lix/doc/manual/rl-next/cve-fod-fix.md
Jade Lovelace dcc7ea5498 release notes: add a bunch of them
Also fix typos introduced by the commits I read.

I have run the addDrvOutputDependencies release note past Ericson since
I was confused by what the heck it was doing, and he was saying it was
reasonable.

Change-Id: Id015353b00938682f7faae7de43df7f991a5237e
2024-05-22 21:13:56 +02:00

1,023 B

synopsis cls credits category
Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37) 266
puck
jade
thufschmitt
tomberek
valentin
Fixes

Since Lix fixed-output derivations run in the host network namespace (which we wish to change in the future, see lix#285), they may open abstract-namespace Unix sockets to each other and to programs on the host. Lix contained a now-fixed time-of-check/time-of-use vulnerability where one derivation could send writable handles to files in their final location in the store to another over an abstract-namespace Unix socket, exit, then the other derivation could wait for Lix to hash the paths and overwrite them.

The impact of this vulnerability is that two malicious fixed-output derivations could create a poisoned path for the sources to Bash or similarly important software containing a backdoor, leading to local privilege execution.

CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37