
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-45193 affects Matrix libolm through version 3.2.16. The vulnerability is Ed25519 signature malleability caused by a missing validation check: the verifier does not ensure that the scalar S is less than n, the order of the base point, during signature verification. This vulnerability was discovered in August 2024 and affects the libolm implementation of Olm. The issue only affects products that are no longer supported by the maintainer (NVD).
The vulnerability stems from the Ed25519 library used within Olm not ensuring that S < n during signature verification, which makes signatures malleable. This means that for a given valid signature, it is possible to produce a second, byte-wise different signature that also verifies for the same message under the same key. The issue is present in the Ed25519 verification code, where the implementation lacks the proper validation check (Soatok Blog).
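The missing bound described above, written out as an added example (this is not libolm's or vodozemac's code): the canonical-S check that RFC 8032 requires, a helper that builds the non-canonical twin of a signature as a regression vector a fixed verifier must reject, and a wrapper that applies the check in front of a lax verifier (the wrapped verifier's `(sig, msg, pk)` calling convention is an assumption).

```python
# Added example, not code from libolm or vodozemac: the canonical-S check
# from RFC 8032 section 5.1.7 that CVE-2024-45193's libolm omitted.
# Standard library only.
from typing import Callable, Optional

# Order of the Ed25519 base point B (RFC 8032 section 5.1).
ED25519_L = 2**252 + 27742317777372353535851937790883648493
SIG_LEN = 64  # R (32 bytes) || S (32 bytes, little-endian integer)


def decode_s(sig: bytes) -> int:
    """Return the scalar S encoded in the second half of a 64-byte signature."""
    if len(sig) != SIG_LEN:
        raise ValueError("Ed25519 signature must be exactly 64 bytes")
    return int.from_bytes(sig[32:], "little")


def s_is_canonical(sig: bytes) -> bool:
    """The check libolm lacked: accept only 0 <= S < L.

    Since B has order L, S and S + L give the same point [S]B, so a verifier
    that skips this bound accepts two different byte strings for the same
    (message, key) pair.
    """
    return len(sig) == SIG_LEN and decode_s(sig) < ED25519_L


def noncanonical_twin(sig: bytes) -> Optional[bytes]:
    """Regression vector for a verifier: the same signature with S + L.

    S + L < 2L < 2**253, so it always fits in 32 bytes. Returns None when the
    input is not itself canonical.
    """
    if not s_is_canonical(sig):
        return None
    s_prime = decode_s(sig) + ED25519_L
    return sig[:32] + s_prime.to_bytes(32, "little")


def strict_verify(verify: Callable[[bytes, bytes, bytes], bool],
                  sig: bytes, msg: bytes, pk: bytes) -> bool:
    """Run the canonical-S check in front of a lax verifier.

    `verify` is assumed to take (sig, msg, pk); a non-canonical signature is
    rejected before the underlying library ever sees it.
    """
    return s_is_canonical(sig) and verify(sig, msg, pk)
```

The twin produced here is what a test suite for a patched verifier should feed in and expect to be rejected; a verifier that accepts both the original and the twin still has the bug.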
The impact of this vulnerability is considered low to medium, since signature malleability is usually not critical for most protocols unless signatures are used in contexts where their exact bytes matter, such as cryptocurrency applications. The CVSS v3.1 score is 4.3 (MEDIUM) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).
Rather than fixing libolm, the Matrix team has deprecated the library and recommends all Matrix clients migrate to vodozemac. However, as of the vulnerability disclosure, only about 19% of Matrix clients supporting E2EE had adopted vodozemac, while the majority still used the vulnerable libolm implementation (Soatok Blog).
The disclosure of this vulnerability, along with other issues in libolm, has sparked significant discussion in the security community. The Matrix development team's admission that they knowingly shipped cryptography code with known vulnerabilities for years has been met with criticism from security researchers. This revelation led some security experts to strengthen their stance against recommending Matrix as a secure messaging platform (Soatok Blog, Hacker News).
Source: This report was generated using AI