work around CVE-2024-23342 for pkgs hwi, trezor

This commit is contained in:
Erik Arvstedt 2025-11-22 12:58:19 +01:00
parent c4cd252753
commit e6e3a13dbb
No known key found for this signature in database
GPG key ID: 33312B944DD97846
4 changed files with 20 additions and 2 deletions


@ -62,7 +62,7 @@ in {
});
})
(mkIf cfg.trezor {
environment.systemPackages = [ pkgs.python3.pkgs.trezor ];
environment.systemPackages = [ config.nix-bitcoin.pkgs.pyPkgs.nbPython3PackagesWithUnlockedEcdsa.trezor ];
# Don't use rules from nixpkgs because we want to use our own group.
services.udev.packages = lib.singleton (pkgs.writeTextFile {
name = "trezord-udev-rules";
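Review bot: The replacement on the `environment.systemPackages` line swaps `pkgs.python3.pkgs.trezor` for the much longer `config.nix-bitcoin.pkgs.pyPkgs.nbPython3PackagesWithUnlockedEcdsa.trezor` without saying at the use site why the stock package is avoided, so a future maintainer is likely to "simplify" it back and reintroduce the evaluation failure the commit works around. A one-line why-comment above it would anchor the intent, e.g. `# Not pkgs.python3.pkgs.trezor: that no longer evaluates since ecdsa was tagged with CVE-2024-23342; see nbPython3PackagesWithUnlockedEcdsa`. The same applies to the added `inherit (self.pyPkgs.nbPython3PackagesWithUnlockedEcdsa) hwi;` line in the second file section, where hwi silently switches from the previously inherited package to a locally built one. The enclosing `mkIf cfg.trezor` block continues outside the hunk.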


@ -26,6 +26,7 @@ let self = {
trustedcoin = pkgs.callPackage ./trustedcoin { };
bitcoind_29 = pkgs.callPackage ./bitcoind_29 {};
inherit (self.pyPkgs.nbPython3PackagesWithUnlockedEcdsa) hwi;
pyPkgs = import ./python-packages self pkgs.python3;
inherit (self.pyPkgs)


@ -5,7 +5,6 @@ pkgs: pkgsUnstable:
elementsd
extra-container
fulcrum
hwi
lightning-pool
lndconnect;


@ -33,4 +33,22 @@ rec {
}).pkgs;
nbPython3PackagesJoinmarket = nbPython3Packages;
# Re-enable pkgs `hwi`, `trezor` that are unaffected by `CVE-2024-23342` because
# they don't use python pkg `ecdsa` for signing.
# These packages no longer evaluate in nixpkgs after `ecdsa` was tagged with this CVE.
nbPython3PackagesWithUnlockedEcdsa = let
python3PackagesWithUnlockedEcdsa = (python3.override {
packageOverrides = self: super: {
ecdsa = super.ecdsa.overrideAttrs (old: {
meta = old.meta // {
knownVulnerabilities = builtins.filter (x: x != "CVE-2024-23342") old.meta.knownVulnerabilities;
};
});
};
}).pkgs;
in {
hwi = with python3PackagesWithUnlockedEcdsa; toPythonApplication hwi;
inherit (python3PackagesWithUnlockedEcdsa) trezor;
};
}
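Review bot: The `knownVulnerabilities` filter reads `old.meta.knownVulnerabilities` unconditionally, so the moment nixpkgs drops that attribute from `ecdsa` (for instance once the package is no longer tagged) this override stops evaluating with a missing-attribute error rather than becoming a harmless no-op; `knownVulnerabilities = builtins.filter (x: x != "CVE-2024-23342") (old.meta.knownVulnerabilities or []);` keeps it robust. Relatedly, the workaround is only sound while the premise in the comment holds — that hwi and trezor never perform private-key operations through python `ecdsa` (the CVE is a timing side channel on such operations, not on verification) — and nothing here ties that claim to evidence; the comment should reference where that was established (an upstream issue or the relevant code in each package) so it can be re-checked when either package is bumped. It is also worth stating in the comment that the override silences the CVE marker for the whole `python3PackagesWithUnlockedEcdsa` set, so any additional package exported from the `in { ... }` block later would bypass the vulnerability gate as well and needs the same justification.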