Diffstat (limited to 'doc/manual/rl-next/cve-fod-fix.md')
-rw-r--r-- | doc/manual/rl-next/cve-fod-fix.md | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/doc/manual/rl-next/cve-fod-fix.md b/doc/manual/rl-next/cve-fod-fix.md new file mode 100644 index 000000000..4499f639b --- /dev/null +++ b/doc/manual/rl-next/cve-fod-fix.md @@ -0,0 +1,21 @@ +--- +synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)" +cls: 266 +credits: [puck, jade, thufschmitt, tomberek, valentin] +category: Fixes +--- + +Since Lix fixed-output derivations run in the host network namespace (which we +wish to change in the future, see +[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open +abstract-namespace Unix sockets to each other and to programs on the host. Lix +contained a now-fixed time-of-check/time-of-use vulnerability where one +derivation could send writable handles to files in their final location in the +store to another over an abstract-namespace Unix socket, exit, then the other +derivation could wait for Lix to hash the paths and overwrite them. + +The impact of this vulnerability is that two malicious fixed-output derivations +could create a poisoned path for the sources to Bash or similarly important +software containing a backdoor, leading to local privilege execution. + +CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37 |
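Review bot: "leading to local privilege execution" in the impact paragraph is not a recognised term and reads like a typo for "local privilege escalation", which is the consequence the paragraph is describing (a backdoored Bash or similar software in the store); suggest changing it to "leading to local privilege escalation". A second, smaller point: the note says the time-of-check/time-of-use bug is "now-fixed" but never states what behaviour changed, so a reader of the release notes cannot tell what Lix now does differently with handles received over abstract-namespace Unix sockets or with the hashing step; one sentence on the mitigation, alongside the existing link to the CppNix advisory, would make the entry self-contained.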