From c4cd252753ec056f63031f91962be20885f912f2 Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Sat, 22 Nov 2025 12:25:41 +0100
Subject: [PATCH 1/2] update nixpkgs
bitcoind-knots: 29.2.knots20251010 -> 29.2.knots20251110
clightning: 25.09 -> 25.09.2
lightning-loop: 0.31.2-beta -> 0.31.5-beta
---
 flake.lock | 12 ++++++------
 pkgs/clnrest/default.nix | 2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/flake.lock b/flake.lock
index 9aa93d9..147a257 100644
--- a/flake.lock
+++ b/flake.lock
@@ -44,11 +44,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1761016216,
- "narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=",
+ "lastModified": 1763622513,
+ "narHash": "sha256-1jQnuyu82FpiSxowrF/iFK6Toh9BYprfDqfs4BB+19M=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "481cf557888e05d3128a76f14c76397b7d7cc869",
+ "rev": "c58bc7f5459328e4afac201c5c4feb7c818d604b",
 "type": "github"
 },
 "original": {
@@ -60,11 +60,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1760965567,
- "narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=",
+ "lastModified": 1763618868,
+ "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93",
+ "rev": "a8d610af3f1a5fb71e23e08434d8d61a466fc942",
 "type": "github"
 },
 "original": {
diff --git a/pkgs/clnrest/default.nix b/pkgs/clnrest/default.nix
index 51534a1..ee61ec1 100644
--- a/pkgs/clnrest/default.nix
+++ b/pkgs/clnrest/default.nix
@@ -11,7 +11,7 @@ rustPlatform.buildRustPackage rec {
 inherit (clightning) src;
- cargoHash = "sha256-UxMXBO/rpanNU8vz8y4V5wSbCNHKYmVXtoGRpOqI+A0=";
+ cargoHash = "sha256-2xOLwj42Ua85+kn73y+5q3YmzKYMCjxLlq/UrYjiZv0=";
 depsExtraArgs = {
 nativeBuildInputs = [ unzip ];
From e6e3a13dbb95ebbf68212a49e8e36c520ed9e14e Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Sat, 22 Nov 2025 12:58:19 +0100
Subject: [PATCH 2/2] work around CVE-2024-23342 for pkgs `hwi`, `trezor`
---
 modules/hardware-wallets.nix | 2 +-
 pkgs/default.nix | 1 +
 pkgs/pinned.nix | 1 -
 pkgs/python-packages/default.nix | 18 ++++++++++++++++++
 4 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/modules/hardware-wallets.nix b/modules/hardware-wallets.nix
index d8d2871..905f126 100644
--- a/modules/hardware-wallets.nix
+++ b/modules/hardware-wallets.nix
@@ -62,7 +62,7 @@ in {
 });
 })
 (mkIf cfg.trezor {
- environment.systemPackages = [ pkgs.python3.pkgs.trezor ];
+ environment.systemPackages = [ config.nix-bitcoin.pkgs.pyPkgs.nbPython3PackagesWithUnlockedEcdsa.trezor ];
 # Don't use rules from nixpkgs because we want to use our own group.
 services.udev.packages = lib.singleton (pkgs.writeTextFile {
 name = "trezord-udev-rules";
diff --git a/pkgs/default.nix b/pkgs/default.nix
index d9be881..4ba0acb 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -26,6 +26,7 @@ let self = {
 trustedcoin = pkgs.callPackage ./trustedcoin { };
 bitcoind_29 = pkgs.callPackage ./bitcoind_29 {};
+ inherit (self.pyPkgs.nbPython3PackagesWithUnlockedEcdsa) hwi;
 pyPkgs = import ./python-packages self pkgs.python3;
 inherit (self.pyPkgs)
diff --git a/pkgs/pinned.nix b/pkgs/pinned.nix
index 0a3ea7f..dd6a95d 100644
--- a/pkgs/pinned.nix
+++ b/pkgs/pinned.nix
@@ -5,7 +5,6 @@ pkgs: pkgsUnstable:
 elementsd
 extra-container
 fulcrum
- hwi
 lightning-pool
 lndconnect;
diff --git a/pkgs/python-packages/default.nix b/pkgs/python-packages/default.nix
index 96e6247..40266cd 100644
--- a/pkgs/python-packages/default.nix
+++ b/pkgs/python-packages/default.nix
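Review bot: The module now reaches into `config.nix-bitcoin.pkgs.pyPkgs.nbPython3PackagesWithUnlockedEcdsa.trezor` while the pkgs/default.nix hunk surfaces only `hwi` at the top level with `inherit (self.pyPkgs.nbPython3PackagesWithUnlockedEcdsa) hwi;`; exporting both the same way, `inherit (self.pyPkgs.nbPython3PackagesWithUnlockedEcdsa) hwi trezor;`, would let the module use `config.nix-bitcoin.pkgs.trezor` and keep the unlocked package set an implementation detail. In the same pkgs/default.nix hunk the new `inherit` line sits before the `pyPkgs = ...` binding it depends on, which is valid through the `self` recursion but reads backwards; placing it after `pyPkgs` would match the existing `inherit (self.pyPkgs)` that follows. With `hwi` dropped from pkgs/pinned.nix, the package now comes from the `pkgs.python3` passed to python-packages rather than from wherever that pinned list drew it (the header suggests `pkgsUnstable`), so it is worth confirming the effective hwi version did not move backwards. The `mkIf cfg.trezor` block and the `self` attribute set both continue outside their hunks.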
@@ -33,4 +33,22 @@ rec {
 }).pkgs;
 nbPython3PackagesJoinmarket = nbPython3Packages;
+
+ # Re-enable pkgs `hwi`, `trezor` that are unaffected by `CVE-2024-23342` because
+ # they don't use python pkg `ecdsa` for signing.
+ # These packages no longer evaluate in nixpkgs after `ecdsa` was tagged with this CVE.
+ nbPython3PackagesWithUnlockedEcdsa = let
+ python3PackagesWithUnlockedEcdsa = (python3.override {
+ packageOverrides = self: super: {
+ ecdsa = super.ecdsa.overrideAttrs (old: {
+ meta = old.meta // {
+ knownVulnerabilities = builtins.filter (x: x != "CVE-2024-23342") old.meta.knownVulnerabilities;
+ };
+ });
+ };
+ }).pkgs;
+ in {
+ hwi = with python3PackagesWithUnlockedEcdsa; toPythonApplication hwi;
+ inherit (python3PackagesWithUnlockedEcdsa) trezor;
+ };
 }
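Review bot: `old.meta.knownVulnerabilities` is read unconditionally in the `ecdsa` override, so once a nixpkgs update drops that attribute (the marker removed or ecdsa fixed upstream) evaluation of `nbPython3PackagesWithUnlockedEcdsa` fails instead of the workaround quietly becoming a no-op; use `knownVulnerabilities = builtins.filter (x: x != "CVE-2024-23342") (old.meta.knownVulnerabilities or []);`. Because the override strips the marker from the `ecdsa` derivation itself, every package evaluated out of `python3PackagesWithUnlockedEcdsa` skips the CVE-2024-23342 check, not only the two returned here; the `in { ... }` set correctly limits what is exposed, and a comment such as `# Only add packages here that are verified not to sign with ecdsa; everything in this set bypasses the CVE-2024-23342 check.` would make that contract explicit for the next maintainer. The justification that hwi and trezor do not use `ecdsa` for signing is asserted but not evidenced in the diff; recording where it was verified (e.g. `# verified in <upstream issue/PR>`) lets the claim be re-checked when either package is bumped. The `rec { ... }` attribute set this hunk ends starts outside the hunk.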