Skip to content

Commit

Permalink
[24.05] olm: mark as vulnerable (#335189)
Browse files Browse the repository at this point in the history
  • Loading branch information
emilazy authored Sep 2, 2024
2 parents f778afc + 11e7332 commit cbff61b
Show file tree
Hide file tree
Showing 4 changed files with 52 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@
, pango
, stdenv
, darwin
, olm
, conf ? { }
}:

Expand Down Expand Up @@ -63,5 +64,6 @@ buildNpmPackage rec {
maintainers = with maintainers; [ abbe ashkitten ];
license = licenses.agpl3Only;
platforms = platforms.all;
inherit (olm.meta) knownVulnerabilities;
};
}
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
, pulseaudio
, makeDesktopItem
, gnome
, olm

, targetFlutterPlatform ? "linux"
}:
Expand Down Expand Up @@ -44,6 +45,7 @@ flutter319.buildFlutterApplication (rec {
maintainers = with maintainers; [ mkg20001 gilice ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
sourceProvenance = [ sourceTypes.fromSource ];
inherit (olm.meta) knownVulnerabilities;
};
} // lib.optionalAttrs (targetFlutterPlatform == "linux") {
nativeBuildInputs = [ imagemagick ];
Expand Down
46 changes: 46 additions & 0 deletions pkgs/development/libraries/olm/default.nix
Original file line number Diff line number Diff line change
Expand Up @@ -27,5 +27,51 @@ stdenv.mkDerivation rec {
homepage = "https://gitlab.matrix.org/matrix-org/olm";
license = licenses.asl20;
maintainers = with maintainers; [ tilpner oxzi ];
knownVulnerabilities = [ ''
The libolm end‐to‐end encryption library used in many Matrix
clients and Jitsi Meet has been deprecated upstream, and relies
on a cryptography library that has known side‐channel issues and
disclaims that its implementations are not cryptographically secure
and should not be used when cryptographic security is required.
It is not known if the issues can be exploited over the network in
practical conditions. Upstream does not believe such an attack is
feasible, but has stated that the library should not be used going
forward, and there are no plans to move to a another cryptography
implementation or otherwise further maintain the library at all.
You should make an informed decision about whether to override this
security warning, especially if you critically rely on end‐to‐end
encryption. If you don’t care about that, or don’t use the Matrix
functionality of a multi‐protocol client depending on libolm,
then there should be no additional risk.
Some clients are investigating migrating away from libolm to maintained
libraries without known vulnerabilities.
For further information, see:
* The CVE records for the known vulnerabilities:
* CVE-2024-45191
* CVE-2024-45192
* CVE-2024-45193
* The libolm deprecation notice:
<https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/README.md#important-libolm-is-now-deprecated>
* The warning from the cryptography code used by libolm:
<https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>
* The blog post disclosing the details of the known vulnerabilities:
<https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
* The statement about the deprecation and vulnerabilities from the
Matrix.org Foundation:
<https://matrix.org/blog/2024/08/libolm-deprecation/>
* A (likely incomplete) aggregation of client tracking issue links:
<https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
'' ];
};
}
3 changes: 2 additions & 1 deletion pkgs/servers/web-apps/jitsi-meet/default.nix
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{ lib, stdenv, fetchurl, nixosTests }:
{ lib, stdenv, fetchurl, nixosTests, olm }:

stdenv.mkDerivation rec {
pname = "jitsi-meet";
Expand Down Expand Up @@ -34,5 +34,6 @@ stdenv.mkDerivation rec {
license = licenses.asl20;
maintainers = teams.jitsi.members;
platforms = platforms.all;
inherit (olm.meta) knownVulnerabilities;
};
}

0 comments on commit cbff61b

Please sign in to comment.