CVE-2024-47174 Information
Description
Nix is a package manager for Linux and other Unix systems. Starting in version 1.11 and prior to versions 2.18.8 and 2.24.8, <nix/fetchurl.nix> did not verify TLS certificates on HTTPS connections. This could lead to connection details such as full URLs or credentials leaking in the case of a man-in-the-middle (MITM) attack. <nix/fetchurl.nix> is also known as the builtin derivation builder builtin:fetchurl. It is not to be confused with the evaluation-time function builtins.fetchurl, which was not affected by this issue. A user may be at risk of leaking credentials if they have a netrc file for authentication or rely on derivations with impureEnvVars set to use credentials from the environment.

In addition, the commonplace trust-on-first-use (TOFU) technique of updating dependencies by specifying an invalid hash and obtaining it from a remote store was also vulnerable to a MITM injecting arbitrary store objects. This also applied to the impure derivations experimental feature. Note that this may also happen when using Nixpkgs fetchers to obtain new hashes when not using the fake hash method, although that mechanism is not implemented in Nix itself but rather in Nixpkgs using a fixed-output derivation.

The behavior was introduced in version 1.11 to make it consistent with the Nixpkgs pkgs.fetchurl and to make <nix/fetchurl.nix> work in the derivation builder sandbox, which back then did not have access to the CA bundles by default. Nowadays CA bundles are bind-mounted on Linux. This issue has been fixed in Nix 2.18.8 and 2.24.8. As a workaround, implement (authenticated) fetching with pkgs.fetchurl from Nixpkgs, using impureEnvVars and curlOpts as needed.
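As an added illustration of the workaround described above (example code, not from the Nix project or the advisory), the following Nix expression fetches a credential-protected artifact through Nixpkgs pkgs.fetchurl, whose curl invocation verifies the server certificate when the CA bundle is available to the builder, instead of through builtin:fetchurl. The host example.com and the variables EXAMPLE_USER and EXAMPLE_TOKEN are assumed placeholders.

```nix
# Added example, not from the Nix advisory: authenticated fetching via
# pkgs.fetchurl (a Nixpkgs fixed-output derivation running curl with TLS
# verification) instead of builtin:fetchurl (<nix/fetchurl.nix>), which
# skipped certificate checks in the versions affected by CVE-2024-47174.
# Hypothetical names: example.com, EXAMPLE_USER, EXAMPLE_TOKEN.
{ pkgs ? import <nixpkgs> { } }:

pkgs.fetchurl {
  url = "https://example.com/private/source-1.0.tar.gz";

  # Placeholder hash: replace it with the real SRI hash reported by the first
  # certificate-verified fetch, and never commit the fake hash.
  hash = pkgs.lib.fakeHash;

  # Extra curl flags. Do not add --insecure / -k here; these only tighten the
  # fetch by refusing plain-http URLs, including after a redirect.
  curlOpts = "--fail --proto =https --proto-redir =https";

  # Write a netrc file in the build directory; pkgs.fetchurl hands it to curl
  # with --netrc-file. The credentials come from the caller's environment, so
  # the derivation must list them as impure variables (netrcImpureEnvVars).
  netrcPhase = ''
    cat > netrc <<EOF
    machine example.com
    login $EXAMPLE_USER
    password $EXAMPLE_TOKEN
    EOF
  '';
  netrcImpureEnvVars = [ "EXAMPLE_USER" "EXAMPLE_TOKEN" ];
}
```

Build it with nix-build after exporting the two variables; with the sandbox enabled only the listed variables reach the builder, and the secrets never appear in the store path or the URL.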
Reference
https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c
https://github.com/NixOS/nix/pull/11585
https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90
https://github.com/NixOS/nix/commit/5db358d4d78aea7204a8f22c5bf2a309267ee038