ipsec-tools: apply debians patch to fix CVE-2015-4047

pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch

@@ -0,0 +1,16 @@
+Index: pkg-ipsec-tools/src/racoon/gssapi.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/gssapi.c
++++ pkg-ipsec-tools/src/racoon/gssapi.c
+@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1)
+	gss_name_t princ, canon_princ;
+	OM_uint32 maj_stat, min_stat;
+
++	if (iph1->rmconf == NULL) {
++		plog(LLV_ERROR, LOCATION, NULL, "no remote config\n");
++		return -1;
++	}
++
+	gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
+	if (gps == NULL) {
+		plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");

pkgs/os-specific/linux/ipsec-tools/default.nix

@@ -16,7 +16,8 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ readline openssl flex kerberos pam ];
 
-  patches = [ ./dont-create-localstatedir-during-install.patch ];
+  patches = [ ./dont-create-localstatedir-during-install.patch
+              ./CVE-2015-4047.patch ];
 
   # fix build with newer gcc versions
   preConfigure = ''substituteInPlace configure --replace "-Werror" "" '';