Merge pull request 'openssh: Temporary patch for CVE-2024-6387 mitigation' (#30) from KokaKiwi/nixcfg:openssh-mitigation into main

Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/nixcfg/pulls/30

1 files changed, 17 insertions, 0 deletions

diff --git a/nix/configuration.nix b/nix/configuration.nix
index 68751a2..ab7b11a 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -78,6 +78,23 @@ SystemMaxUse=1G
   services.openssh.enable = true;
   services.openssh.settings.PasswordAuthentication = false;
 
+  # FIXME: Temporary patch for OpenSSH (CVE-2024-6387)
+  # Patches from backport PR: https://github.com/NixOS/nixpkgs/pull/323765
+  programs.ssh.package = pkgs.openssh.overrideAttrs(prev: {
+    patches = prev.patches ++ [
+      (pkgs.fetchpatch {
+        url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-CVE-2024-6387.patch";
+        hash = "sha256-B3Wz/eWSdOnrOcVzDv+QqzLGdFlb3jivQ8qZMC3d0Qw=";
+      })
+      (pkgs.fetchpatch {
+        url = "https://raw.githubusercontent.com/emilazy/nixpkgs/c21c340818954576c6401ad460a9d42bab030bc4/pkgs/tools/networking/openssh/openssh-9.6_p1-chaff-logic.patch";
+        hash = "sha256-lepBEFxKTAwg379iCD8KQCZVAzs3qNSSyUTOcartpK4=";
+      })
+    ];
+
+    doCheck = false;
+  });
+
   virtualisation.docker = {
     enable = true;
     extraOptions = "--config-file=${pkgs.writeText "daemon.json" (builtins.toJSON {