talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

litestream: fix CVE-2024-41254 by adding SSH host key verification (#421926)

Browse Source
This commit is contained in:
Aleksana 2025-07-25 15:48:04 +08:00 committed by GitHub
commit 7fd36ee82c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
pkgs/by-name/li/litestream/fix-cve-2024-41254.patch Normal file
View File

@ -0,0 +1,64 @@
diff --git a/cmd/litestream/main.go b/cmd/litestream/main.go
index 1234567..abcdefg 100644
--- a/cmd/litestream/main.go
+++ b/cmd/litestream/main.go
@@ -362,6 +362,7 @@ type ReplicaConfig struct {
Host string `yaml:"host"`
User string `yaml:"user"`
Password string `yaml:"password"`
KeyPath string `yaml:"key-path"`
+ HostKeyPath string `yaml:"host-key-path"`
// Encryption identities and recipients
@@ -664,6 +665,7 @@ func NewReplicaFromConfig(c *ReplicaConfig, dbc *DBConfig) (_ litestream.Replic
client.Password = password
client.Path = path
client.KeyPath = c.KeyPath
+ client.HostKeyPath = c.HostKeyPath
return client, nil
}
diff --git a/sftp/replica_client.go b/sftp/replica_client.go
index 30d8fa87..8b651e97 100644
--- a/sftp/replica_client.go
+++ b/sftp/replica_client.go
@@ -41,6 +41,7 @@ type ReplicaClient struct {
Password string
Path string
KeyPath string
+ HostKeyPath string
DialTimeout time.Duration
}
@@ -71,14 +72,28 @@ func (c *ReplicaClient) Init(ctx context.Context) (_ *sftp.Client, err error) {
// Build SSH configuration & auth methods
config := &ssh.ClientConfig{
- User: c.User,
- HostKeyCallback: ssh.InsecureIgnoreHostKey(),
- BannerCallback: ssh.BannerDisplayStderr(),
+ User: c.User,
+ BannerCallback: ssh.BannerDisplayStderr(),
}
if c.Password != "" {
config.Auth = append(config.Auth, ssh.Password(c.Password))
}
+ if c.HostKeyPath == "" {
+ config.HostKeyCallback = ssh.InsecureIgnoreHostKey()
+ } else {
+ buf, err := os.ReadFile(c.HostKeyPath)
+ if err != nil {
+ return nil, fmt.Errorf("cannot read sftp host key path: %w", err)
+ }
+
+ key, _, _, _, err := ssh.ParseAuthorizedKey(buf)
+ if err != nil {
+ return nil, fmt.Errorf("cannot parse sftp host key path: path=%s len=%d err=%w", c.HostKeyPath, len(buf), err)
+ }
+ config.HostKeyCallback = ssh.FixedHostKey(key)
+ }
+
if c.KeyPath != "" {
buf, err := os.ReadFile(c.KeyPath)
if err != nil {

3
pkgs/by-name/li/litestream/package.nix
View File

@ -23,6 +23,8 @@ buildGoModule rec {
vendorHash = "sha256-sYIY3Z3VrCqbjEbQtEY7q6Jljg8jMoa2qWEB/IkDjzM="; vendorHash = "sha256-sYIY3Z3VrCqbjEbQtEY7q6Jljg8jMoa2qWEB/IkDjzM=";
patches = [ ./fix-cve-2024-41254.patch ];
passthru.tests = { inherit (nixosTests) litestream; }; passthru.tests = { inherit (nixosTests) litestream; };
meta = with lib; { meta = with lib; {
@ -31,6 +33,5 @@ buildGoModule rec {
license = licenses.asl20; license = licenses.asl20;
homepage = "https://litestream.io/"; homepage = "https://litestream.io/";
maintainers = with maintainers; [ fbrs ]; maintainers = with maintainers; [ fbrs ];
knownVulnerabilities = [ "CVE-2024-41254" ];
}; };
} }