Merge pull request #334638 from emilazy/push-twxurolyowvm

olm: mark as vulnerable

pkgs/applications/networking/instant-messengers/fluffychat/default.nix

@@ -8,6 +8,7 @@
 , pulseaudio
 , makeDesktopItem
 , zenity
+, olm
 
 , targetFlutterPlatform ? "linux"
 }:
@@ -44,6 +45,7 @@ flutter319.buildFlutterApplication (rec {
     maintainers = with maintainers; [ mkg20001 gilice ];
     platforms = [ "x86_64-linux" "aarch64-linux" ];
     sourceProvenance = [ sourceTypes.fromSource ];
+    inherit (olm.meta) knownVulnerabilities;
   };
 } // lib.optionalAttrs (targetFlutterPlatform == "linux") {
   nativeBuildInputs = [ imagemagick ];

pkgs/by-name/ci/cinny-unwrapped/package.nix

@@ -9,6 +9,7 @@
   pango,
   stdenv,
   darwin,
+  olm,
 }:
 
 buildNpmPackage rec {
@@ -54,5 +55,6 @@ buildNpmPackage rec {
     maintainers = with lib.maintainers; [ abbe ];
     license = lib.licenses.agpl3Only;
     platforms = lib.platforms.all;
+    inherit (olm.meta) knownVulnerabilities;
   };
 }

pkgs/by-name/el/element-call/package.nix

@@ -6,6 +6,7 @@
 , yarnBuildHook
 , nodejs
 , npmHooks
+, olm
 }:
 
 let
@@ -52,5 +53,6 @@ stdenv.mkDerivation (finalAttrs: {
     license = licenses.asl20;
     maintainers = with maintainers; [ kilimnik ];
     mainProgram = "element-call";
+    inherit (olm.meta) knownVulnerabilities;
   };
 })

pkgs/development/libraries/olm/default.nix

@@ -27,5 +27,44 @@ stdenv.mkDerivation rec {
     homepage = "https://gitlab.matrix.org/matrix-org/olm";
     license = licenses.asl20;
     maintainers = with maintainers; [ tilpner oxzi ];
+    knownVulnerabilities = [ ''
+      The libolm end‐to‐end encryption library used in many Matrix
+      clients and Jitsi Meet has been deprecated upstream, and relies
+      on a cryptography library that has known side‐channel issues and
+      disclaims that its implementations are not cryptographically secure
+      and should not be used when cryptographic security is required.
+
+      It is not known that the issues can be exploited over the network in
+      practical conditions. Upstream has stated that the library should
+      not be used going forwards, and there are no plans to move to a
+      another cryptography implementation or otherwise further maintain
+      the library at all.
+
+      You should make an informed decision about whether to override this
+      security warning, especially if you critically rely on end‐to‐end
+      encryption. If you don’t care about that, or don’t use the Matrix
+      functionality of a multi‐protocol client depending on libolm,
+      then there should be no additional risk.
+
+      Some clients are investigating migrating away from libolm to maintained
+      libraries without known vulnerabilities.
+
+      For further information, see:
+
+      * The libolm deprecation notice:
+        <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/README.md#important-libolm-is-now-deprecated>
+
+      * The warning from the cryptography code used by libolm:
+        <https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>
+
+      * The blog post disclosing the details of the known vulnerabilities:
+        <https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
+
+      * The Matrix.org project lead’s response to the disclosure:
+        <https://news.ycombinator.com/item?id=41249371>
+
+      * A (likely incomplete) aggregation of client tracking issue links:
+        <https://github.com/NixOS/nixpkgs/pull/334638#issuecomment-2289025802>
+    '' ];
   };
 }

pkgs/servers/web-apps/jitsi-meet/default.nix

@@ -1,4 +1,4 @@
-{ lib, stdenv, fetchurl, nixosTests }:
+{ lib, stdenv, fetchurl, nixosTests, olm }:
 
 stdenv.mkDerivation rec {
   pname = "jitsi-meet";
@@ -34,5 +34,6 @@ stdenv.mkDerivation rec {
     license = licenses.asl20;
     maintainers = teams.jitsi.members;
     platforms = platforms.all;
+    inherit (olm.meta) knownVulnerabilities;
   };
 }