public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

libreswan: 3.18 -> 3.29 (security)

Browse Source 
addressing CVE-2019-12312 & CVE-2019-10155
This commit is contained in:
Robert Scott 2019-12-07 23:52:42 +00:00 committed by Frederik Rietdijk
parent d17ecebcf0
commit 183ef82f98
2 changed files with 14 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
pkgs/tools/networking/libreswan/default.nix
View File

@ -1,12 +1,12 @@
{ stdenv, fetchurl, makeWrapper, { stdenv, fetchurl, makeWrapper,
pkgconfig, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr, pkgconfig, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr,
bash, iproute, iptables, procps, coreutils, gnused, gawk, nss, which, python, bash, iproute, iptables, procps, coreutils, gnused, gawk, nss, which, python,
docs ? false, xmlto docs ? false, xmlto, libselinux, ldns
}: }:
let let
optional = stdenv.lib.optional; optional = stdenv.lib.optional;
version = "3.18"; version = "3.29";
name = "libreswan-${version}"; name = "libreswan-${version}";
binPath = stdenv.lib.makeBinPath [ binPath = stdenv.lib.makeBinPath [
bash iproute iptables procps coreutils gnused gawk nss.tools which python bash iproute iptables procps coreutils gnused gawk nss.tools which python
@ -14,6 +14,7 @@ let
in in
assert docs -> xmlto != null; assert docs -> xmlto != null;
assert stdenv.isLinux -> libselinux != null;
stdenv.mkDerivation { stdenv.mkDerivation {
inherit name; inherit name;
@ -21,7 +22,7 @@ stdenv.mkDerivation {
src = fetchurl { src = fetchurl {
url = "https://download.libreswan.org/${name}.tar.gz"; url = "https://download.libreswan.org/${name}.tar.gz";
sha256 = "0zginnakxw7m79zrdvfdvliaiyg78zgqfqkks9z5d1rjj5w13xig"; sha256 = "0gmbb1m5in5dvnbk1n31r8myrdankzvi6yk9gcqbcwijyih423nn";
}; };
# These flags were added to compile v3.18. Try to lift them when updating. # These flags were added to compile v3.18. Try to lift them when updating.
@ -34,15 +35,21 @@ stdenv.mkDerivation {
nativeBuildInputs = [ makeWrapper pkgconfig ]; nativeBuildInputs = [ makeWrapper pkgconfig ];
buildInputs = [ bash iproute iptables systemd coreutils gnused gawk gmp unbound bison flex pam libevent buildInputs = [ bash iproute iptables systemd coreutils gnused gawk gmp unbound bison flex pam libevent
libcap_ng curl nspr nss python ] libcap_ng curl nspr nss python ldns ]
++ optional docs xmlto; ++ optional docs xmlto
++ optional stdenv.isLinux libselinux;
prePatch = '' prePatch = ''
# Correct bash path # Correct bash path
sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk
# Fix systemd unit directory, and prevent the makefile from trying to reload the systemd daemon # Fix systemd unit directory, and prevent the makefile from trying to reload the
sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|' -e 's|systemctl --system daemon-reload|true|' initsystems/systemd/Makefile # systemd daemon or create tmpfiles
sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|g' \
-e 's|TMPFILESDIR=.*$|TMPFILESDIR=$\{out}/tmpfiles.d/|g' \
-e 's|systemctl|true|g' \
-e 's|systemd-tmpfiles|true|g' \
initsystems/systemd/Makefile
# Fix the ipsec program from crushing the PATH # Fix the ipsec program from crushing the PATH
sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in
@ -51,8 +58,6 @@ stdenv.mkDerivation {
sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in
''; '';
patches = [ ./libreswan-3.18-glibc-2.26.patch ];
# Set appropriate paths for build # Set appropriate paths for build
preBuild = "export INC_USRLOCAL=\${out}"; preBuild = "export INC_USRLOCAL=\${out}";

36
pkgs/tools/networking/libreswan/libreswan-3.18-glibc-2.26.patch
View File

@ -1,36 +0,0 @@
diff --git a/lib/libswan/id.c b/lib/libswan/id.c
index 8f06275..efb0394 100644
--- a/lib/libswan/id.c
+++ b/lib/libswan/id.c
@@ -22,6 +22,7 @@
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <limits.h>
#include <unistd.h>
#ifndef HOST_NAME_MAX /* POSIX 1003.1-2001 says <unistd.h> defines this */
#define HOST_NAME_MAX 255 /* upper bound, according to SUSv2 */
diff --git a/linux/include/libreswan.h b/linux/include/libreswan.h
index c5efc6a..b0af4d7 100644
--- a/linux/include/libreswan.h
+++ b/linux/include/libreswan.h
@@ -211,6 +211,7 @@ static inline deltatime_t monotimediff(monotime_t a, monotime_t b) {
#include <assert.h>
#define user_assert(foo) assert(foo)
#include <stdio.h>
+#include <stdint.h>
# define uint8_t u_int8_t
# define uint16_t u_int16_t
diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c
index 588c66c..4fc6289 100644
--- a/programs/pluto/rcv_whack.c
+++ b/programs/pluto/rcv_whack.c
@@ -24,6 +24,7 @@
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include <unistd.h>
#ifndef HOST_NAME_MAX /* POSIX 1003.1-2001 says <unistd.h> defines this */
# define HOST_NAME_MAX 255 /* upper bound, according to SUSv2 */