[rstarast]

This is fixed in 2.24.6: https://github.com/NixOS/nix/releases/tag/2.24.6

See also https://discourse.nixos.org/t/vulnerability-in-nix-2-24/5190... for updates.

Can someone link to the actual fix? It's a bit hard to navigate the git history for me...

[SSLy]

I think it is https://github.com/NixOS/nix/commit/12fa019ae558641df0a23a79...

[pablo1107]

How can such a simple code change fixes such a big vulnerability?

[SSLy]

Or maybe it's https://github.com/NixOS/nix/commit/35575873813f60fff26f27a6...

the commit log is tad unclear and the GHSA writer didn't bother themselves with linking the offending code

[rstarast]

Thanks, that one seems likely.

Hmm, though this seems to affect the case-hack thingy only, which seems like a macos-specific feature...