Release 3.19.1 (2026-05-04)

What's Changed

Fix for GHSA-vh5x-56v6-4368: Coroutine stack-to-heap overflow via unbounded recursion in NAR directory parser

Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser runs on a coroutine stack. That stack was allocated without a guard page, so a stack overflow could overwrite heap memory and, if ASLR hardening is bypassed, could allow arbitrary code execution as the Nix daemon (which runs as root in multi-user installations). The vulnerability can be exploited by any user able to connect to the Nix daemon (configurable via the allowed-users setting; all users by default).

The vulnerability is present since 2.24.4.

For more details, see the upstream advisory GHSA-vh5x-56v6-4368.

Many thanks to edef for reporting this issue and to Sergei Zimmerman and edef for implementing the fix and several hardening improvements.

Fix for GHSA-gr92-w2r5-qw5p: Absolute path traversal when unpacking archives to disk

When an archive (e.g. a tarball) contains entries with absolute paths, the nix-prefetch-url --unpack and nix store prefetch-file --unpack commands would write to a location outside the extraction root. The builtin:unpack-channel builtin derivation builder is also affected, but it is sandboxed the same way as regular derivation builds, so in sandboxed builds it cannot be used to achieve an arbitrary file write on the host filesystem.

Other archive unpacking (builtins.fetchTarball, builtins.fetchTree and tarball-based flake inputs) is not affected, since Nix stores the unpacked tarball in a bare git repository (.cache/nix/tarball-cache or .cache/nix/tarball-cache-v2).

This primarily affects packagers running nix-prefetch-url --unpack on untrusted archives.
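As an added illustration (not Nix code, and not the upstream fix), the containment check an unpacker needs before writing an entry from an untrusted archive: an absolute entry name, or one that climbs out with "..", must be rejected rather than joined onto the extraction root. The archive contents, the entry names and the extraction root below are constructed for the example.

```python
import io
import os
import tarfile


def is_within_root(root: str, member_name: str) -> bool:
    """True if root/member_name, after normalisation, still lies under root.

    os.path.join() silently discards root when member_name is absolute, which
    is exactly the behaviour behind an absolute-path traversal, so absolute
    names are refused explicitly before any join is attempted."""
    root_abs = os.path.realpath(root)
    if os.path.isabs(member_name):
        return False
    target = os.path.realpath(os.path.join(root_abs, member_name))
    return target == root_abs or target.startswith(root_abs + os.sep)


def vet_members(tar: tarfile.TarFile, root: str):
    """Split archive members into (accepted, rejected) names without
    writing anything to disk; only accepted members may be extracted."""
    accepted, rejected = [], []
    for member in tar.getmembers():
        (accepted if is_within_root(root, member.name) else rejected).append(member.name)
    return accepted, rejected


def build_sample_tar() -> bytes:
    """Constructed sample archive: one benign entry, one absolute-path entry
    and one '..' entry. The names are made up for this example."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/default.nix", "/etc/passwd", "../outside.txt"):
            data = b"constructed content\n"
            info = tarfile.TarInfo(name)  # addfile() keeps the name verbatim
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def vet_sample(root: str = "extract-root"):
    """Run the check over the constructed archive against a constructed root."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_tar()), mode="r") as tar:
        return vet_members(tar, root)
```

On Python 3.12 and later, tarfile's extractall(filter="data") applies the same absolute-path and ".." refusal built in.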

The vulnerability is present since 2.24.7.

For more details, see the upstream advisory GHSA-gr92-w2r5-qw5p.

Many thanks to edef for reporting this issue and to Sergei Zimmerman for implementing the fix.

Bug fixes

Full Changelog: v3.19.0...v3.19.1