
Nix refusing to evaluate due to CVE-2024-23342

Open jhvst opened this issue 4 months ago • 3 comments

What I am trying to do:

    nix build github:nixos/nixpkgs/nixos-25.05#trezor-agent

What I get instead:

error:
       … while evaluating the attribute 'drvPath'
         at /nix/store/6dvf3k09y1gs9h4sisybvyqdxcyri8xb-source/lib/customisation.nix:418:7:
          417|     // {
          418|       drvPath =
             |       ^
          419|         assert condition;

       … while calling the 'derivationStrict' builtin
         at <nix/derivation-internal.nix>:37:12:
           36|
           37|   strict = derivationStrict drvAttrs;
             |            ^
           38|

       (stack trace truncated; use '--show-trace' to show the full, detailed trace)

       error: Package ‘python3.12-ecdsa-0.19.1’ in /nix/store/6dvf3k09y1gs9h4sisybvyqdxcyri8xb-source/pkgs/development/python-modules/ecdsa/default.nix:43 is marked as insecure, refusing to evaluate.


       Known issues:
        - CVE-2024-23342

       You can install it anyway by allowing this package, using the
       following methods:

       a) To temporarily allow all insecure packages, you can use an environment
          variable for a single invocation of the nix tools:

            $ export NIXPKGS_ALLOW_INSECURE=1

          Note: When using `nix shell`, `nix build`, `nix develop`, etc with a flake,
                then pass `--impure` in order to allow use of environment variables.

       b) for `nixos-rebuild` you can add ‘python3.12-ecdsa-0.19.1’ to
          `nixpkgs.config.permittedInsecurePackages` in the configuration.nix,
          like so:

            {
              nixpkgs.config.permittedInsecurePackages = [
                "python3.12-ecdsa-0.19.1"
              ];
            }

       c) For `nix-env`, `nix-build`, `nix-shell` or any other Nix command you can add
          ‘python3.12-ecdsa-0.19.1’ to `permittedInsecurePackages` in
          ~/.config/nixpkgs/config.nix, like so:

            {
              permittedInsecurePackages = [
                "python3.12-ecdsa-0.19.1"
              ];
            }

Also see: https://github.com/NixOS/nixpkgs/pull/454346
And: https://github.com/tlsfuzzer/python-ecdsa/issues/330

Wondering whether you are planning on migrating the library or should I permit the package?

jhvst, Oct 28 '25 18:10
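Instead of exporting NIXPKGS_ALLOW_INSECURE=1, which silences the insecurity check for every package in the evaluation, the allowance can be scoped to the one derivation named in the error. This is an added example, not code from the issue or from nixpkgs; the file name and the `--impure` invocation are assumptions (impure mode is required because `builtins.getFlake` on an unlocked ref and `builtins.currentSystem` are impure).

```nix
# scoped-permit.nix (hypothetical file name): allow only python3.12-ecdsa-0.19.1
# for this one evaluation, instead of blanket NIXPKGS_ALLOW_INSECURE=1.
#
# Usage (assumed invocation):
#   nix build --impure --file ./scoped-permit.nix
let
  # Same nixpkgs revision as the failing command in the issue.
  nixpkgs = builtins.getFlake "github:nixos/nixpkgs/nixos-25.05";

  # Import nixpkgs with an explicit config; any other package marked
  # insecure still refuses to evaluate.
  pkgs = import nixpkgs {
    system = builtins.currentSystem;
    config.permittedInsecurePackages = [
      "python3.12-ecdsa-0.19.1"   # exact name from the error message
    ];
  };
in
pkgs.trezor-agent
```

The package name must match the derivation name in the error exactly; a version bump of ecdsa in nixpkgs will make the allowance stop matching, which is the intended failure mode.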

Should be resolved by https://github.com/trezor/trezor-firmware/pull/6070 and by the upcoming 0.20 trezorlib release.

romanz, Oct 29 '25 09:10

Related: NixOS/nixpkgs#455630

andrevmatos, Nov 05 '25 21:11

libagent also needs a fix: https://github.com/trezor/trezor-firmware/pull/6070#issuecomment-3626557029

adrian-gierakowski, Dec 08 '25 12:12