CVE-2024-27297

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-27297
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-27297.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-27297
Aliases
  • GHSA-2ffj-w4mj-pg37
Related
Published
2024-03-11T22:15:55Z
Modified
2024-11-22T05:46:26.193055Z
Summary
[none]
Details

Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:11 / guix

Package

Name
guix
Purl
pkg:deb/debian/guix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.0-4+deb11u2

Affected versions

1.*

1.2.0-4
1.2.0-4+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / guix

Package

Name
guix
Purl
pkg:deb/debian/guix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.0-3+deb12u1

Affected versions

1.*

1.4.0-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / guix

Package

Name
guix
Purl
pkg:deb/debian/guix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.0-6

Affected versions

1.*

1.4.0-3
1.4.0-4
1.4.0-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:11 / nix

Package

Name
nix
Purl
pkg:deb/debian/nix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.7+dfsg1-1
2.3.10+dfsg1-1
2.6.0+dfsg-1
2.6.0+dfsg-2
2.6.0+dfsg-3
2.7.0+dfsg-1
2.7.0+dfsg-2
2.7.0+dfsg-3
2.7.0+dfsg-4
2.7.0+dfsg-5
2.8.0-1
2.8.0-1.1
2.16.1+dfsg-1
2.16.1+dfsg-2
2.16.1+dfsg-3
2.17.1+dfsg-1
2.18.1+dfsg-1
2.22.1+dfsg-1
2.23.3+dfsg-1
2.23.3+dfsg-2
2.24.8+dfsg-1
2.24.9+dfsg-1
2.24.9+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / nix

Package

Name
nix
Purl
pkg:deb/debian/nix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.8.0-1.1
2.16.1+dfsg-1
2.16.1+dfsg-2
2.16.1+dfsg-3
2.17.1+dfsg-1
2.18.1+dfsg-1
2.22.1+dfsg-1
2.23.3+dfsg-1
2.23.3+dfsg-2
2.24.8+dfsg-1
2.24.9+dfsg-1
2.24.9+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / nix

Package

Name
nix
Purl
pkg:deb/debian/nix?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.22.1+dfsg-1

Affected versions

2.*

2.8.0-1.1
2.16.1+dfsg-1
2.16.1+dfsg-2
2.16.1+dfsg-3
2.17.1+dfsg-1
2.18.1+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/nixos/nix

Affected ranges

Type
GIT
Repo
https://github.com/nixos/nix
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

1.*

1.0
1.1
1.10
1.11
1.11.1
1.2
1.3
1.4
1.5
1.5.1
1.5.2
1.5.3
1.6
1.6.1
1.7
1.8
1.9

2.*

2.0
2.2
2.20.0
2.20.1
2.20.2
2.20.3
2.20.4