olm: mark as vulnerable

[emilazy]

Description of changes

See https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[emilazy]

Result of nixpkgs-review pr 334638 run on aarch64-linux 1

48 packages removed:
chatty (†0.8.4) cinny-unwrapped (†4.1.0) cinny-unwrapped (†4.1.0) fluffychat-linux (†1.20.0) fluffychat-web (†1.20.0) go-neb-unstable (†2021-07-21) gomuks (†0.3.1) heisenbridge (†1.14.6) homeassistant-test-matrix (†2024.8.1) itinerary (†23.08.5) itinerary (†24.05.2) libquotient (†0.8.2) libquotient (†0.8.2) matrix-commander (†7.6.2) maubot (†0.4.2) mautrix-discord (†0.7.0) mautrix-googlechat (†0.5.1) mautrix-meta (†0.3.2) mautrix-signal (†0.6.3) mautrix-whatsapp (†0.10.9) mtxclient (†0.10.0) neochat (†23.08.5) neochat (†24.05.2) nheko (†0.12.0) olm (†3.2.16) pantalaimon (†0.10.5) pantalaimon (†0.10.5) purple-matrix-unstable (†2019-06-06) python3.11-matrix-nio (†0.24.0) python3.11-mautrix (†0.20.6) python3.11-mautrix (†0.20.6) python3.11-python-olm (†3.2.16) python3.11-zulip (†0.9.0) python3.12-matrix-nio (†0.24.0) python3.12-maubot (†0.4.2) python3.12-mautrix (†0.20.6) python3.12-mautrix (†0.20.6) python3.12-mautrix-facebook (†0.5.1) python3.12-mautrix-telegram (†0.15.2) python3.12-opsdroid (†0.30.0) python3.12-python-olm (†3.2.16) python3.12-weechat-matrix (†0.3.0) python3.12-zulip (†0.9.0) quaternion (†0.0.96.1) quaternion (†0.0.96.1) visidata (†3.0.2) weechat-matrix-bridge-unstable (†2018-11-19) zulip-term (†0.7.0)

😢

Hopefully going forwards we can disable libolm support for as many of these as possible so that users can still use them without overriding the security warning and get E2E support with Pantalaimon (lol Pantalaimon is vulnerable too), (I no longer think this is a good idea) or even more hopefully upstream will actually fix the issues or there’ll be an active fork, or even more hopefully these clients will move to something that actually has security support and no known vulnerabilities.

[emilazy]

Some tracking issues:

• libolm is now deprecated. Nheko-Reborn/nheko#1786
• move from libolm to vodozemac due to deprecation  cinnyapp/cinny#1869
• libolm is now deprecated. krille-chan/fluffychat#1258
• libolm deprecation and possible security vulnerablity quotient-im/libQuotient#780
• Reconsider dependency on olm (GNOME Chatty)
• Add Matrix Rust crypto component (Thunderbird)
• libolm is deprecated mautrix/go#262

Looks like the vodozemac bindings are being worked on.

[sumnerevans]

None of the issues described by soatok are practically exploitable. We definitely should not disable libolm support, as having no encryption is way worse than having "vulnerabilities" that cannot be exploited.

[LeSuisse]

None of the issues described by soatok are practically exploitable. We definitely should not disable libolm support, as having no encryption is way worse than having "vulnerabilities" that cannot be exploited.

Just to clarify: this PR is about giving a warning to nixpkgs libolm users that issues have been raised and might impact their threat model. It is not about disabling encryption for the users of said software but warning them and giving them a choice.

At a Linux distribution level, it is hard to judge what might be the usage of a specific software for a potential user (to put it another way, it is hard to evaluate the threat model of a specific user). In the nixpkgs/NixOS case we do not have a lot of other choices to alert users :/ .

The impacted packages are leaf packages so people allowing them should not burn too much CPU time rebuilding them if this PR gets merged.

In any cases libolm was marked as deprecated by upstream so downstream consumers will have to move to an alternative I suppose?

[emilazy]

None of the issues described by soatok are practically exploitable. We definitely should not disable libolm support, as having no encryption is way worse than having "vulnerabilities" that cannot be exploited.

So, I agree that at the time of writing there’s no known way to exploit these vulnerabilities over the network in practice. I also agree that it’s perfectly possible that there might not be a way to exploit them at all. (And I agree that having no encryption is worse: my hope was that, given that Matrix DMs are E2E by default, users would set up an E2E proxy without the issues in the interim while the ecosystem is in flux; I thought this may be better than having to bypass the security warning. Still, I was wrong: for one thing, Pantalaimon still depends on libolm, and for another, that’s probably more churn than just bypassing the warning or switching to another client. So yes, I no longer think that part of my previous comment is a good idea at all.)

However, there’s a history here with timing attacks. They were known to be a theoretical possibility for many years, but the idea of being able to use them in a practical attack was dismissed; they were considered entirely hypothetical and not worth worrying about. Then, in 2003, we got the paper Remote Timing Attacks are Practical, and everything changed. Exploits of timing attacks have only improved in the years since, and people have managed to wring private key material in fairly realistic network conditions out of some pretty marginal exploits.

So there’s two things here:

1. “These timing attacks aren’t practically exploitable” is something that has been said a lot historically, and ended up being untrue a lot more often than you might expect.

2. “You have to be careful about timing attacks” is sufficiently received cryptographic engineering wisdom at this point that it’s a seriously concerning sign for any critical cryptography code written in the past decade+ to be vulnerable to them.

To quote Matthew Garrett – who is far more of an expert than me – on Hacker News:

but also if you're going to argue that it's unclear that these issues are remotely exploitable, it'd be helpful to discuss why - are there external constraints that ratelimit them such that the number of packets required is infeasible in any length of time? Is all the affected key material ephemeral and rotated before it's realistic to get a large enough sample? Just vibes?

I think it would be great if it turns out that these vulnerabilities are not practically exploitable under most threat models! I want users to be safe; that’s my whole motivation here! But, still: the arguments for why it’s definitely not exploitable that I’ve seen are pretty handwave‐y and look a lot like similar historical arguments that turned out to be way overconfident. And the fact that the library has been deprecated rather than getting a fix for an issue this basic is concerning, because cryptography code that messes up table‐stakes things like this is very likely to have other issues lurking, and if anyone ever does develop a practical exploit for even this known issue, users will have no recourse.

And, I mean, here’s an excerpt from the statement in the upstream libolm repository:

It also depends on simplistic cryptography primitive
implementations which are intended for pragmatic and education purposes rather
than security - e.g. Brad Conte's crypto-algorithms.

…

As such as of July 2024, libolm is now officially deprecated - please do not
use it going forwards.

When we click the link to the README file for the cryptography algorithm implementations they use, we get this terrifying statement:

Note that these are not cryptographically secure implementations. They have no resistence to side-channel attacks and should not be used in contexts that need cryptographically secure implementations.

I mean, what more can you say to that? “These are not cryptographically secure implementations … and should not be used in contexts that need cryptographically secure implementations”. In my view, that right there is sufficient for knownVulnerabilities by itself. I’ve seen it posed that nobody should be reacting to these vulnerability disclosures because they were already known for years and that line has been tucked away in that README for years. But… that’s actually more concerning, not less? They’re depending critically on code that says “this is not secure” but didn’t actually deprecate the library and say “this is not secure” until someone rediscovered some of the issues?

It doesn’t really matter how long a vulnerability has existed or if it was known or not. We set knownVulnerabilities based on upstream’s ability and willingness to respond to security vulnerabilities, and if we put aside opinions on the likely severity of the vulnerabilities in question for a moment, it’s hard for me to imagine a situation that more justifies warning users about the known risks they’re taking than this – the library is based on code that has a big warning saying it’s not safe, there are specific known textbook vulnerabilities in the code, upstream does not intend to fix them, and they’ve added their own big warning saying not to use the library. As a user of Matrix E2E, I’d… personally quite like to know about this state of affairs before installing a client that uses it!

I also want to be clear that I’m not trying to participate in any kind of pro‐Matrix vs. anti‐Matrix thing in this pull request, or penalize users of these clients. I use Matrix on a daily basis to work on NixOS and socialize, and am consequently invested in its ecosystem. I sincerely hope that the ecosystem can move to maintained libraries for E2E. I think it sucks that a library that is depended on by basically every non‐Element client for encryption is in this state. I really wish this whole situation wasn’t a thing. But it is, and I don’t think we can make it go away just by ignoring it. I fully expect many users will react to this security notice by shrugging, adding the package to their list of permitted insecure packages, and going about their day. That’s okay: they got the opportunity to make an informed choice, which is what matters to me.

I genuinely look forward to clients resolving this issue and leaving Matrix users safer. Rather than debating whether known vulnerabilities that won’t be fixed pass a threshold of severity and practically‐demonstrated exploits, it’d be better if we simply had confidence that clients were using safe, well‐maintained E2E implementations that will proactively address any security issues that arise in the future.

[oxzi]

Thanks a lot for this PR. As one of the package maintainers of olm I have just started the same until I stumbled over this PR.

[oxzi]

Could you please add more details, for example, linking the olm commit stating it as deprecated - https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985 - and Soatok's blog post.

[emilazy]

Yes, thanks for nudging me to do this. I avoided doing it because I was worried about being sufficiently neutral and describing the potential risks and trade‐offs sufficiently well, but it’s important in a situation like this. I’ve pushed a long but hopefully unbiased and informative explanation of the issues and maintenance status of the package that should let users make an informed decision. Please let me know what you think.

[oxzi]

I enjoyed reading your deprecation information text. It informs the user with enough details to look into it.

Thanks again for all the work you are putting into this :)

[emilazy]

I’ve pushed this with a much more elaborate and nuanced knownVulnerabilities text as suggested by @oxzi. Given what I’ve learned about the cryptography code used by libolm since I initially opened this PR and how long these vulnerabilities have been ignored, I feel confident that warnign users and letting them make their own choices is the right thing to do here.

There is one big remaining issue: Thunderbird. Thunderbird grew chat support at some point and added support for Matrix a few years back. That code currently vendors libolm for encryption support. I’ve linked their tracking issue and it will hopefully be addressed soon, given the strength of Mozilla’s security team.

At first, I hoped we could simply patch out Matrix support from the Thunderbird package until then, on the assumption that the vast majority of people use Thunderbird exclusively as an email client. That worked, but unfortunately it turns out that rolling back to a version with Matrix support leaves you without the account data you had previously added. That’s obviously not acceptable, and I don’t have enough knowledge of the Thunderbird code to stub it out in a more sophisticated manner.

I have opted not to mark the Thunderbird packages with knownVulnerabilities for now. I don’t feel entirely comfortable with that, and would prefer to make a more principled decision, but my reasoning is twofold:

1. Thunderbird have been tracking their intent to migrate off libolm for longer than the other clients, have some existing work in the pipeline for it, and Mozilla are generally proactive about addressing security issues. We can hopefully expect them to address this issue quickly and obviate the need for any warnings.

2. Thunderbird is, primarily, an email client. Our reverse dependencies of libolm are generally primarily Matrix clients where it makes sense to communicate the state of libolm to the vast majority of users. In contrast, I suspect that only a very small fraction of Thunderbird users use its Matrix support. Warning all Thunderbird users en masse about a vulnerability in a dusty corner of the application that they most likely don’t even know exists will cause a lot of inconvenience and panic for limited gain.

This is not a sustainable solution; If Thunderbird don’t move off libolm quickly, we’ll have to do something, but this was the best resolution I could think of to warn users of Matrix clients without causing widespread chaos. If the issue isn’t addressed in a timely fashion, hopefully we can figure out how to patch Matrix support in a more reliable fashion or something. I’m not entirely happy with this, but it’s the best compromise I can think of at this time.

[emilazy]

The Thunderbird patch to move off libolm has been updated, so I’m feeling confident that they will address this in a timely fashion and that we can hold off on knownVulnerabilities for Thunderbird for now.

I think this is ready to merge once the new message has been reviewed.

[LeSuisse]

Suggested change

	this security warning, especially if you rely criticially on Matrix
	this security warning, especially if you rely critically on Matrix

[emilazy]

Whoops, thanks! Fixed and pushed a few other minor rewordings I had locally but forgot to squash.

[tilpner]

Thank you for the detailed new message, the tone seems appropriate, and it gives enough context that users don't have to start from scratch to decide whether they care. And good catch with the vendored libolms, I probably would have missed them :)

[tranquillity-codes]

I would recommend against linking soatok's FUD campaign blog post. The author's motivation is to "make the Matrix evangelists shut up", not to inform the public about vulnerabilities. Thus, they use manipulative tactics which they have used in the past to overblow the impact of the vulnerabilities. Additionally, they further fail to do basic research w.r.t. the client coverage. All clients that I know of that are actively worked on are in various stages of being migrated to vodozemac. Vodozemac bindings for various languages are being worked on (including C, C++, Python...) and improved.

As an aside, libolm has been known to be deprecated for as long as I am involved with Matrix (it only really takes a basic look at the repo to tell). New clients do not utilize libolm for this reason.

EDIT: Soatok took down their gist, here's a webarchive link https://web.archive.org/web/20240815171614/https://gist.github.com/soatok/8aef6f67fec9c702f510ee24d19ef92b

[numinit]

Shouldn't we try and prefer CVE #s anyway? That way there's a standardized reference to the vuln.

[emilazy]

There are no CVEs. Presumably upstream has no intention of getting them assigned.

[numinit]

Hmm. Seems like a bit of a gray area. That being said:

• Preferring CVE #s is probably a good thing, but with the absence of them, I'm not sure where this falls
• The characterization of the blogpost as "FUD" is a little dismissive and has people talking past each other

Given that this is a "maybe multiple people are right" scenario, can we point to any existing policy that expresses whether we shouldn't use the library or, conversely, shouldn't heavily weigh the blogpost's case?

[emilazy]

There’s never been any rule that says we need CVE numbers assigned to act on known vulnerabilities, especially when upstream acknowledges the vulnerabilities and openly says that the library should not be used. Many vulnerabilities don’t get CVE numbers assigned. We routinely set knownVulnerabilities for security‐critical packages that are end‐of‐life, as this one is, even when they don’t have specific known vulnerabilities, as this one does.

I think the upstream statements and the documentation of the cryptography code it relies on would be sufficient for this, but the blog post provides additional detail about specific concrete timing attacks the code is vulnerable to.

Note that the wording hopefully makes it very clear that the purpose is to warn and inform users. The error message will contain specific instructions on how to bypass the warning and continue to use the packages that depend on libolm until the ecosystem finishes migrating.

[numinit]

Also, just relying on CVEs seems like a derailment to me.

If you'd like to directly address what I was asking, which read:

can we point to any existing policy that expresses whether we shouldn't use the library or, conversely, shouldn't heavily weigh the blogpost's case

Then you might say:

see for examples, gogs or googleearth-pro

Thanks for the answer, those are good examples. Here's gogs, which had an announcement: https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/applications/version-management/gogs/default.nix#L49

[deepbluev7]

I think what is important to put this into context is that at least some of these vulnerabilities were intentional choices done at the start of libolms development and haven't been considered critical so far. There is a lot of buzz around them now, but arguably the impact of those issues hasn't changed. And while libolm was deprecated now, that has mostly been a decision based on how much maintenance bandwidth the maintainers for it have and them focusing on vodozemac now.

If you consider that important enough to warrant a manual override by users to install software based on libolm, you should probably also consider to warn for things like Nheko, that explicitly warn in the README, that the implementation isn't done by professionals: https://github.com/Nheko-Reborn/nheko/?tab=readme-ov-file#note-regarding-end-to-end-encryption

I believe the latter to have a much higher impact to users. While the libolm deprecation will be a problem at some point, it happened only recently and projects didn't have much time yet to figure out how they want to deal with it.

[emilazy]

I appreciate that many in the Matrix development community had already known about these issues for years, and so the recent flurry of urgency might seem misguided to them. However, I think there’s a fundamental disconnect here: we don’t consider security issues less severe based on their age, and the fact that the libolm maintainers and the clients depending on it were aware of them and didn’t choose to fix them or more actively deprecate and warn about the library before compounds the problem, rather than mitigating it. I’ve used Matrix for 6 years now, and I never knew that the encryption library I was relying on for a substantial portion of that time was using cryptography code whose security was explicitly disclaimed; I would have been shocked to find that out, and I don’t think you can reasonably expect end users to read README files buried in a subdirectory of a library dependency.

If I had learned about these issues sooner, I would have made an active effort to keep users informed, try to get upstream to act one way or another on them, and make my own personal risk assessment decisions relating to use of the library. The main effect of the blog post, it seems, has been to publicize to a wider audience, including cryptography engineers, what the Matrix development ecosystem was already aware of.

Nheko depends on libolm, so it will already trigger a warning with this pull request. In an ideal world perhaps we would warn about such things beyond that (especially if we got the problems infrastructure to have a less blunt tool to use for these things), but I think that there’s a distance between a non‐audited implementation of a cryptographic protocol on top of a library and the library itself being deprecated with known concrete issues. We inherently have to make some judgement calls about security as a distro, but I don’t think we’re really in a position to review the general coding practices of every application separate to any upstream deprecations and known published vulnerabilities.

[jtrees]

Just FYI. There are now CVEs:

• CVE-2024-45191 - AES implementation is vulnerable to cache-timing attacks
• CVE-2024-45192 - Base64 implementation used for decoding sensitive data has a timing side-channel
• CVE-2024-45193 - Ed25519 signatures are malleable

— Source: Matrix Foundation blog

[LeSuisse]

The message was adjusted in #338006

[emilazy]

@tilpner I just found another one in the form of jitsi-meet (which I didn’t see any existing issue for, so I’ve contacted their security team as recommended on their GitHub page). Sadly I expect there are probably more vendored copies we’re missing, other than the Thunderbird one I’m holding off on in the hopes that they’ll address it swiftly. Vendoring is such a pain…

@tranquillity-codes suggested I remove the link to Soatok’s blog post on Matrix. I replied that I had done my best to write a balanced advisory on this clearly controversial issue, that I don’t think it would do a service to users to omit the link to the public coordinated disclosure of the known vulnerabilities in libolm, and that I linked several statements from Matrix.org including the project lead’s reply to the blog post for balance. Based on the conversation, I do not think that we are likely to be able to resolve our disagreement, so I don’t think further discussion on the matter would be productive. If there was a formal CVE advisory then perhaps we could link to that instead, but that doesn’t seem likely to happen. I’ve already elaborated on my position about assumptions of the severity or exploitability of the bugs in my previous comment.

Having discussed this matter extensively on Matrix over the past couple days and with the positive feedback from the maintainers of this package, I think this PR is the best way we can handle a bad situation, should be ready to merge, and will likely hit the button within a day pending other feedback if nobody else does. I will continue to follow the tracking issues in various clients and do my bit to help bump to versions that do not depend on libolm as they are released.

[emilazy]

Updated the knownVulnerabilities text slightly in light of libolm’s non‐Matrix use in Jitsi Meet. Hoping for a quick response from their security team.

[emilazy]

The manual backport is up at #335189. I will give it a couple days before merging to get a sense of the fallout and continue to track upstream developments.

[MTRNord]

Just so you are aware there is some more statement from the foundation side at https://matrix.org/blog/2024/08/16/this-week-in-matrix-2024-08-16/#dept-of-encryption-closed-lock-with-key

[emilazy]

Thanks for the pointer; I appreciate the acknowledgement from upstream that more proactive action would have hopefully helped to avoid the recent kerfuffle. vodozemac seems like a much better base for future development; I’m really happy that it was audited and I’m actively tracking the process of client adoption. Hopefully the ecosystem can put this behind it soon.

[TheArcaneBrony]

What's the plan for pantalaimon, given I don't see that being updated to use vodozemac any time soon, but is part of my infrastructure.

[emilazy]

You’ll have to make your own risk assessment based on the information in the message and decide whether or not to permit olm as described. I don’t know what the plans of the Pantalaimon developers are, although I suspect nothing is going to happen as it hasn’t received any commits in over a year and is apparently deprecated (matrix-org/pantalaimon#167, matrix-org/pantalaimon#168).

[TheArcaneBrony]

Yeah those issues were posted an hour ago, though I've known that it probably wont happens as it's been dead for ages. It is worrying to think about having to throw out a decent chunk of my infrastructure in the event olm/pantalaimon get removed from nixpkgs, or stick to using nixos 24.05 as an overlay to get it...

[emilazy]

Nothing that depends on libolm has been removed and there is definitely not going to be any rush to make that happen. The knownVulnerabilities message is there to inform you and the error you get tells you how to permit libolm specifically on your system.

In the longer term, depending on the movement in the rest of the ecosystem, if there is totally unmaintained software that relies critically on libolm and will never move off it then we might consider removing it, yes, especially if anyone finds any worse vulnerabilities, but that’s not anything there is any kind of agreement to do at this time. This pull request is not intended as a prelude to imminent removal.

[gador]

Is there a known good alternative for a desktop matrix client, which can be used without olm?
I tried element, pantalaimon, gomuks, fluffychat and cinny.
As I see it, there is no matrix client usable (without using permittedInsecurePackages) as of now in all of nixpkgs.

[dotlambda]

Is there a known good alternative for a desktop matrix client, which can be used without olm?

At least element and fractal work.

[gador]

Just to be clear: I meant element-desktop and not element (which is a Periodic table on the command line)
Thanks for the tip with fractal. I'll give it a try 👍

[dotlambda]

#335753 unbreaks element-desktop

[emilazy]

Eek! I should have checked the reverse dependencies of Jitsi Meet when finding it at the last minute, I didn’t expect to break Element 😬

Very sorry for that, especially for giving users an inaccurate impression of Element’s security with the inherited warning… Not sure what the best way to remediate that is.