Background On Friday, March 29th, 2024, a historical and sophisticated security vulnerability (CVE-2024-3094) was discovered in the XZ Utils package and liblzma api in version 5.6.0 and 5.6.1. While this vulnerability mostly affects Debian and RedHat distributions, there was some interesting discussion regarding xz and Nix. How did this affect Nix and NixOS? The truth is not a whole lot in reality. I saw conflicting reports, but supposedly, the tarballs of xz that Nix downloads were not infected.
    • starmanOPEnglish
      61·
      11 months ago

      That’s true, but you have to know there was a backdoor first. If someone doesn’t know, and they use the latest version, they’re vulnerable to attack

          • λλλEnglish
            2·
            11 months ago

            I believe the point they were making is that if you are techy enough to use nix, they are likely the type to keep up to date with news like this.

      • pbsds@lemmy.mlEnglish
        4·
        11 months ago

        If the issue had been critical, then the branch head could be rolled back, causing everyone to downgrade

        • Atemu@lemmy.mlEnglish
          2·
          11 months ago

          That’s a nice idea in theory but not possible in practice as the last Nixpkgs revision without a tainted version of xz is many months old. You’d trade one CVE for dozens of others.

    • Atemu@lemmy.mlEnglish
      1·
      11 months ago

      That works for leaf packages but not for core node packages. Every package depends on xz in some way; it’s in the stdenv aswell as bootstrap.

        • Atemu@lemmy.mlEnglish
          1·
          11 months ago

          Those packages themselves depend on xz. Pretty much all of them.

          What you’re suggesting would only make the xz executable not be backdoored anymore but any other application using liblzma would still be as vulnerable as before. That’s actually the only currently known attack vector; inject malicious code into SSHD via liblzma.