libreswan: 3.18 -> 3.29 (security)
addressing CVE-2019-12312 & CVE-2019-10155
This commit is contained in:
parent
d17ecebcf0
commit
183ef82f98
|
@ -1,12 +1,12 @@
|
|||
{ stdenv, fetchurl, makeWrapper,
|
||||
pkgconfig, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr,
|
||||
bash, iproute, iptables, procps, coreutils, gnused, gawk, nss, which, python,
|
||||
docs ? false, xmlto
|
||||
docs ? false, xmlto, libselinux, ldns
|
||||
}:
|
||||
|
||||
let
|
||||
optional = stdenv.lib.optional;
|
||||
version = "3.18";
|
||||
version = "3.29";
|
||||
name = "libreswan-${version}";
|
||||
binPath = stdenv.lib.makeBinPath [
|
||||
bash iproute iptables procps coreutils gnused gawk nss.tools which python
|
||||
|
@ -14,6 +14,7 @@ let
|
|||
in
|
||||
|
||||
assert docs -> xmlto != null;
|
||||
assert stdenv.isLinux -> libselinux != null;
|
||||
|
||||
stdenv.mkDerivation {
|
||||
inherit name;
|
||||
|
@ -21,7 +22,7 @@ stdenv.mkDerivation {
|
|||
|
||||
src = fetchurl {
|
||||
url = "https://download.libreswan.org/${name}.tar.gz";
|
||||
sha256 = "0zginnakxw7m79zrdvfdvliaiyg78zgqfqkks9z5d1rjj5w13xig";
|
||||
sha256 = "0gmbb1m5in5dvnbk1n31r8myrdankzvi6yk9gcqbcwijyih423nn";
|
||||
};
|
||||
|
||||
# These flags were added to compile v3.18. Try to lift them when updating.
|
||||
|
@ -34,15 +35,21 @@ stdenv.mkDerivation {
|
|||
|
||||
nativeBuildInputs = [ makeWrapper pkgconfig ];
|
||||
buildInputs = [ bash iproute iptables systemd coreutils gnused gawk gmp unbound bison flex pam libevent
|
||||
libcap_ng curl nspr nss python ]
|
||||
++ optional docs xmlto;
|
||||
libcap_ng curl nspr nss python ldns ]
|
||||
++ optional docs xmlto
|
||||
++ optional stdenv.isLinux libselinux;
|
||||
|
||||
prePatch = ''
|
||||
# Correct bash path
|
||||
sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk
|
||||
|
||||
# Fix systemd unit directory, and prevent the makefile from trying to reload the systemd daemon
|
||||
sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|' -e 's|systemctl --system daemon-reload|true|' initsystems/systemd/Makefile
|
||||
# Fix systemd unit directory, and prevent the makefile from trying to reload the
|
||||
# systemd daemon or create tmpfiles
|
||||
sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|g' \
|
||||
-e 's|TMPFILESDIR=.*$|TMPFILESDIR=$\{out}/tmpfiles.d/|g' \
|
||||
-e 's|systemctl|true|g' \
|
||||
-e 's|systemd-tmpfiles|true|g' \
|
||||
initsystems/systemd/Makefile
|
||||
|
||||
# Fix the ipsec program from crushing the PATH
|
||||
sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in
|
||||
|
@ -51,8 +58,6 @@ stdenv.mkDerivation {
|
|||
sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in
|
||||
'';
|
||||
|
||||
patches = [ ./libreswan-3.18-glibc-2.26.patch ];
|
||||
|
||||
# Set appropriate paths for build
|
||||
preBuild = "export INC_USRLOCAL=\${out}";
|
||||
|
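Review bot: The context line `# These flags were added to compile v3.18. Try to lift them when updating.` in hunk `@ -21,7 +22,7 @@` is now stale: the version is bumped to 3.29 in the same section, but the flags it refers to (outside this hunk) are neither lifted nor re-justified, so the next maintainer cannot tell whether 3.29 still needs them. Either drop the ones that are no longer required or reword the comment to `# These flags were added to compile v3.18 and kept unchanged for 3.29; re-check on the next update.`. Separately, in the prePatch hunk the new expression `-e 's|systemctl|true|g'` rewrites every occurrence of the word in initsystems/systemd/Makefile, whereas the old `'s|systemctl --system daemon-reload|true|'` targeted only the reload invocation; anchoring it as `-e 's|systemctl --system daemon-reload|true|g'` (and equally narrowly for `systemd-tmpfiles`) avoids silently altering unrelated paths or strings, although whether that Makefile contains any is not visible here. The enclosing `stdenv.mkDerivation {` attribute set starts in an earlier hunk and ends outside this one.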
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
diff --git a/lib/libswan/id.c b/lib/libswan/id.c
|
||||
index 8f06275..efb0394 100644
|
||||
--- a/lib/libswan/id.c
|
||||
+++ b/lib/libswan/id.c
|
||||
@@ -22,6 +22,7 @@
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
+#include <limits.h>
|
||||
#include <unistd.h>
|
||||
#ifndef HOST_NAME_MAX /* POSIX 1003.1-2001 says <unistd.h> defines this */
|
||||
#define HOST_NAME_MAX 255 /* upper bound, according to SUSv2 */
|
||||
diff --git a/linux/include/libreswan.h b/linux/include/libreswan.h
|
||||
index c5efc6a..b0af4d7 100644
|
||||
--- a/linux/include/libreswan.h
|
||||
+++ b/linux/include/libreswan.h
|
||||
@@ -211,6 +211,7 @@ static inline deltatime_t monotimediff(monotime_t a, monotime_t b) {
|
||||
#include <assert.h>
|
||||
#define user_assert(foo) assert(foo)
|
||||
#include <stdio.h>
|
||||
+#include <stdint.h>
|
||||
|
||||
# define uint8_t u_int8_t
|
||||
# define uint16_t u_int16_t
|
||||
diff --git a/programs/pluto/rcv_whack.c b/programs/pluto/rcv_whack.c
|
||||
index 588c66c..4fc6289 100644
|
||||
--- a/programs/pluto/rcv_whack.c
|
||||
+++ b/programs/pluto/rcv_whack.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <stddef.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <limits.h>
|
||||
#include <unistd.h>
|
||||
#ifndef HOST_NAME_MAX /* POSIX 1003.1-2001 says <unistd.h> defines this */
|
||||
# define HOST_NAME_MAX 255 /* upper bound, according to SUSv2 */
|