From 6f63fbf85a1dd1e25cbd789eba4fd0d12ff2eb55 Mon Sep 17 00:00:00 2001
From: Emily
Date: Wed, 14 Aug 2024 15:15:25 +0100
Subject: [PATCH 1/4] olm: mark as vulnerable

See .

(cherry picked from commit e4767b4727589567da29a90a71947c2bdbe43988)
---
 pkgs/development/libraries/olm/default.nix | 39 ++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/pkgs/development/libraries/olm/default.nix b/pkgs/development/libraries/olm/default.nix
index bb7553c2eb3eb2b..f95574198710912 100644
--- a/pkgs/development/libraries/olm/default.nix
+++ b/pkgs/development/libraries/olm/default.nix
@@ -27,5 +27,44 @@ stdenv.mkDerivation rec { homepage = "https://gitlab.matrix.org/matrix-org/olm"; license = licenses.asl20; maintainers = with maintainers; [ tilpner oxzi ]; + knownVulnerabilities = [ '' + The libolm end‐to‐end encryption library used in many Matrix + clients and Jitsi Meet has been deprecated upstream, and relies + on a cryptography library that has known side‐channel issues and + disclaims that its implementations are not cryptographically secure + and should not be used when cryptographic security is required. + + It is not known that the issues can be exploited over the network in + practical conditions. Upstream has stated that the library should + not be used going forwards, and there are no plans to move to a + another cryptography implementation or otherwise further maintain + the library at all. + + You should make an informed decision about whether to override this + security warning, especially if you critically rely on end‐to‐end + encryption. If you don’t care about that, or don’t use the Matrix + functionality of a multi‐protocol client depending on libolm, + then there should be no additional risk. + + Some clients are investigating migrating away from libolm to maintained + libraries without known vulnerabilities. + + For further information, see: + + * The libolm deprecation notice: + + + * The warning from the cryptography code used by libolm: + + + * The blog post disclosing the details of the known vulnerabilities: + + + * The Matrix.org project lead’s response to the disclosure: + + + * A (likely incomplete) aggregation of client tracking issue links: + + '' ]; }; } From 56e4b26ab18e0ebd3f08b07accdc52b41b751534 Mon Sep 17 00:00:00 2001 
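Review bot: The closing sentence of the new warning, `If you don’t care about that, or don’t use the Matrix functionality of a multi‐protocol client depending on libolm, then there should be no additional risk.`, folds two different situations into one reassurance: a user whose client never exercises libolm at all, and a user who does use Matrix end‐to‐end encryption but "doesn’t care" about it, for whom the cryptography the warning describes as having side‐channel issues is still being run on their behalf. I would only claim "no additional risk" for the first case, e.g. `If you do not use the Matrix functionality of a multi‐protocol client depending on libolm, the affected code is never exercised and there should be no additional risk.`, and describe the second as accepting weaker confidentiality guarantees. The same string also carries a duplicated article in `move to a another cryptography implementation`. Since nixpkgs prints this text verbatim in the refusal message to anyone evaluating the package, it deserves the care of user‐facing documentation.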
From: Emily
Date: Wed, 14 Aug 2024 15:15:25 +0100
Subject: [PATCH 2/4] {cinny,fluffychat,jitsi-meet}: inherit vulnerabilities from olm

These vendor the libolm code.

(cherry picked from commit bbfd5d10851a4953301e0373d8749b8fe41bc31f)
---
 .../networking/instant-messengers/cinny/default.nix | 2 ++
 .../networking/instant-messengers/fluffychat/default.nix | 2 ++
 pkgs/servers/web-apps/jitsi-meet/default.nix | 3 ++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/pkgs/applications/networking/instant-messengers/cinny/default.nix b/pkgs/applications/networking/instant-messengers/cinny/default.nix
index f3ae1665fe3d993..c84b65d98e267b5 100644
--- a/pkgs/applications/networking/instant-messengers/cinny/default.nix
+++ b/pkgs/applications/networking/instant-messengers/cinny/default.nix
@@ -10,6 +10,7 @@
 , pango
 , stdenv
 , darwin
+, olm
 , conf ? { }
 }:
@@ -63,5 +64,6 @@ buildNpmPackage rec {
 maintainers = with maintainers; [ abbe ashkitten ];
 license = licenses.agpl3Only;
 platforms = platforms.all;
+ inherit (olm.meta) knownVulnerabilities;
 };
 }
diff --git a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
index 66d7abc0822d0ce..b5b0343b639f724 100644
--- a/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
+++ b/pkgs/applications/networking/instant-messengers/fluffychat/default.nix
@@ -8,6 +8,7 @@
 , pulseaudio
 , makeDesktopItem
 , gnome
+, olm
 , targetFlutterPlatform ? "linux"
 }:
@@ -44,6 +45,7 @@ flutter319.buildFlutterApplication (rec {
 maintainers = with maintainers; [ mkg20001 gilice ];
 platforms = [ "x86_64-linux" "aarch64-linux" ];
 sourceProvenance = [ sourceTypes.fromSource ];
+ inherit (olm.meta) knownVulnerabilities;
 };
 } // lib.optionalAttrs (targetFlutterPlatform == "linux") {
 nativeBuildInputs = [ imagemagick ];
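Review bot: The added `inherit (olm.meta) knownVulnerabilities;` in cinny's meta reuses a warning whose text talks about overriding "this security warning" for libolm, but the override a user will actually need is, as far as I recall, an entry for cinny's own name in `permittedInsecurePackages`, since the check is enforced on the derivation being evaluated rather than on olm; the inherited text does not say so. Nothing in the hunk records why a package that only vendors libolm now takes `olm` as an argument, so a future cleanup could easily drop it as unused; a one‐line comment above the inherit, `# cinny vendors libolm; mirror its vulnerability marker so users see the same warning`, would prevent that. The enclosing `buildNpmPackage rec { … }` block starts outside the hunk.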
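Review bot: The fluffychat hunk makes evaluation of this package depend on reading `olm.meta` while olm itself is now an unpermitted insecure package, and the hunk gives no evidence that merely referencing the meta of such a package does not abort evaluation; I believe nixpkgs only enforces the check on the outputs, but it is worth confirming with an eval of `fluffychat.meta.knownVulnerabilities` without `NIXPKGS_ALLOW_INSECURE` set before merging. A short comment such as `# fluffychat vendors libolm; reuse its vulnerability warning` would also explain why `olm` is an argument that never appears in any build input list. The enclosing `flutter319.buildFlutterApplication (rec { … })` call starts outside the hunk.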
diff --git a/pkgs/servers/web-apps/jitsi-meet/default.nix b/pkgs/servers/web-apps/jitsi-meet/default.nix
index e7956b6c694ac53..f52c57bdf3e45e9 100644
--- a/pkgs/servers/web-apps/jitsi-meet/default.nix
+++ b/pkgs/servers/web-apps/jitsi-meet/default.nix
@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, nixosTests }:
+{ lib, stdenv, fetchurl, nixosTests, olm }:
 stdenv.mkDerivation rec {
 pname = "jitsi-meet";
@@ -34,5 +34,6 @@ stdenv.mkDerivation rec {
 license = licenses.asl20;
 maintainers = teams.jitsi.members;
 platforms = platforms.all;
+ inherit (olm.meta) knownVulnerabilities;
 };
 }

From c59e18b238b8890e48d11c5c426e277cb568c284 Mon Sep 17 00:00:00 2001
From: Emily
Date: Fri, 23 Aug 2024 19:09:46 +0100
Subject: [PATCH 3/4] olm: add more information to `knownVulnerabilities`

CVE numbers were assigned, and This Week in Matrix included an announcement from the Matrix.org project lead. An official post from the Matrix.org Foundation is apparently still pending.

(cherry picked from commit 069f7de1e790f0e4826609e3d2e0224360af4dfa)
---
 pkgs/development/libraries/olm/default.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/pkgs/development/libraries/olm/default.nix b/pkgs/development/libraries/olm/default.nix
index f95574198710912..3fda0206ace5781 100644
--- a/pkgs/development/libraries/olm/default.nix
+++ b/pkgs/development/libraries/olm/default.nix
@@ -51,6 +51,12 @@ stdenv.mkDerivation rec { For further information, see: + * The CVE records for the known vulnerabilities: + + * CVE-2024-45191 + * CVE-2024-45192 + * CVE-2024-45193 + * The libolm deprecation notice:
@@ -60,8 +66,9 @@ stdenv.mkDerivation rec { * The blog post disclosing the details of the known vulnerabilities: - * The Matrix.org project lead’s response to the disclosure: - + * The announcement in This Week in Matrix from the Matrix.org + project lead: + * A (likely incomplete) aggregation of client tracking issue links:
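Review bot: Marking jitsi-meet itself as insecure via `inherit (olm.meta) knownVulnerabilities;` will also affect whatever NixOS test is wired through the `nixosTests` argument in the first hunk, which presumably now has to set `nixpkgs.config.permittedInsecurePackages` for the package or it will refuse to evaluate; the patch does not touch the test, so that should be checked before merging. Unlike the Matrix clients, jitsi-meet lives under `pkgs/servers/web-apps`, so the inherited advice about "the Matrix functionality of a multi‐protocol client" does not describe where its vendored libolm ends up (presumably in the web assets served to browsers); a package‐specific comment above the inherit, `# jitsi-meet vendors libolm; reuse the olm warning (the affected code ships in the served web bundle)`, would say so without duplicating the long text. The enclosing `stdenv.mkDerivation rec { … }` block starts before the second hunk.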
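Review bot: In the first olm hunk of PATCH 3/4, the new `* The CVE records for the known vulnerabilities:` list gives only the bare identifiers `CVE-2024-45191`, `CVE-2024-45192` and `CVE-2024-45193`, so a user deciding whether to override the warning must leave the message to learn which primitive or operation each one concerns. A few words after each identifier would make the list self‐contained; the surrounding text already does this for the other references. The `knownVulnerabilities` string being edited starts and ends outside both hunks.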
From 11e7332807fa4acf95d73c1a64c8723a9c41e678 Mon Sep 17 00:00:00 2001
From: Sumner Evans
Date: Wed, 28 Aug 2024 13:30:21 -0600
Subject: [PATCH 4/4] olm: update vulnerability description

Additional information has been published by upstream about why they believe the vulnerability to not be exploitable over the network: https://matrix.org/blog/2024/08/libolm-deprecation/

This commit

* updates the text of the vulnerability warning to indicate that upstream does not believe the issues to be exploitable over the network, and
* adds a link to the blog post.

Co-authored-by: Emily
Signed-off-by: Sumner Evans
(cherry picked from commit 537d3c4b5a34815dca0d8b83cb3e379a9e1fa2a9)
---
 pkgs/development/libraries/olm/default.nix | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/pkgs/development/libraries/olm/default.nix b/pkgs/development/libraries/olm/default.nix
index 3fda0206ace5781..f0a6c47d4ca7282 100644
--- a/pkgs/development/libraries/olm/default.nix
+++ b/pkgs/development/libraries/olm/default.nix
@@ -34,11 +34,11 @@ stdenv.mkDerivation rec { disclaims that its implementations are not cryptographically secure and should not be used when cryptographic security is required. - It is not known that the issues can be exploited over the network in - practical conditions. Upstream has stated that the library should - not be used going forwards, and there are no plans to move to a - another cryptography implementation or otherwise further maintain - the library at all. + It is not known if the issues can be exploited over the network in + practical conditions. Upstream does not believe such an attack is + feasible, but has stated that the library should not be used going + forward, and there are no plans to move to a another cryptography + implementation or otherwise further maintain the library at all. You should make an informed decision about whether to override this security warning, especially if you critically rely on end‐to‐end
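Review bot: The rewritten paragraph still carries the duplicated article from the text it replaces, on the added line `forward, and there are no plans to move to a another cryptography`, which should read `forward, and there are no plans to move to another cryptography`; since this is the message nixpkgs prints to every user who evaluates the package, it is worth fixing in the same commit. The new clause `Upstream does not believe such an attack is feasible` matches the commit description, but placing it before "has stated that the library should not be used" makes the reassurance land before the actionable deprecation; I would state the deprecation first and add upstream's assessment as a trailing qualifier, e.g. `Upstream has stated that the library should not be used going forward (although it does not believe a practical network attack is feasible), and there are no plans …`. The `knownVulnerabilities` string this hunk edits starts and ends outside the hunk.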
@@ -66,9 +66,9 @@ stdenv.mkDerivation rec { * The blog post disclosing the details of the known vulnerabilities: - * The announcement in This Week in Matrix from the Matrix.org - project lead: - + * The statement about the deprecation and vulnerabilities from the + Matrix.org Foundation: + * A (likely incomplete) aggregation of client tracking issue links: