arti: add patch for TROVE-2026-024

TROVE: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE

an invalid assumption of ASCII in port policies could allow a malicious
directory cache to crash arti clients. this issue was originally
publicly reported at
https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/4049
and the final fix was merged as
https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/4062. this
allows for DoSing clients, and has been allocated the the TROVE-2026-024
id with medium severity. we fetch the patch for it here, and may upgrade
to 2.4.1 or similar if upstream releases one.

(cherry picked from commit d355b592b8)
This commit is contained in:
whispers 2026-06-03 14:47:45 -04:00 committed by github-actions[bot]
commit eb8720b009

View file

@ -3,6 +3,7 @@
stdenv,
rustPlatform,
fetchFromGitLab,
fetchpatch,
pkg-config,
sqlite,
openssl,
@ -24,6 +25,17 @@ rustPlatform.buildRustPackage (finalAttrs: {
hash = "sha256-YLOdrHstmN2pLl75uclkbpN5h3iBs3xpraZ8XN6R/+Q=";
};
patches = [
# Fixes a panic that could allow malicious directory caches to crash
# clients.
# https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/4062
(fetchpatch {
name = "TROVE-2026-024.patch";
url = "https://gitlab.torproject.org/tpo/core/arti/-/commit/f69be8c70561629e63004788f0aa4bf898025f93.patch";
hash = "sha256-P0sXTKOBW7ulqQZwmTVJfrpLksLyaonuDpxGF2keDqE=";
})
];
# Working around a bug in cargo that appears with cargo-auditable, see
# https://github.com/rust-secure-code/cargo-auditable/issues/124.
postPatch = ''