Merge #819: Update nixpkgs

jonasnick · jonasnick · commit f1ebb5d2cd10 · 2025-11-24T12:50:28.000Z
e6e3a13 work around CVE-2024-23342 for pkgs `hwi`, `trezor` (Erik Arvstedt) c4cd252 update nixpkgs (Erik Arvstedt) Pull request description: ACKs for top commit: jonasnick: ACK e6e3a13 Tree-SHA512: f0f5bcbe0ea28f5870aed7bd983904fe3d57aedad45955835ace1fb151f48f169977f453d41a071b60e0e27af6fc92572c629627dfc8d81012c0bb4241a7f459
diff --git a/flake.lock b/flake.lock
diff --git a/modules/hardware-wallets.nix b/modules/hardware-wallets.nix
@@ -62,7 +62,7 @@ in {
       });
     })
     (mkIf cfg.trezor {
-      environment.systemPackages = [ pkgs.python3.pkgs.trezor ];
+      environment.systemPackages = [ config.nix-bitcoin.pkgs.pyPkgs.nbPython3PackagesWithUnlockedEcdsa.trezor ];
       # Don't use rules from nixpkgs because we want to use our own group.
       services.udev.packages = lib.singleton (pkgs.writeTextFile {
         name = "trezord-udev-rules";
diff --git a/pkgs/clnrest/default.nix b/pkgs/clnrest/default.nix
@@ -11,7 +11,7 @@ rustPlatform.buildRustPackage rec {
 
   inherit (clightning) src;
 
-  cargoHash = "sha256-UxMXBO/rpanNU8vz8y4V5wSbCNHKYmVXtoGRpOqI+A0=";
+  cargoHash = "sha256-2xOLwj42Ua85+kn73y+5q3YmzKYMCjxLlq/UrYjiZv0=";
 
   depsExtraArgs = {
     nativeBuildInputs = [ unzip ];
diff --git a/pkgs/default.nix b/pkgs/default.nix
@@ -26,6 +26,7 @@ let self = {
   trustedcoin = pkgs.callPackage ./trustedcoin { };
 
   bitcoind_29 = pkgs.callPackage ./bitcoind_29 {};
+  inherit (self.pyPkgs.nbPython3PackagesWithUnlockedEcdsa) hwi;
 
   pyPkgs = import ./python-packages self pkgs.python3;
   inherit (self.pyPkgs)
diff --git a/pkgs/pinned.nix b/pkgs/pinned.nix
@@ -5,7 +5,6 @@ pkgs: pkgsUnstable:
     elementsd
     extra-container
     fulcrum
-    hwi
     lightning-pool
     lndconnect;
 
diff --git a/pkgs/python-packages/default.nix b/pkgs/python-packages/default.nix
@@ -33,4 +33,22 @@ rec {
   }).pkgs;
 
   nbPython3PackagesJoinmarket = nbPython3Packages;
+
+  # Re-enable pkgs `hwi`, `trezor` that are unaffected by `CVE-2024-23342` because
+  # they don't use python pkg `ecdsa` for signing.
+  # These packages no longer evaluate in nixpkgs after `ecdsa` was tagged with this CVE.
+  nbPython3PackagesWithUnlockedEcdsa = let
+    python3PackagesWithUnlockedEcdsa = (python3.override {
+      packageOverrides = self: super: {
+        ecdsa = super.ecdsa.overrideAttrs (old: {
+          meta = old.meta // {
+            knownVulnerabilities = builtins.filter (x: x != "CVE-2024-23342") old.meta.knownVulnerabilities;
+          };
+        });
+      };
+    }).pkgs;
+  in {
+    hwi = with python3PackagesWithUnlockedEcdsa; toPythonApplication hwi;
+    inherit (python3PackagesWithUnlockedEcdsa) trezor;
+  };
 }
