Nix is a package manager and build system for Unix-like systems. Lix is
a community-maintained fork of Nix. Both provide a daemon used in
multi-user installations to perform privileged build and store operations.

The Nix and Lix projects are issuing a coordinated security advisory for
vulnerabilities in their daemon implementations.

A buffer overflow in the daemon may allow a local attacker with access
to the daemon interface to achieve arbitrary code execution as the
daemon user (root in typical multi-user installations).

CVE assignment is pending.

Fixes are available, and users are strongly encouraged to upgrade.

For full details (affected versions, fixed releases, mitigations), see:
https://discourse.nixos.org/t/security-advisory-local-privilege-escalation-in-lix-and-nix/77407

Martin