Critical correctness bug in Lix
32 points by FedericoSchonborn
Here’s what I did on aarch64-darwin:
# check I was indeed affected
$ nix --version
# find last-known-good version. NOT 2.91.2, 2.92.2, or 2.93.1
$ ls /nix/store | grep '\-lix'
# 'up'grade nix to a previous, unaffected version
$ sudo nix upgrade-nix --store-path /store/path/to/old/abc123-lix-2.xx.x
# now you can follow the instructions to verify/repair
$ sudo su
(root) $ nix-store --version # just to be sure you are on the right version
(root) $ nix store ping # double check
(root) $ NIX_REMOTE=local nix-store --verify --repair
# In theory you can now upgrade nix. How you do this depends on whether
# you're on `nix-darwin`, `home-manager`, or a bare install. I am on a bare
# install, so I did:
$ nix upgrade-nix
# and to double check:
$ nix --version
nix (Lix, like Nix) 2.93.2
System type: aarch64-darwin
In practice, I ran into one (I think) unrelated bug which I’ve documented here.
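An added shell example (mine, not the commenter's commands above) that turns the first two manual steps of that procedure into checks: it parses `nix --version` output for the affected Lix releases named in the comment, and filters an `ls /nix/store` listing down to candidate last-known-good `-lix-` store entries to pass to `nix upgrade-nix --store-path`. The version string format it assumes is the one shown in the comment; the listing and version it runs on are constructed.

```shell
# Added example, not part of the comment above. Encodes the "check I was
# affected" and "find last-known-good version" steps as shell functions.
# Assumes the `nix --version` format shown in the comment: "nix (Lix, like Nix) X.Y.Z".
AFFECTED="2.91.2 2.92.2 2.93.1"   # affected Lix releases, as named in the comment

# lix_version_affected "<nix --version output>"
#   prints the Lix version; exit 0 = affected, 1 = Lix but not affected,
#   2 = not Lix or unrecognised output (e.g. plain Nix).
lix_version_affected() {
  v=$(printf '%s\n' "$1" | sed -n 's/^nix (Lix, like Nix) \([0-9][0-9.]*\).*/\1/p')
  [ -n "$v" ] || return 2
  echo "$v"
  for a in $AFFECTED; do
    if [ "$v" = "$a" ]; then return 0; fi
  done
  return 1
}

# pick_good_lix "<ls /nix/store output>"
#   prints entries of the form <hash>-lix-<version> whose version is not affected:
#   the candidates for `nix upgrade-nix --store-path`. Entries with an output
#   suffix (-dev, -doc, ...) are skipped, since they are not the main output.
pick_good_lix() {
  printf '%s\n' "$1" | grep -- '-lix-[0-9][0-9.]*$' | while IFS= read -r entry; do
    ver=${entry##*-lix-}
    bad=0
    for a in $AFFECTED; do
      if [ "$ver" = "$a" ]; then bad=1; fi
    done
    if [ "$bad" -eq 0 ]; then echo "$entry"; fi
  done
}

# Constructed sample input (fake hashes) so this runs offline; in real use
# pass "$(nix --version)" and "$(ls /nix/store)" instead.
SAMPLE_VERSION='nix (Lix, like Nix) 2.93.1
System type: aarch64-darwin'
SAMPLE_LISTING='aaaa-lix-2.93.1
bbbb-lix-2.93.1-dev
cccc-lix-2.90.0
dddd-hello-2.12
eeee-lix-2.92.2
ffff-lix-2.91.1'

if lix_version_affected "$SAMPLE_VERSION" >/dev/null; then
  echo "affected; candidate last-known-good entries for --store-path:"
  pick_good_lix "$SAMPLE_LISTING"
fi
```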
Does this affect nix as well (e.g. nix 2.28.4), or is this lix-only?
I had a look at the commit history of both the relevant nix (2.29.1) and lix (2.91.2) releases and, as far as I can tell, while Lix and Nix both used the same fix for the underlying CVE, there were additional changes later added on the Lix side to attempt to mitigate the wider class of problems that caused this correctness bug. These changes never made it to Nix, so Nix was never affected.