CVE-2024-29864: 
NixOS vulnerability analysis and mitigation

Distrobox before version 1.7.0.1 contains a command injection vulnerability that allows attackers to execute arbitrary code through exported executables. The vulnerability was discovered in March 2024 and affects the core functionality of Distrobox's executable export feature (NVD, MITRE).

The vulnerability stems from improper handling of command arguments in exported binaries, where the arguments are interpreted by the shell, leading to potential command injection. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a severe security risk. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) (NVD).

The vulnerability allows attackers to execute arbitrary code via command injection into exported executables, potentially leading to complete system compromise. The high CVSS score indicates that successful exploitation could result in a total loss of confidentiality, integrity, and availability of the affected system (NVD).

The vulnerability has been fixed in Distrobox version 1.7.0.1. The fix involves modifying how command arguments are handled in the distrobox-enter functionality to prevent shell interpretation of arguments (Distrobox Commit).