Nix and Lix Buffer Overflow Vulnerability Leading to Local Privilege Escalation

A buffer overflow vulnerability has been identified in Nix versions prior to 2.34.7 and in Lix versions 2.93.0 and prior. This vulnerability allows local attackers to execute arbitrary code as the daemon user, which is root in multi-user installations. The issue arises in the Nix daemon when it unpacks archives containing absolute paths, leading to directory traversal and the potential for writing to arbitrary files. This vulnerability requires access to the Nix daemon and the use of ASLR weakening techniques to exploit effectively.

Impact

Exploitation of this vulnerability could lead to unauthorized arbitrary code execution as the daemon user, with root privileges in multi-user environments.

Reproduction

The vulnerability can be reproduced by running the 'nix-prefetch-url --unpack' or 'nix store prefetch-file --unpack' commands on untrusted archives that contain absolute paths. This will cause the Nix daemon to write files outside of the intended extraction directory, taking advantage of the directory traversal flaw.

Remediation

Users can upgrade to Nix versions 2.34.7, 2.33.6, 2.32.8, 2.31.5, 2.30.5, 2.29.4, or 2.28.7. For Lix, the fixed versions are 2.93.4, 2.94.2, or 2.95.2.