From 0596106683b60f66622c21b1633b21aa7217ac5a Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 10 Jul 2025 15:29:24 +0200
Subject: [PATCH 1/3] ffmpeg-full: migrate from libmfx to libvpl
Provides support for newer hardware (from Tiger Lake, 11th gen), which was released in late 2020. Also, this adds support for the Intel GPUs, which also work on aarch64-linux. The intel-media-sdk/libmfx repo was archived back in 2023 and to this day there are five known local privilege escalation vulnerabilites, that I do not want us to ship by default anymore. Older hardware can probably[1][2] still rely on VA-API instead, which should be sufficient harm reduction.
[1] https://trac.ffmpeg.org/wiki/Hardware/VAAPI
[2] https://jellyfin.org/docs/general/post-install/transcoding/hardware-acceleration/intel/
---
 pkgs/development/libraries/ffmpeg/generic.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/development/libraries/ffmpeg/generic.nix b/pkgs/development/libraries/ffmpeg/generic.nix
index 30f2240d2ca4..33bf1d44a544 100644
--- a/pkgs/development/libraries/ffmpeg/generic.nix
+++ b/pkgs/development/libraries/ffmpeg/generic.nix
@@ -99,7 +99,7 @@
 withLcms2 ? withFullDeps, # ICC profile support via lcms2
 withLzma ? withHeadlessDeps, # xz-utils
 withMetal ? false, # Unfree and requires manual downloading of files
- withMfx ? withFullDeps && (with stdenv.hostPlatform; isLinux && !isAarch), # Hardware acceleration via intel-media-sdk/libmfx
+ withMfx ? false, # Hardware acceleration via intel-media-sdk/libmfx
 withModplug ? withFullDeps && !stdenv.hostPlatform.isDarwin, # ModPlug support
 withMp3lame ? withHeadlessDeps, # LAME MP3 encoder
 withMysofa ? withFullDeps, # HRTF support via SOFAlizer
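Review bot: The new `withMfx ? false` default gives no hint of why the switch was turned off, so anyone flipping it back to true for older hardware gets no warning that intel-media-sdk is marked vulnerable later in this series and will refuse to evaluate without an insecure-package allowance. The trailing comment is the natural place to carry that reason, since the commit message will not be visible from the file. I'd change the added line to `withMfx ? false, # Hardware acceleration via intel-media-sdk/libmfx (EOL, known LPE CVEs; prefer withVpl)`. The argument set this binding belongs to starts and ends outside the hunk.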
@@ -145,7 +145,7 @@
 withVmaf ? withFullDeps && !stdenv.hostPlatform.isAarch64 && lib.versionAtLeast version "5", # Netflix's VMAF (Video Multi-Method Assessment Fusion)
 withVoAmrwbenc ? withFullDeps && withVersion3, # AMR-WB encoder
 withVorbis ? withHeadlessDeps, # Vorbis de/encoding, native encoder exists
- withVpl ? false, # Hardware acceleration via intel libvpl
+ withVpl ? withFullDeps && stdenv.hostPlatform.isLinux, # Hardware acceleration via intel libvpl
 withVpx ? withHeadlessDeps && stdenv.buildPlatform == stdenv.hostPlatform, # VP8 & VP9 de/encoding
 withVulkan ? withHeadlessDeps && !stdenv.hostPlatform.isDarwin,
 withVvenc ? withFullDeps && lib.versionAtLeast version "7.1", # H.266/VVC encoding
From 4eacb1412e92cb1e9b4d61771e10d273afe31108 Mon Sep 17 00:00:00 2001
From: Martin Weinelt
Date: Thu, 10 Jul 2025 16:12:37 +0200
Subject: [PATCH 2/3] sunshine: drop dependency on intel-media-sdk
Was dropped upstream in the 2025.118.151840.
---
 pkgs/by-name/su/sunshine/package.nix | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/pkgs/by-name/su/sunshine/package.nix b/pkgs/by-name/su/sunshine/package.nix
index 3af68dcfa3d4..cc7c211b49d0 100644
--- a/pkgs/by-name/su/sunshine/package.nix
+++ b/pkgs/by-name/su/sunshine/package.nix
@@ -39,7 +39,6 @@
 libglvnd,
 numactl,
 amf-headers,
- intel-media-sdk,
 svt-av1,
 vulkan-loader,
 libappindicator,
@@ -146,9 +145,6 @@ stdenv'.mkDerivation rec {
 ++ lib.optionals cudaSupport [
 cudaPackages.cudatoolkit
 cudaPackages.cuda_cudart
- ]
- ++ lib.optionals stdenv.hostPlatform.isx86_64 [
- intel-media-sdk
 ];
 runtimeDependencies = [
From c7a9aa54ec7f1a14e4a243c22bb13084620e295a Mon Sep 17 00:00:00 2001
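Review bot: Nothing in the new `withVpl ? withFullDeps && stdenv.hostPlatform.isLinux` default prevents `withMfx` and `withVpl` from being enabled together, which is now a realistic combination because a user keeping pre-Tiger-Lake hardware working will override `withMfx = true` while the libvpl default stays on; as far as I recall, ffmpeg's configure refuses `--enable-libmfx` together with `--enable-libvpl`, so that override would fail late in the build rather than at evaluation. If the file's existing assertions (outside this hunk) do not already cover it, I'd add `assert withMfx -> !withVpl;` next to them so the conflict is reported up front. The new default also includes aarch64-linux, matching the commit message, but that only holds if the `libvpl` package's `meta.platforms` actually lists it — worth confirming before this lands. The argument set this binding belongs to starts and ends outside the hunk.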
From: Martin Weinelt
Date: Thu, 10 Jul 2025 16:04:27 +0200
Subject: [PATCH 3/3] intel-media-sdk: mark vulnerable
The upstream repo was archived on 2023-05-17 with the following comment: > This project has been identified as having known security escapes. It is now clear what (some) of these are, which prompts marking this package as vulnerable. This is now safe to do, as it is not a default part of our ffmpeg-full package any longer.
---
 pkgs/by-name/in/intel-media-sdk/package.nix | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/pkgs/by-name/in/intel-media-sdk/package.nix b/pkgs/by-name/in/intel-media-sdk/package.nix
index 26a77a7ed94e..3401d07089e6 100644
--- a/pkgs/by-name/in/intel-media-sdk/package.nix
+++ b/pkgs/by-name/in/intel-media-sdk/package.nix
@@ -69,6 +69,16 @@ stdenv.mkDerivation rec {
 midchildan
 pjungkamp
 ];
+ knownVulnerabilities = [
+ ''
+ End of life with various local privilege escalation vulnerabilites:
+ - CVE-2023-22656
+ - CVE-2023-45221
+ - CVE-2023-47169
+ - CVE-2023-47282
+ - CVE-2023-48368
+ ''
+ ];
 platforms = [ "x86_64-linux" ];
 };
}
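Review bot: The added `knownVulnerabilities` text misspells "vulnerabilites"; this string is what users see when evaluation is refused, so it should read `End of life with various local privilege escalation vulnerabilities:`. From what I recall of nixpkgs convention, the list is also meant to hold one entry per issue rather than a single multi-line block, so that tooling can match individual identifiers — I'd make each CVE its own string (`"CVE-2023-22656"`, and so on) and keep the end-of-life note as a separate entry. A reference to the upstream archival notice the commit message quotes would let a reader check the claim without leaving the file. The `meta` set this lands in starts outside the hunk.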