lix/doc/manual/rl-next/cve-fod-fix.md

---
synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"
cls: 266
credits: [puck, jade, thufschmitt, tomberek, valentin]
category: Fixes
---

Since Lix fixed-output derivations run in the host network namespace (which we
wish to change in the future, see
[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open
abstract-namespace Unix sockets to each other and to programs on the host. Lix
contained a now-fixed time-of-check/time-of-use vulnerability where one
derivation could send writable handles to files in their final location in the
store to another over an abstract-namespace Unix socket, exit, then the other
derivation could wait for Lix to hash the paths and overwrite them.

The impact of this vulnerability is that two malicious fixed-output derivations
could create a poisoned path for the sources to Bash or similarly important
software containing a backdoor, leading to local privilege execution.

CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
release notes: add a bunch of them Also fix typos introduced by the commits I read. I have run the addDrvOutputDependencies release note past Ericson since I was confused by what the heck it was doing, and he was saying it was reasonable. Change-Id: Id015353b00938682f7faae7de43df7f991a5237e 2024-05-20 19:17:54 +00:00			`---`
			`synopsis: "Fix CVE-2024-27297 (GHSA-2ffj-w4mj-pg37)"`
			`cls: 266`
			`credits: [puck, jade, thufschmitt, tomberek, valentin]`
			`category: Fixes`
			`---`

			`Since Lix fixed-output derivations run in the host network namespace (which we`
			`wish to change in the future, see`
			`[lix#285](https://git.lix.systems/lix-project/lix/issues/285)), they may open`
			`abstract-namespace Unix sockets to each other and to programs on the host. Lix`
			`contained a now-fixed time-of-check/time-of-use vulnerability where one`
			`derivation could send writable handles to files in their final location in the`
			`store to another over an abstract-namespace Unix socket, exit, then the other`
			`derivation could wait for Lix to hash the paths and overwrite them.`

			`The impact of this vulnerability is that two malicious fixed-output derivations`
			`could create a poisoned path for the sources to Bash or similarly important`
			`software containing a backdoor, leading to local privilege execution.`

			`CppNix advisory: https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37`