Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

olm: mark as vulnerable #334638

Merged
merged 2 commits into from
Aug 16, 2024
Merged

olm: mark as vulnerable #334638

merged 2 commits into from
Aug 16, 2024

Conversation

emilazy
Copy link
Member

@emilazy emilazy commented Aug 14, 2024

Description of changes

See https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@emilazy emilazy added 1.severity: security Issues which raise a security issue, or PRs that fix one backport release-24.05 labels Aug 14, 2024
@emilazy emilazy force-pushed the push-twxurolyowvm branch from c95f41b to 1ed56ac Compare August 14, 2024 14:31
@mweinelt mweinelt mentioned this pull request Aug 14, 2024
13 tasks
@emilazy
Copy link
Member Author

emilazy commented Aug 14, 2024

Result of nixpkgs-review pr 334638 run on aarch64-linux 1

48 packages removed:
chatty (†0.8.4) cinny-unwrapped (†4.1.0) cinny-unwrapped (†4.1.0) fluffychat-linux (†1.20.0) fluffychat-web (†1.20.0) go-neb-unstable (†2021-07-21) gomuks (†0.3.1) heisenbridge (†1.14.6) homeassistant-test-matrix (†2024.8.1) itinerary (†23.08.5) itinerary (†24.05.2) libquotient (†0.8.2) libquotient (†0.8.2) matrix-commander (†7.6.2) maubot (†0.4.2) mautrix-discord (†0.7.0) mautrix-googlechat (†0.5.1) mautrix-meta (†0.3.2) mautrix-signal (†0.6.3) mautrix-whatsapp (†0.10.9) mtxclient (†0.10.0) neochat (†23.08.5) neochat (†24.05.2) nheko (†0.12.0) olm (†3.2.16) pantalaimon (†0.10.5) pantalaimon (†0.10.5) purple-matrix-unstable (†2019-06-06) python3.11-matrix-nio (†0.24.0) python3.11-mautrix (†0.20.6) python3.11-mautrix (†0.20.6) python3.11-python-olm (†3.2.16) python3.11-zulip (†0.9.0) python3.12-matrix-nio (†0.24.0) python3.12-maubot (†0.4.2) python3.12-mautrix (†0.20.6) python3.12-mautrix (†0.20.6) python3.12-mautrix-facebook (†0.5.1) python3.12-mautrix-telegram (†0.15.2) python3.12-opsdroid (†0.30.0) python3.12-python-olm (†3.2.16) python3.12-weechat-matrix (†0.3.0) python3.12-zulip (†0.9.0) quaternion (†0.0.96.1) quaternion (†0.0.96.1) visidata (†3.0.2) weechat-matrix-bridge-unstable (†2018-11-19) zulip-term (†0.7.0)

😢

Hopefully going forwards we can disable libolm support for as many of these as possible so that users can still use them without overriding the security warning and get E2E support with Pantalaimon (lol Pantalaimon is vulnerable too), (I no longer think this is a good idea) or even more hopefully upstream will actually fix the issues or there’ll be an active fork, or even more hopefully these clients will move to something that actually has security support and no known vulnerabilities.

@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Aug 14, 2024
@sumnerevans
Copy link
Contributor

None of the issues described by soatok are practically exploitable. We definitely should not disable libolm support, as having no encryption is way worse than having "vulnerabilities" that cannot be exploited.

@LeSuisse
Copy link
Contributor

None of the issues described by soatok are practically exploitable. We definitely should not disable libolm support, as having no encryption is way worse than having "vulnerabilities" that cannot be exploited.

Just to clarify: this PR is about giving a warning to nixpkgs libolm users that issues have been raised and might impact their threat model. It is not about disabling encryption for the users of said software but warning them and giving them a choice.

At a Linux distribution level, it is hard to judge what might be the usage of a specific software for a potential user (to put it another way, it is hard to evaluate the threat model of a specific user). In the nixpkgs/NixOS case we do not have a lot of other choices to alert users :/ .

The impacted packages are leaf packages so people allowing them should not burn too much CPU time rebuilding them if this PR gets merged.

In any cases libolm was marked as deprecated by upstream so downstream consumers will have to move to an alternative I suppose?

@emilazy
Copy link
Member Author

emilazy commented Aug 15, 2024

None of the issues described by soatok are practically exploitable. We definitely should not disable libolm support, as having no encryption is way worse than having "vulnerabilities" that cannot be exploited.

So, I agree that at the time of writing there’s no known way to exploit these vulnerabilities over the network in practice. I also agree that it’s perfectly possible that there might not be a way to exploit them at all. (And I agree that having no encryption is worse: my hope was that, given that Matrix DMs are E2E by default, users would set up an E2E proxy without the issues in the interim while the ecosystem is in flux; I thought this may be better than having to bypass the security warning. Still, I was wrong: for one thing, Pantalaimon still depends on libolm, and for another, that’s probably more churn than just bypassing the warning or switching to another client. So yes, I no longer think that part of my previous comment is a good idea at all.)

However, there’s a history here with timing attacks. They were known to be a theoretical possibility for many years, but the idea of being able to use them in a practical attack was dismissed; they were considered entirely hypothetical and not worth worrying about. Then, in 2003, we got the paper Remote Timing Attacks are Practical, and everything changed. Exploits of timing attacks have only improved in the years since, and people have managed to wring private key material in fairly realistic network conditions out of some pretty marginal exploits.

So there’s two things here:

  1. “These timing attacks aren’t practically exploitable” is something that has been said a lot historically, and ended up being untrue a lot more often than you might expect.

  2. “You have to be careful about timing attacks” is sufficiently received cryptographic engineering wisdom at this point that it’s a seriously concerning sign for any critical cryptography code written in the past decade+ to be vulnerable to them.

To quote Matthew Garrett – who is far more of an expert than me – on Hacker News:

but also if you're going to argue that it's unclear that these issues are remotely exploitable, it'd be helpful to discuss why - are there external constraints that ratelimit them such that the number of packets required is infeasible in any length of time? Is all the affected key material ephemeral and rotated before it's realistic to get a large enough sample? Just vibes?

I think it would be great if it turns out that these vulnerabilities are not practically exploitable under most threat models! I want users to be safe; that’s my whole motivation here! But, still: the arguments for why it’s definitely not exploitable that I’ve seen are pretty handwave‐y and look a lot like similar historical arguments that turned out to be way overconfident. And the fact that the library has been deprecated rather than getting a fix for an issue this basic is concerning, because cryptography code that messes up table‐stakes things like this is very likely to have other issues lurking, and if anyone ever does develop a practical exploit for even this known issue, users will have no recourse.

And, I mean, here’s an excerpt from the statement in the upstream libolm repository:

It also depends on simplistic cryptography primitive
implementations which are intended for pragmatic and education purposes rather
than security - e.g. Brad Conte's crypto-algorithms.

As such as of July 2024, libolm is now officially deprecated - please do not
use it going forwards
.

When we click the link to the README file for the cryptography algorithm implementations they use, we get this terrifying statement:

Note that these are not cryptographically secure implementations. They have no resistence to side-channel attacks and should not be used in contexts that need cryptographically secure implementations.

I mean, what more can you say to that? “These are not cryptographically secure implementations … and should not be used in contexts that need cryptographically secure implementations”. In my view, that right there is sufficient for knownVulnerabilities by itself. I’ve seen it posed that nobody should be reacting to these vulnerability disclosures because they were already known for years and that line has been tucked away in that README for years. But… that’s actually more concerning, not less? They’re depending critically on code that says “this is not secure” but didn’t actually deprecate the library and say “this is not secure” until someone rediscovered some of the issues?

It doesn’t really matter how long a vulnerability has existed or if it was known or not. We set knownVulnerabilities based on upstream’s ability and willingness to respond to security vulnerabilities, and if we put aside opinions on the likely severity of the vulnerabilities in question for a moment, it’s hard for me to imagine a situation that more justifies warning users about the known risks they’re taking than this – the library is based on code that has a big warning saying it’s not safe, there are specific known textbook vulnerabilities in the code, upstream does not intend to fix them, and they’ve added their own big warning saying not to use the library. As a user of Matrix E2E, I’d… personally quite like to know about this state of affairs before installing a client that uses it!

I also want to be clear that I’m not trying to participate in any kind of pro‐Matrix vs. anti‐Matrix thing in this pull request, or penalize users of these clients. I use Matrix on a daily basis to work on NixOS and socialize, and am consequently invested in its ecosystem. I sincerely hope that the ecosystem can move to maintained libraries for E2E. I think it sucks that a library that is depended on by basically every non‐Element client for encryption is in this state. I really wish this whole situation wasn’t a thing. But it is, and I don’t think we can make it go away just by ignoring it. I fully expect many users will react to this security notice by shrugging, adding the package to their list of permitted insecure packages, and going about their day. That’s okay: they got the opportunity to make an informed choice, which is what matters to me.

I genuinely look forward to clients resolving this issue and leaving Matrix users safer. Rather than debating whether known vulnerabilities that won’t be fixed pass a threshold of severity and practically‐demonstrated exploits, it’d be better if we simply had confidence that clients were using safe, well‐maintained E2E implementations that will proactively address any security issues that arise in the future.

Copy link
Member

@oxzi oxzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for this PR. As one of the package maintainers of olm I have just started the same until I stumbled over this PR.

@@ -27,5 +27,8 @@ stdenv.mkDerivation rec {
homepage = "https://gitlab.matrix.org/matrix-org/olm";
license = licenses.asl20;
maintainers = with maintainers; [ tilpner oxzi ];
knownVulnerabilities = [
"libolm is deprecated upstream with an AES cache timing vulnerability that upstream doesn't plan to fix"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please add more details, for example, linking the olm commit stating it as deprecated - https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985 - and Soatok's blog post.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, thanks for nudging me to do this. I avoided doing it because I was worried about being sufficiently neutral and describing the potential risks and trade‐offs sufficiently well, but it’s important in a situation like this. I’ve pushed a long but hopefully unbiased and informative explanation of the issues and maintenance status of the package that should let users make an informed decision. Please let me know what you think.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I enjoyed reading your deprecation information text. It informs the user with enough details to look into it.

Thanks again for all the work you are putting into this :)

@oxzi oxzi requested a review from tilpner August 15, 2024 09:10
@emilazy emilazy force-pushed the push-twxurolyowvm branch from 1ed56ac to 42003e9 Compare August 15, 2024 17:52
@emilazy
Copy link
Member Author

emilazy commented Aug 15, 2024

I’ve pushed this with a much more elaborate and nuanced knownVulnerabilities text as suggested by @oxzi. Given what I’ve learned about the cryptography code used by libolm since I initially opened this PR and how long these vulnerabilities have been ignored, I feel confident that warnign users and letting them make their own choices is the right thing to do here.

There is one big remaining issue: Thunderbird. Thunderbird grew chat support at some point and added support for Matrix a few years back. That code currently vendors libolm for encryption support. I’ve linked their tracking issue and it will hopefully be addressed soon, given the strength of Mozilla’s security team.

At first, I hoped we could simply patch out Matrix support from the Thunderbird package until then, on the assumption that the vast majority of people use Thunderbird exclusively as an email client. That worked, but unfortunately it turns out that rolling back to a version with Matrix support leaves you without the account data you had previously added. That’s obviously not acceptable, and I don’t have enough knowledge of the Thunderbird code to stub it out in a more sophisticated manner.

I have opted not to mark the Thunderbird packages with knownVulnerabilities for now. I don’t feel entirely comfortable with that, and would prefer to make a more principled decision, but my reasoning is twofold:

  1. Thunderbird have been tracking their intent to migrate off libolm for longer than the other clients, have some existing work in the pipeline for it, and Mozilla are generally proactive about addressing security issues. We can hopefully expect them to address this issue quickly and obviate the need for any warnings.

  2. Thunderbird is, primarily, an email client. Our reverse dependencies of libolm are generally primarily Matrix clients where it makes sense to communicate the state of libolm to the vast majority of users. In contrast, I suspect that only a very small fraction of Thunderbird users use its Matrix support. Warning all Thunderbird users en masse about a vulnerability in a dusty corner of the application that they most likely don’t even know exists will cause a lot of inconvenience and panic for limited gain.

This is not a sustainable solution; If Thunderbird don’t move off libolm quickly, we’ll have to do something, but this was the best resolution I could think of to warn users of Matrix clients without causing widespread chaos. If the issue isn’t addressed in a timely fashion, hopefully we can figure out how to patch Matrix support in a more reliable fashion or something. I’m not entirely happy with this, but it’s the best compromise I can think of at this time.

@emilazy
Copy link
Member Author

emilazy commented Aug 15, 2024

The Thunderbird patch to move off libolm has been updated, so I’m feeling confident that they will address this in a timely fashion and that we can hold off on knownVulnerabilities for Thunderbird for now.

I think this is ready to merge once the new message has been reviewed.

implementations, or to otherwise further maintain in any capacity.

You should make an informed decision about whether to override
this security warning, especially if you rely criticially on Matrix
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
this security warning, especially if you rely criticially on Matrix
this security warning, especially if you rely critically on Matrix

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whoops, thanks! Fixed and pushed a few other minor rewordings I had locally but forgot to squash.

@emilazy emilazy force-pushed the push-twxurolyowvm branch from 42003e9 to bdcccfe Compare August 15, 2024 20:44
Copy link
Member

@tilpner tilpner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the detailed new message, the tone seems appropriate, and it gives enough context that users don't have to start from scratch to decide whether they care. And good catch with the vendored libolms, I probably would have missed them :)

<https://gitlab.matrix.org/matrix-org/olm/-/blob/6d4b5b07887821a95b144091c8497d09d377f985/lib/crypto-algorithms/README.md>

* The blog post disclosing the details of the known vulnerabilities:
<https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/>
Copy link

@tranquillity-codes tranquillity-codes Aug 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would recommend against linking soatok's FUD campaign blog post. The author's motivation is to "make the Matrix evangelists shut up", not to inform the public about vulnerabilities. Thus, they use manipulative tactics which they have used in the past to overblow the impact of the vulnerabilities. Additionally, they further fail to do basic research w.r.t. the client coverage. All clients that I know of that are actively worked on are in various stages of being migrated to vodozemac. Vodozemac bindings for various languages are being worked on (including C, C++, Python...) and improved.

As an aside, libolm has been known to be deprecated for as long as I am involved with Matrix (it only really takes a basic look at the repo to tell). New clients do not utilize libolm for this reason.

EDIT: Soatok took down their gist, here's a webarchive link https://web.archive.org/web/20240815171614/https://gist.github.com/soatok/8aef6f67fec9c702f510ee24d19ef92b

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we try and prefer CVE #s anyway? That way there's a standardized reference to the vuln.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are no CVEs. Presumably upstream has no intention of getting them assigned.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm. Seems like a bit of a gray area. That being said:

  • Preferring CVE #s is probably a good thing, but with the absence of them, I'm not sure where this falls
  • The characterization of the blogpost as "FUD" is a little dismissive and has people talking past each other

Given that this is a "maybe multiple people are right" scenario, can we point to any existing policy that expresses whether we shouldn't use the library or, conversely, shouldn't heavily weigh the blogpost's case?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There’s never been any rule that says we need CVE numbers assigned to act on known vulnerabilities, especially when upstream acknowledges the vulnerabilities and openly says that the library should not be used. Many vulnerabilities don’t get CVE numbers assigned. We routinely set knownVulnerabilities for security‐critical packages that are end‐of‐life, as this one is, even when they don’t have specific known vulnerabilities, as this one does.

I think the upstream statements and the documentation of the cryptography code it relies on would be sufficient for this, but the blog post provides additional detail about specific concrete timing attacks the code is vulnerable to.

Note that the wording hopefully makes it very clear that the purpose is to warn and inform users. The error message will contain specific instructions on how to bypass the warning and continue to use the packages that depend on libolm until the ecosystem finishes migrating.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, just relying on CVEs seems like a derailment to me.

If you'd like to directly address what I was asking, which read:

can we point to any existing policy that expresses whether we shouldn't use the library or, conversely, shouldn't heavily weigh the blogpost's case

Then you might say:

see for examples, gogs or googleearth-pro

Thanks for the answer, those are good examples. Here's gogs, which had an announcement: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/applications/version-management/gogs/default.nix#L49

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what is important to put this into context is that at least some of these vulnerabilities were intentional choices done at the start of libolms development and haven't been considered critical so far. There is a lot of buzz around them now, but arguably the impact of those issues hasn't changed. And while libolm was deprecated now, that has mostly been a decision based on how much maintenance bandwidth the maintainers for it have and them focusing on vodozemac now.

If you consider that important enough to warrant a manual override by users to install software based on libolm, you should probably also consider to warn for things like Nheko, that explicitly warn in the README, that the implementation isn't done by professionals: https://github.com/Nheko-Reborn/nheko/?tab=readme-ov-file#note-regarding-end-to-end-encryption

I believe the latter to have a much higher impact to users. While the libolm deprecation will be a problem at some point, it happened only recently and projects didn't have much time yet to figure out how they want to deal with it.

Copy link
Member Author

@emilazy emilazy Aug 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I appreciate that many in the Matrix development community had already known about these issues for years, and so the recent flurry of urgency might seem misguided to them. However, I think there’s a fundamental disconnect here: we don’t consider security issues less severe based on their age, and the fact that the libolm maintainers and the clients depending on it were aware of them and didn’t choose to fix them or more actively deprecate and warn about the library before compounds the problem, rather than mitigating it. I’ve used Matrix for 6 years now, and I never knew that the encryption library I was relying on for a substantial portion of that time was using cryptography code whose security was explicitly disclaimed; I would have been shocked to find that out, and I don’t think you can reasonably expect end users to read README files buried in a subdirectory of a library dependency.

If I had learned about these issues sooner, I would have made an active effort to keep users informed, try to get upstream to act one way or another on them, and make my own personal risk assessment decisions relating to use of the library. The main effect of the blog post, it seems, has been to publicize to a wider audience, including cryptography engineers, what the Matrix development ecosystem was already aware of.

Nheko depends on libolm, so it will already trigger a warning with this pull request. In an ideal world perhaps we would warn about such things beyond that (especially if we got the problems infrastructure to have a less blunt tool to use for these things), but I think that there’s a distance between a non‐audited implementation of a cryptographic protocol on top of a library and the library itself being deprecated with known concrete issues. We inherently have to make some judgement calls about security as a distro, but I don’t think we’re really in a position to review the general coding practices of every application separate to any upstream deprecations and known published vulnerabilities.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just FYI. There are now CVEs:

  • CVE-2024-45191 - AES implementation is vulnerable to cache-timing attacks
  • CVE-2024-45192 - Base64 implementation used for decoding sensitive data has a timing side-channel
  • CVE-2024-45193 - Ed25519 signatures are malleable

— Source: Matrix Foundation blog

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The message was adjusted in #338006

@emilazy emilazy force-pushed the push-twxurolyowvm branch from bdcccfe to aff7952 Compare August 16, 2024 00:24
@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2024

@tilpner I just found another one in the form of jitsi-meet (which I didn’t see any existing issue for, so I’ve contacted their security team as recommended on their GitHub page). Sadly I expect there are probably more vendored copies we’re missing, other than the Thunderbird one I’m holding off on in the hopes that they’ll address it swiftly. Vendoring is such a pain…

@tranquillity-codes suggested I remove the link to Soatok’s blog post on Matrix. I replied that I had done my best to write a balanced advisory on this clearly controversial issue, that I don’t think it would do a service to users to omit the link to the public coordinated disclosure of the known vulnerabilities in libolm, and that I linked several statements from Matrix.org including the project lead’s reply to the blog post for balance. Based on the conversation, I do not think that we are likely to be able to resolve our disagreement, so I don’t think further discussion on the matter would be productive. If there was a formal CVE advisory then perhaps we could link to that instead, but that doesn’t seem likely to happen. I’ve already elaborated on my position about assumptions of the severity or exploitability of the bugs in my previous comment.

Having discussed this matter extensively on Matrix over the past couple days and with the positive feedback from the maintainers of this package, I think this PR is the best way we can handle a bad situation, should be ready to merge, and will likely hit the button within a day pending other feedback if nobody else does. I will continue to follow the tracking issues in various clients and do my bit to help bump to versions that do not depend on libolm as they are released.

@emilazy emilazy force-pushed the push-twxurolyowvm branch 2 times, most recently from 843268b to 45bf5e2 Compare August 16, 2024 00:36
@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2024

Updated the knownVulnerabilities text slightly in light of libolm’s non‐Matrix use in Jitsi Meet. Hoping for a quick response from their security team.

@emilazy emilazy force-pushed the push-twxurolyowvm branch from 45bf5e2 to 0734fc6 Compare August 16, 2024 15:21
@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2024

The manual backport is up at #335189. I will give it a couple days before merging to get a sense of the fallout and continue to track upstream developments.

@MTRNord
Copy link
Contributor

MTRNord commented Aug 16, 2024

Just so you are aware there is some more statement from the foundation side at https://matrix.org/blog/2024/08/16/this-week-in-matrix-2024-08-16/#dept-of-encryption-closed-lock-with-key

@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2024

Thanks for the pointer; I appreciate the acknowledgement from upstream that more proactive action would have hopefully helped to avoid the recent kerfuffle. vodozemac seems like a much better base for future development; I’m really happy that it was audited and I’m actively tracking the process of client adoption. Hopefully the ecosystem can put this behind it soon.

@TheArcaneBrony
Copy link
Contributor

What's the plan for pantalaimon, given I don't see that being updated to use vodozemac any time soon, but is part of my infrastructure.

@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2024

You’ll have to make your own risk assessment based on the information in the message and decide whether or not to permit olm as described. I don’t know what the plans of the Pantalaimon developers are, although I suspect nothing is going to happen as it hasn’t received any commits in over a year and is apparently deprecated (matrix-org/pantalaimon#167, matrix-org/pantalaimon#168).

@TheArcaneBrony
Copy link
Contributor

Yeah those issues were posted an hour ago, though I've known that it probably wont happens as it's been dead for ages. It is worrying to think about having to throw out a decent chunk of my infrastructure in the event olm/pantalaimon get removed from nixpkgs, or stick to using nixos 24.05 as an overlay to get it...

@emilazy
Copy link
Member Author

emilazy commented Aug 16, 2024

Nothing that depends on libolm has been removed and there is definitely not going to be any rush to make that happen. The knownVulnerabilities message is there to inform you and the error you get tells you how to permit libolm specifically on your system.

In the longer term, depending on the movement in the rest of the ecosystem, if there is totally unmaintained software that relies critically on libolm and will never move off it then we might consider removing it, yes, especially if anyone finds any worse vulnerabilities, but that’s not anything there is any kind of agreement to do at this time. This pull request is not intended as a prelude to imminent removal.

@gador
Copy link
Member

gador commented Aug 19, 2024

Is there a known good alternative for a desktop matrix client, which can be used without olm?
I tried element, pantalaimon, gomuks, fluffychat and cinny.
As I see it, there is no matrix client usable (without using permittedInsecurePackages) as of now in all of nixpkgs.

@dotlambda
Copy link
Member

Is there a known good alternative for a desktop matrix client, which can be used without olm?

At least element and fractal work.

@gador
Copy link
Member

gador commented Aug 19, 2024

Just to be clear: I meant element-desktop and not element (which is a Periodic table on the command line)
Thanks for the tip with fractal. I'll give it a try 👍

@dotlambda
Copy link
Member

#335753 unbreaks element-desktop

@emilazy
Copy link
Member Author

emilazy commented Aug 19, 2024

Eek! I should have checked the reverse dependencies of Jitsi Meet when finding it at the last minute, I didn’t expect to break Element 😬

Very sorry for that, especially for giving users an inaccurate impression of Element’s security with the inherited warning… Not sure what the best way to remediate that is.

@Sylonin

This comment was marked as spam.

philipwilk-softServeBot pushed a commit to philipwilk/nixos that referenced this pull request Aug 20, 2024
@gador gador mentioned this pull request Aug 22, 2024
13 tasks
AndrewKvalheim added a commit to AndrewKvalheim/nixpkgs that referenced this pull request Aug 23, 2024
Olm has a known vulnerability (NixOS#334638) but is only an optional
dependency of nio, so in theory nio should by default be unaffected.
nio’s tests, however, cover its full suite of extra features, so Olm is
still evaluated as a dependency of the check phase. Since the check
phase doesn’t process user data or access the network this vulnerability
isn’t relevant and can be ignored, allowing nio to evaluate and
ultimately be run without Olm.
@emilazy emilazy mentioned this pull request Aug 23, 2024
13 tasks
@emilazy emilazy deleted the push-twxurolyowvm branch August 26, 2024 00:52
gmacon pushed a commit to gmacon/nixpkgs that referenced this pull request Aug 30, 2024
After olm gained knownVulnerabilities in NixOS#334638, allow building these
bridges using the pure-Go goolm library instead of libolm bindings.
github-actions bot pushed a commit that referenced this pull request Sep 1, 2024
After olm gained knownVulnerabilities in #334638, allow building these
bridges using the pure-Go goolm library instead of libolm bindings.

(cherry picked from commit 8b17835)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux
Projects
None yet
Development

Successfully merging this pull request may close these issues.