[24.05] olm: mark as vulnerable

pkgs/applications/networking/instant-messengers/cinny/default.nix

@@ -10,6 +10,7 @@
 , pango
 , stdenv
 , darwin
+, olm
 , conf ? { }
 }:
 
@@ -63,5 +64,6 @@ buildNpmPackage rec {
     maintainers = with maintainers; [ abbe ashkitten ];
     license = licenses.agpl3Only;
     platforms = platforms.all;
+    inherit (olm.meta) knownVulnerabilities;
   };
 }

pkgs/applications/networking/instant-messengers/fluffychat/default.nix

@@ -8,6 +8,7 @@
 , pulseaudio
 , makeDesktopItem
 , gnome
+, olm
 
 , targetFlutterPlatform ? "linux"
 }:
@@ -44,6 +45,7 @@ flutter319.buildFlutterApplication (rec {
     maintainers = with maintainers; [ mkg20001 gilice ];
     platforms = [ "x86_64-linux" "aarch64-linux" ];
     sourceProvenance = [ sourceTypes.fromSource ];
+    inherit (olm.meta) knownVulnerabilities;
   };
 } // lib.optionalAttrs (targetFlutterPlatform == "linux") {
   nativeBuildInputs = [ imagemagick ];

pkgs/development/libraries/olm/default.nix

@@ -27,5 +27,51 @@ stdenv.mkDerivation rec {
     homepage = "https://gitlab.matrix.org/matrix-org/olm";
     license = licenses.asl20;
     maintainers = with maintainers; [ tilpner oxzi ];
+    knownVulnerabilities = [ ''
+      The libolm end‐to‐end encryption library used in many Matrix
+      clients and Jitsi Meet has been deprecated upstream, and relies
+      on a cryptography library that has known side‐channel issues and
+      disclaims that its implementations are not cryptographically secure
+      and should not be used when cryptographic security is required.
+
+      It is not known if the issues can be exploited over the network in
+      practical conditions. Upstream does not believe such an attack is
+      feasible, but has stated that the library should not be used going
+      forward, and there are no plans to move to a another cryptography
+      implementation or otherwise further maintain the library at all.
+
+      You should make an informed decision about whether to override this
+      security warning, especially if you critically rely on end‐to‐end
+      encryption. If you don’t care about that, or don’t use the Matrix
+      functionality of a multi‐protocol client depending on libolm,
+      then there should be no additional risk.
+
+      Some clients are investigating migrating away from libolm to maintained
+      libraries without known vulnerabilities.
+
+      For further information, see:
+
+      * The CVE records for the known vulnerabilities:
+
+        * CVE-2024-45191
+        * CVE-2024-45192
+        * CVE-2024-45193
+
+      * The libolm deprecation notice:
+        <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/README.md#important-libolm-is-now-deprecated>
+
+      * The warning from the cryptography code used by libolm:
+        <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>
+
+      * The blog post disclosing the details of the known vulnerabilities:
+        <https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
+
+      * The statement about the deprecation and vulnerabilities from the
+        Matrix.org Foundation:
+        <https://matrix.org/blog/2024/08/libolm-deprecation/>
+
+      * A (likely incomplete) aggregation of client tracking issue links:
+        <https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
+    '' ];
   };
 }

pkgs/servers/web-apps/jitsi-meet/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, nixosTests }:
+{ lib, stdenv, fetchurl, nixosTests, olm }:
 
 stdenv.mkDerivation rec {
   pname = "jitsi-meet";
@@ -34,5 +34,6 @@ stdenv.mkDerivation rec {
     license = licenses.asl20;
     maintainers = teams.jitsi.members;
     platforms = platforms.all;
+    inherit (olm.meta) knownVulnerabilities;
   };
 }