UBUNTU-CVE-2024-27297

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-27297

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-27297.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2024-27297

Related

CVE-2024-27297

Published

2024-03-11T22:15:00Z

Modified

2024-11-20T12:16:13Z

Summary

[none]

Details

Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another program running on the host (or another fixed-output derivation) via Unix domain sockets in the abstract namespace. This allows to modify the output of the derivation, after Nix has registered the path as "valid" and immutable in the Nix database. In particular, this allows the output of fixed-output derivations to be modified from their expected content. This issue has been addressed in versions 2.3.18 2.18.2 2.19.4 and 2.20.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Ubuntu:22.04:LTS / guix

Package

Name: guix
Purl: pkg:deb/ubuntu/guix?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.2.0-4

1.3.0-2

1.3.0-4

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / nix

Package

Name: nix
Purl: pkg:deb/ubuntu/nix?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.10+dfsg1-1

2.3.10+dfsg1-1build1

2.6.0+dfsg-2

2.6.0+dfsg-3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / nix

Package

Name: nix
Purl: pkg:deb/ubuntu/nix?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.18.1+dfsg-1ubuntu5

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / guix

Package

Name: guix
Purl: pkg:deb/ubuntu/guix?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0-6

Affected versions

1.*

1.4.0-5

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.4.0-6",
            "binary_name": "guix"
        },
        {
            "binary_version": "1.4.0-6",
            "binary_name": "guix-dbgsym"
        }
    ]
}

Ubuntu:24.04:LTS / nix

Package

Name: nix
Purl: pkg:deb/ubuntu/nix?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.16.1+dfsg-3ubuntu1

2.18.1+dfsg-1ubuntu1

2.18.1+dfsg-1ubuntu2

2.18.1+dfsg-1ubuntu4

2.18.1+dfsg-1ubuntu5

Ecosystem specific

{
    "ubuntu_priority": "medium"
}