can reach the daemon's socket, typically located at '/var/guix/daemon-socket/socket'. During the build, the process can predict temporary directory paths and use malicious derivations to exfiltrate file descriptors, bypassing the intended build isolation.
Users are advised to upgrade to Nix versions 2.24.15, 2.26.4, 2.28.4, or 2.29.1; Lix versions 2.91.2, 2.92.2, or 2.93.1; and Guix version 1.4.0-38.0e79d5b.
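As an added example (not part of the advisory and not code from the Nix, Lix, or Guix projects), the following Python check reports whether an installed version predates the fixed release on its branch, using only the fixed versions listed above. It assumes Guix's "1.4.0-38.0e79d5b" means "tag-<commits since tag>.<commit hash>" and that `--version` output ends with a version-like token; the sample output strings are constructed.

```python
import re

# Earliest fixed release on each affected branch, taken from the advisory above.
FIXED_VERSIONS = {
    "nix": ["2.24.15", "2.26.4", "2.28.4", "2.29.1"],
    "lix": ["2.91.2", "2.92.2", "2.93.1"],
    "guix": ["1.4.0-38.0e79d5b"],
}

# Matches "2.24.15" as well as Guix's "1.4.0-38.0e79d5b" (tag-commits.hash).
VERSION_RE = re.compile(r"\d+(?:\.\d+)+(?:-\d+\.[0-9a-f]+)?")


def parse_version(text):
    """Turn a version string into a comparable tuple.

    Assumption: in Guix's "1.4.0-38.0e79d5b" the suffix is
    "<commits since tag>.<hash>"; only the commit count is ordered, so the
    hash is dropped and a bare "1.4.0" counts as zero commits past the tag.
    """
    base, _, suffix = text.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    commits = int(suffix.split(".")[0]) if suffix else 0
    return numbers + (commits,)


def is_affected(manager, version):
    """True if `version` predates the fix on its major.minor branch,
    False if it is at or past that fix, None if the advisory names no
    fix for that branch (so the advisory alone cannot decide)."""
    installed = parse_version(version)
    for fixed in FIXED_VERSIONS[manager]:
        fixed_parsed = parse_version(fixed)
        if fixed_parsed[:2] == installed[:2]:  # same release branch
            return installed < fixed_parsed
    return None


def check_version_output(manager, output):
    """Check the text printed by `nix --version` / `guix --version`.
    Assumes the version is the last version-like token on the line."""
    matches = VERSION_RE.findall(output)
    if not matches:
        raise ValueError(f"no version found in {output!r}")
    return is_affected(manager, matches[-1])


if __name__ == "__main__":
    # Constructed sample lines, not captured output.
    for manager, output in [("nix", "nix (Nix) 2.28.3"),
                            ("guix", "guix (GNU Guix) 1.4.0-38.0e79d5b")]:
        print(manager, output, "->", check_version_output(manager, output))
```

A result of None means the installed branch is not covered by the advisory's list (for example a branch newer than those named), and should be checked against the project's own release notes rather than treated as fixed.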