Nix and Lix Stack-to-Heap Overflow Vulnerability in NAR Parser Allowing Privilege Escalation

Vulnerability

A stack-to-heap overflow vulnerability has been identified in Nix versions prior to 2.34.7 and Lix versions prior to 2.95.2. The issue arises from unbounded recursion in the NAR (Nix Archive) parser, which can cause a stack overflow that overwrites heap memory. If certain conditions are met, this can be exploited to execute arbitrary code as the Nix daemon, which runs as root in multi-user installations. The vulnerability affects all users who can connect to the Nix daemon; the default configuration allows all users to connect.
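
The unbounded recursion described above is avoided when a parser tracks directory nesting in an explicit counter and rejects archives past a limit. The Python below is an added example, not code from Nix, Lix or this advisory, and not the fix those releases shipped. The function names, the limit of 64 and the sample archive are assumptions; the token layout follows the NAR format documented in the Nix manual.

```python
def nar_str(b):  # one NAR string: 64-bit LE length, data, zero padding to 8 bytes
    return len(b).to_bytes(8, "little") + b + b"\0" * (-len(b) % 8)

def sample_nar(dirs):  # constructed input: `dirs` nested directories, innermost empty
    node = [b"(", b"type", b"directory"]
    entry = [b"entry", b"(", b"name", b"d", b"node"]
    toks = (node + entry) * (dirs - 1) + node + [b")"] * (2 * dirs - 1)
    return b"".join(map(nar_str, [b"nix-archive-1"] + toks))

def nar_max_depth(data, limit=64):  # limit is an assumed value, not from Nix or Lix
    pos = 0
    def tok():  # read one string; a short read lands past the end and is rejected
        nonlocal pos
        n = int.from_bytes(data[pos:pos + 8], "little")
        start, pos = pos + 8, pos + 8 + (n + 7) // 8 * 8
        if pos > len(data):
            raise ValueError("string runs past end of archive")
        return data[start:start + n]
    def expect(*want):  # None matches any string
        if any(tok() != w and w is not None for w in want):
            raise ValueError("unexpected token before offset %d" % pos)
    expect(b"nix-archive-1")
    depth = deepest = 0
    while True:
        expect(b"(", b"type")  # start of a node
        kind = tok()
        if kind == b"directory":
            depth += 1  # explicit counter instead of one stack frame per level
            if depth > limit:
                raise ValueError("directory nesting exceeds %d" % limit)
            deepest = max(deepest, depth)
        elif kind in (b"regular", b"symlink"):
            while tok() != b")":  # leaf fields are key/value pairs; skip each value
                tok()
        else:
            raise ValueError("unknown node type")
        while True:
            if kind == b"directory":  # in a directory body: next entry or its end
                key = tok()
                if key == b"entry":
                    expect(b"(", b"name", None, b"node")
                    break  # go parse the entry's child node
                if key != b")":
                    raise ValueError("expected entry or )")
                depth -= 1
            if depth == 0:  # the root node just closed
                return deepest
            expect(b")")  # close the entry that wrapped the finished node
            kind = b"directory"  # back in the parent directory's body
```

Calling nar_max_depth(sample_nar(5)) returns 5, and the same input with limit=3 raises ValueError. Leaf field names are skipped rather than validated, so this is a depth pre-check and not a full NAR validator.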

Impact

Exploitation of this vulnerability could lead to arbitrary code execution as the Nix daemon user. A potential bypass of ASLR hardening would allow the stack-to-heap overflow to be exploited.

Remediation

Users are advised to upgrade to Nix versions 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7, and to Lix versions 2.95.2, 2.94.2, or 2.93.4.

Added: May 5, 2026, 1:19 AM
Updated: May 5, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 10.0
exploitability: 2.7
remediation: 7.7
relevance: 7.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.