Source: nix
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for nix.

CVE-2024-47174[0]:
| Nix is a package manager for Linux and other Unix systems. Starting
| in version 1.11 and prior to versions 2.18.8 and 2.24.8,
| `<nix/fetchurl.nix>` did not verify TLS certificates on HTTPS
| connections. This could lead to connection details such as full URLs
| or credentials leaking in case of a man-in-the-middle (MITM) attack.
| `<nix/fetchurl.nix>` is also known as the builtin derivation builder
| `builtin:fetchurl`. It's not to be confused with the evaluation-time
| function `builtins.fetchurl`, which was not affected by this issue.
| A user may be affected by the risk of leaking credentials if they
| have a `netrc` file for authentication, or rely on derivations with
| `impureEnvVars` set to use credentials from the environment. In
| addition, the commonplace trust-on-first-use (TOFU) technique of
| updating dependencies by specifying an invalid hash and obtaining it
| from a remote store was also vulnerable to a MITM injecting
| arbitrary store objects. This also applied to the impure derivations
| experimental feature. Note that this may also happen when using
| Nixpkgs fetchers to obtain new hashes when not using the fake hash
| method, although that mechanism is not implemented in Nix itself but
| rather in Nixpkgs using a fixed-output derivation. The behavior was
| introduced in version 1.11 to make it consistent with the Nixpkgs
| `pkgs.fetchurl` and to make `<nix/fetchurl.nix>` work in the
| derivation builder sandbox, which back then did not have access to
| the CA bundles by default. Nowadays, CA bundles are bind-mounted on
| Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a
| workaround, implement (authenticated) fetching with `pkgs.fetchurl`
| from Nixpkgs, using `impureEnvVars` and `curlOpts` as needed.

https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90
https://github.com/NixOS/nix/pull/11585
https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47174
    https://www.cve.org/CVERecord?id=CVE-2024-47174

Please adjust the affected versions in the BTS as needed.
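The advisory above names two things an operator can inventory locally: derivations that are built by the affected `builtin:fetchurl` builder (fixed-output downloads, possibly with a placeholder hash from the TOFU workflow or with `impureEnvVars` pulling credentials in), and the Nix version ranges that still lack the fix. The following is an added example, not part of this bug report, of Nix, or of Nixpkgs. It assumes the JSON shape that `nix derivation show` prints (an object keyed by `.drv` path, with `builder`, `env` and `outputs.<name>.hash`/`hashAlgo` fields), treats an all-zero sha256 as a heuristic marker of the "fake hash" TOFU flow, and reads the affected ranges as "from 1.11 up to but excluding 2.18.8, and from 2.19 up to but excluding 2.24.8" (release lines between 2.19 and 2.23 have no fixed release named, so they are treated as affected). The sample derivation JSON is constructed; the store paths and hashes in it are placeholders.

```python
import json
import re

# Builder name the advisory identifies as the affected one (`<nix/fetchurl.nix>`).
AFFECTED_BUILDER = "builtin:fetchurl"
# Hex form of the all-zero sha256 commonly used as a "fake hash" placeholder;
# treating it as a TOFU marker is a heuristic, not something the advisory defines.
PLACEHOLDER_SHA256_HEX = "0" * 64

# Constructed sample in the shape `nix derivation show` prints (a JSON object
# keyed by .drv path). Store paths and hashes are placeholders, not real data.
SAMPLE_DRV_JSON = json.dumps({
    "/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-example-1.0.tar.gz.drv": {
        "args": [],
        "builder": "builtin:fetchurl",
        "env": {
            "url": "https://example.invalid/example-1.0.tar.gz",
            "impureEnvVars": "http_proxy https_proxy",
        },
        "inputDrvs": {},
        "inputSrcs": [],
        "name": "example-1.0.tar.gz",
        "outputs": {
            "out": {
                "hash": PLACEHOLDER_SHA256_HEX,
                "hashAlgo": "sha256",
                "path": "/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-example-1.0.tar.gz",
            }
        },
        "system": "builtin",
    },
    "/nix/store/cccccccccccccccccccccccccccccccc-hello-2.12.drv": {
        "args": ["-e", "/nix/store/dddddddddddddddddddddddddddddddd-default-builder.sh"],
        "builder": "/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-bash/bin/bash",
        "env": {"name": "hello-2.12"},
        "inputDrvs": {},
        "inputSrcs": [],
        "name": "hello-2.12",
        "outputs": {"out": {"path": "/nix/store/ffffffffffffffffffffffffffffffff-hello-2.12"}},
        "system": "x86_64-linux",
    },
})


def audit_derivations(drv_json: str) -> list:
    """Return one finding per derivation that uses the affected builder."""
    findings = []
    for drv_path, drv in json.loads(drv_json).items():
        if drv.get("builder") != AFFECTED_BUILDER:
            continue
        out = drv.get("outputs", {}).get("out", {})
        env = drv.get("env", {})
        findings.append({
            "drv": drv_path,
            "url": env.get("url", ""),
            # A fixed-output derivation carries hashAlgo/hash on its output.
            "fixed_output": "hashAlgo" in out,
            # All-zero hash suggests a TOFU "copy the real hash from the error" flow.
            "placeholder_hash": out.get("hash") == PLACEHOLDER_SHA256_HEX,
            # Credentials taken from the builder environment widen what a MITM could see.
            "impure_env_vars": env.get("impureEnvVars", "").split(),
        })
    return findings


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def is_affected_version(version: str) -> bool:
    """Affected ranges as read from the advisory: [1.11, 2.18.8) and [2.19, 2.24.8)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Nix version: {version!r}")
    v = tuple(int(x or 0) for x in m.groups())
    return (1, 11, 0) <= v < (2, 18, 8) or (2, 19, 0) <= v < (2, 24, 8)


if __name__ == "__main__":
    for finding in audit_derivations(SAMPLE_DRV_JSON):
        print(finding)
    for ver in ("2.18.7", "2.18.8", "2.21.3", "2.24.8"):
        print(ver, "affected" if is_affected_version(ver) else "fixed/unaffected")
```

On a real system, feed the script the output of `nix derivation show -r <installable>` in place of the constructed sample. The audit only inventories which downloads went through the affected builder and whether they relied on a placeholder hash or environment credentials; it does not itself test certificate verification, so the remediation is still upgrading to 2.18.8 or 2.24.8 (or the `pkgs.fetchurl` workaround) and re-checking any hash that was obtained via the TOFU flow while an unfixed version was in use.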