From 84cd68f55584b684e122457d58e169ca69d008a6 Mon Sep 17 00:00:00 2001
From: ak2k <19240940+ak2k@users.noreply.github.com>
Date: Wed, 2 Jul 2025 18:14:07 -0400
Subject: [PATCH] litestream: fix CVE-2024-41254 by adding SSH host key verification

Apply patch from upstream commit f6c859061bfd7ccc2a21fcde3e9f0eb9ad98cd5e by benbjohnson that adds optional SSH host key verification to SFTP connections. This addresses CVE-2024-41254 where InsecureIgnoreHostKey() was used unconditionally, allowing potential MITM attacks. The patch adds a new `host-key-path` configuration option that allows users to specify a file containing the SSH host key for verification. When not specified, it maintains backward compatibility by falling back to the insecure behavior.

Fixes: #388411
---
 .../li/litestream/fix-cve-2024-41254.patch | 64 +++++++++++++++++++
 pkgs/by-name/li/litestream/package.nix | 3 +-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 pkgs/by-name/li/litestream/fix-cve-2024-41254.patch

diff --git a/pkgs/by-name/li/litestream/fix-cve-2024-41254.patch b/pkgs/by-name/li/litestream/fix-cve-2024-41254.patch
new file mode 100644
index 000000000000..8fd06b712a24
--- /dev/null
+++ b/pkgs/by-name/li/litestream/fix-cve-2024-41254.patch
@@ -0,0 +1,64 @@
+diff --git a/cmd/litestream/main.go b/cmd/litestream/main.go
+index 1234567..abcdefg 100644
+--- a/cmd/litestream/main.go
++++ b/cmd/litestream/main.go
+@@ -362,6 +362,7 @@ type ReplicaConfig struct {
+ Host string `yaml:"host"`
+ User string `yaml:"user"`
+ Password string `yaml:"password"`
+ KeyPath string `yaml:"key-path"`
++ HostKeyPath string `yaml:"host-key-path"`
+
+ // Encryption identities and recipients
+@@ -664,6 +665,7 @@ func NewReplicaFromConfig(c *ReplicaConfig, dbc *DBConfig) (_ litestream.Replic
+ client.Password = password
+ client.Path = path
+ client.KeyPath = c.KeyPath
++ client.HostKeyPath = c.HostKeyPath
+ return client, nil
+ }
+
+diff --git a/sftp/replica_client.go b/sftp/replica_client.go
+index 30d8fa87..8b651e97 100644
+--- a/sftp/replica_client.go
++++ b/sftp/replica_client.go
+@@ -41,6 +41,7 @@ type ReplicaClient struct {
+ Password string
+ Path string
+ KeyPath string
++ HostKeyPath string
+ DialTimeout time.Duration
+ }
+
+@@ -71,14 +72,28 @@ func (c *ReplicaClient) Init(ctx context.Context) (_ *sftp.Client, err error) {
+
+ // Build SSH configuration & auth methods
+ config := &ssh.ClientConfig{
+- User: c.User,
+- HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+- BannerCallback: ssh.BannerDisplayStderr(),
++ User: c.User,
++ BannerCallback: ssh.BannerDisplayStderr(),
+ }
+ if c.Password != "" {
+ config.Auth = append(config.Auth, ssh.Password(c.Password))
+ }
+
++ if c.HostKeyPath == "" {
++ config.HostKeyCallback = ssh.InsecureIgnoreHostKey()
++ } else {
++ buf, err := os.ReadFile(c.HostKeyPath)
++ if err != nil {
++ return nil, fmt.Errorf("cannot read sftp host key path: %w", err)
++ }
++
++ key, _, _, _, err := ssh.ParseAuthorizedKey(buf)
++ if err != nil {
++ return nil, fmt.Errorf("cannot parse sftp host key path: path=%s len=%d err=%w", c.HostKeyPath, len(buf), err)
++ }
++ config.HostKeyCallback = ssh.FixedHostKey(key)
++ }
++
+ if c.KeyPath != "" {
+ buf, err := os.ReadFile(c.KeyPath)
+ if err != nil {
\
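Review bot: The `if c.HostKeyPath == ""` fallback in the replica_client.go hunk keeps `ssh.InsecureIgnoreHostKey()` without any comment or warning, so a litestream config that does not set the new `host-key-path` option stays as exposed to the CVE-2024-41254 MITM as before; the package.nix hunk that drops `knownVulnerabilities` therefore claims more than this opt-in backport delivers. Making the trade-off visible at the fallback, e.g. `// No host-key-path configured: skip host key verification (pre-CVE-2024-41254 behaviour, kept for compatibility).`, would at least stop the next reader from taking that branch for a safe default. The new `HostKeyPath` fields in ReplicaConfig and ReplicaClient also carry no doc comment; something like `// HostKeyPath is a file holding the server's public host key in authorized_keys format (parsed with ssh.ParseAuthorizedKey and pinned with ssh.FixedHostKey); empty disables host key verification.` tells users what file to provide. The body of Init continues past the end of this nested hunk.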
No newline at end of file
diff --git a/pkgs/by-name/li/litestream/package.nix b/pkgs/by-name/li/litestream/package.nix
index 9407d958f7d9..f6414af6ef24 100644
--- a/pkgs/by-name/li/litestream/package.nix
+++ b/pkgs/by-name/li/litestream/package.nix
@@ -23,6 +23,8 @@ buildGoModule rec {
 vendorHash = "sha256-sYIY3Z3VrCqbjEbQtEY7q6Jljg8jMoa2qWEB/IkDjzM=";
+ patches = [ ./fix-cve-2024-41254.patch ];
+
 passthru.tests = { inherit (nixosTests) litestream; };
 meta = with lib; {
@@ -31,6 +33,5 @@ buildGoModule rec {
 license = licenses.asl20;
 homepage = "https://litestream.io/";
 maintainers = with maintainers; [ fbrs ];
- knownVulnerabilities = [ "CVE-2024-41254" ];
 };
 }
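Review bot: `patches = [ ./fix-cve-2024-41254.patch ];` records nothing about where the vendored patch comes from, and the `index 1234567..abcdefg` line inside that file suggests it was assembled by hand rather than exported from the upstream repository. The commit message names upstream commit f6c859061bfd7ccc2a21fcde3e9f0eb9ad98cd5e, so either fetching it with `fetchpatch` (url plus hash) or a comment above the list such as `# Backport of upstream commit f6c859061bfd7ccc2a21fcde3e9f0eb9ad98cd5e: opt-in SSH host key verification (CVE-2024-41254)` would let a maintainer check the vendored copy against its source.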