CVE-2024-51481 Information
Description
Nix is a package manager for Linux and other Unix systems. On macOS, built-in builders (such as builtin:fetchurl, exposed to users with import <nix/fetchurl.nix>) were not executed in the macOS sandbox. Thus these builders (which run under the nixbld* users) had read access to world-readable paths and write access to world-writable paths outside of the sandbox. This issue is fixed in 2.18.9, 2.19.7, 2.20.9, 2.21.5, 2.22.4, 2.23.4 and 2.24.10. Note that sandboxing is not enabled by default on macOS. The Nix sandbox is not primarily intended as a security mechanism but as an aid to improve the reproducibility and purity of Nix builds. However, sandboxing can mitigate the impact of other security issues by limiting what parts of the host system a build has access to.
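As an added practical check (example script written for this page, not code from the advisory or the Nix project), the following POSIX shell compares a `nix --version` string against the fixed releases listed above, and reports the effective `sandbox` setting found in a nix.conf file, since the fix only matters on a host where sandboxing has been turned on. Assumptions made here: releases in a series newer than 2.24 (or any later major version) are treated as containing the fix, series older than 2.18 are reported as having no listed fixed release, and pre-release version strings are rejected rather than guessed at. The sample nix.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Example check for CVE-2024-51481 (added here; not part of the advisory or of Nix).

# Fixed releases named in the CVE description, keyed by the 2.x minor series.
fixed_patch_for_minor() {
    case "$1" in
        18) echo 9 ;;
        19) echo 7 ;;
        20) echo 9 ;;
        21) echo 5 ;;
        22) echo 4 ;;
        23) echo 4 ;;
        24) echo 10 ;;
        *)  echo "" ;;
    esac
}

# cve_2024_51481_status VERSION
# Accepts "2.24.9" or the full "nix (Nix) 2.24.9" line printed by `nix --version`.
# Prints one of: fixed, vulnerable, assumed-fixed, unsupported-series, unparseable.
# Exit status is 0 only for fixed / assumed-fixed.
cve_2024_51481_status() {
    ver=${1##* }                       # keep the last whitespace-separated field
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unparseable; return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Pre-release strings such as "2.24.10pre20241101_abcdef" are not guessed at.
    case "$patch" in
        ''|*[!0-9]*) echo unparseable; return 1 ;;
    esac
    # Assumption: anything newer than the 2.24 series carries the fix.
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 24 ]; }; then
        echo assumed-fixed; return 0
    fi
    # Series older than 2.18 have no fixed release listed in the advisory.
    if [ "$major" -lt 2 ] || [ "$minor" -lt 18 ]; then
        echo unsupported-series; return 1
    fi
    need=$(fixed_patch_for_minor "$minor")
    if [ "$patch" -ge "$need" ]; then
        echo fixed; return 0
    fi
    echo vulnerable; return 1
}

# nix_conf_sandbox FILE
# Prints the value of the last "sandbox = ..." assignment in a nix.conf file
# ("true", "false", "relaxed", ...), ignoring comments, or "unset" if absent.
# Keys such as extra-sandbox-paths are deliberately not matched.
nix_conf_sandbox() {
    val=unset
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in
            *sandbox*=*)
                key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
                [ "$key" = sandbox ] || continue
                val=$(printf '%s' "${line#*=}" | tr -d ' \t')
                ;;
        esac
    done < "$1"
    echo "$val"
}

# Stand-alone demonstration on the local host, when nix is installed.
if command -v nix >/dev/null 2>&1; then
    echo "nix version: $(cve_2024_51481_status "$(nix --version)")"
    for f in /etc/nix/nix.conf "$HOME/.config/nix/nix.conf"; do
        [ -r "$f" ] && echo "$f: sandbox = $(nix_conf_sandbox "$f")"
    done
fi
```

Because sandboxing is off by default on macOS, a host reporting `sandbox = unset` or `false` gets no benefit from the fix; upgrading to a fixed release and setting `sandbox = true` together is what limits what `builtin:fetchurl` can read and write on the host.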
Reference
https://github.com/NixOS/nix/security/advisories/GHSA-wf4c-57rh-9pjg
https://github.com/NixOS/nix/commit/597fcc98e18e3178734d06a9e7306250e8cb8d74