| Advisory | Severity | Published | Description |
|---|---|---|---|
| BDSA-2025-5790 | Low | Jul 01, 2025 | Nix, Lix, and Guix are vulnerable to unauthorized actions or data manipulation due to the use of temporary build directories in a world-readable and world-writable location. This could allow an attacker to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. |
| BDSA-2025-5789 | Low | Jul 01, 2025 | Nix, Lix, and Guix are vulnerable to improper permission handling due to a failure in setting permissions when a derivation build fails. This could allow an attacker to modify the content of a store outside of the build sandbox, potentially compromising the integrity of the package management system. |
| BDSA-2025-5788 | Medium | Jul 01, 2025 | Nix, Lix, and Guix are vulnerable to a race condition due to improper handling of file ownership changes during package builds. This could allow an attacker to change the ownership of arbitrary files to the user ID and group ID of the build user, potentially leading to unauthorized access or privilege escalation. |
| BDSA-2025-5769 | Low | Jun 30, 2025 | The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. **Note: CVE details have been utilized in generating this advisory. The details of the vulnerability have not been independently verified by Black Duck CyRC.** |
| BDSA-2025-5764 | Low | Jun 30, 2025 | A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. **Note: CVE details have been utilized in generating this advisory. The details of the vulnerability have not been independently verified by Black Duck CyRC.** |
| BDSA-2024-8838 | High | Dec 06, 2024 | GNU Guix is vulnerable to privilege escalation due to improper handling of file metadata in the guix-daemon component. This could allow an attacker to access build outputs before security measures for setuid and setgid programs are enforced. **Note: The authoring of this BDSA has been AI-assisted. The full technical details of the vulnerability have not been independently verified by the Black Duck Cybersecurity Research Center (CyRC).** |