gnu: isc-dhcp: Update to 4.3.3; update bundled bind to 9.9.8-P2.

Fixes CVE-2015-8000 and CVE-2015-8461.

* gnu/packages/admin.scm (isc-dhcp): Update to 4.3.3.
  [inputs]: Add 'bind-source-tarball'.
  [arguments]: Use modify-phases.  Add 'replace-bundled-bind' phase.
  In 'post-configure' phase, avoid hard-coding version numbers of
  bundled bind.
Mark H Weaver 2015-12-21 19:42:23 -05:00
parent f9a5b18897
commit 6548b1e122
1 changed files with 125 additions and 83 deletions


@ -388,20 +388,51 @@ connection alive.")
(license license:gpl3+))) (license license:gpl3+)))
(define-public isc-dhcp (define-public isc-dhcp
(let* ((bind-major-version "9")
(bind-minor-version "9")
(bind-patch-version "8")
(bind-release-type "-P")
(bind-release-version "2")
(bind-version (string-append bind-major-version
"."
bind-minor-version
"."
bind-patch-version
bind-release-type
bind-release-version)))
(package (package
(name "isc-dhcp") (name "isc-dhcp")
(version "4.3.1") (version "4.3.3")
(source (origin (source (origin
(method url-fetch) (method url-fetch)
(uri (string-append "http://ftp.isc.org/isc/dhcp/" (uri (string-append "http://ftp.isc.org/isc/dhcp/"
version "/dhcp-" version ".tar.gz")) version "/dhcp-" version ".tar.gz"))
(sha256 (sha256
(base32 (base32
"1w4s7sni1m9223ya8m2a64lr62845c6xlraprjf8zfx6lylbqv16")))) "1pjy4lylx7dww1fp2mk5ikya5vxaf97z70279j81n74vn12ljg2m"))))
(build-system gnu-build-system) (build-system gnu-build-system)
(arguments (arguments
'(#:phases (alist-cons-after `(#:phases
'configure 'post-configure (modify-phases %standard-phases
(add-after 'unpack 'replace-bundled-bind
(lambda* (#:key inputs #:allow-other-keys)
(delete-file "bind/bind.tar.gz")
(copy-file (assoc-ref inputs "bind-source-tarball")
"bind/bind.tar.gz")
(chmod "bind/bind.tar.gz" #o644)
(substitute* "bind/version.tmp"
(("^MAJORVER=.*")
(format #f "MAJORVER=~a\n" ,bind-major-version))
(("^MINORVER=.*")
(format #f "MINORVER=~a\n" ,bind-minor-version))
(("^PATCHVER=.*")
(format #f "PATCHVER=~a\n" ,bind-patch-version))
(("^RELEASETYPE=.*")
(format #f "RELEASETYPE=~a\n" ,bind-release-type))
(("^RELEASEVER=.*")
(format #f "RELEASEVER=~a\n" ,bind-release-version)))
#t))
(add-after 'configure 'post-configure
(lambda* (#:key outputs #:allow-other-keys) (lambda* (#:key outputs #:allow-other-keys)
;; Point to the right client script, which will be ;; Point to the right client script, which will be
;; installed in a later phase. ;; installed in a later phase.
@ -422,18 +453,18 @@ connection alive.")
(string-append "./configure CONFIG_SHELL=" (string-append "./configure CONFIG_SHELL="
sh " SHELL=" sh)))) sh " SHELL=" sh))))
(let ((bind-directory (string-append "bind-" ,bind-version)))
(system* "tar" "xf" "bind.tar.gz") (system* "tar" "xf" "bind.tar.gz")
(for-each patch-shebang (for-each patch-shebang
(find-files "bind-9.9.5-P1" ".*")) (find-files bind-directory ".*"))
(zero? (system* "tar" "cf" "bind.tar.gz" (zero? (system* "tar" "cf" "bind.tar.gz"
"bind-9.9.5-P1" bind-directory
;; avoid non-determinism in the archive ;; avoid non-determinism in the archive
"--sort=name" "--sort=name"
"--mtime=@0" "--mtime=@0"
"--owner=root:0" "--owner=root:0"
"--group=root:0")))) "--group=root:0"))))))
(alist-cons-after (add-after 'install 'post-install
'install 'post-install
(lambda* (#:key inputs outputs #:allow-other-keys) (lambda* (#:key inputs outputs #:allow-other-keys)
;; Install the dhclient script for GNU/Linux and make sure ;; Install the dhclient script for GNU/Linux and make sure
;; if finds all the programs it needs. ;; if finds all the programs it needs.
@ -458,8 +489,7 @@ connection alive.")
,(map (lambda (dir) ,(map (lambda (dir)
(string-append dir "/bin:" (string-append dir "/bin:"
dir "/sbin")) dir "/sbin"))
(list inetutils net-tools coreutils sed)))))) (list inetutils net-tools coreutils sed))))))))))
%standard-phases))))
(native-inputs `(("perl" ,perl))) (native-inputs `(("perl" ,perl)))
@ -467,6 +497,18 @@ connection alive.")
("net-tools" ,net-tools) ("net-tools" ,net-tools)
("iproute" ,iproute) ("iproute" ,iproute)
;; XXX isc-dhcp bundles a copy of bind that has security
;; flaws, so we use a newer version.
("bind-source-tarball"
,(origin
(method url-fetch)
(uri (string-append "http://ftp.isc.org/isc/bind9/"
bind-version
"/bind-" bind-version ".tar.gz"))
(sha256
(base32
"0agkpmpna7s67la13krn4xlhwhdjpazmljxlq0zbjdwnw4k1k17m"))))
;; When cross-compiling, we need the cross Coreutils and sed. ;; When cross-compiling, we need the cross Coreutils and sed.
;; Otherwise just use those from %FINAL-INPUTS. ;; Otherwise just use those from %FINAL-INPUTS.
,@(if (%current-target-system) ,@(if (%current-target-system)
@ -480,7 +522,7 @@ connection alive.")
"ISC's Dynamic Host Configuration Protocol (DHCP) distribution provides a "ISC's Dynamic Host Configuration Protocol (DHCP) distribution provides a
reference implementation of all aspects of DHCP, through a suite of DHCP reference implementation of all aspects of DHCP, through a suite of DHCP
tools: server, client, and relay agent.") tools: server, client, and relay agent.")
(license license:isc))) (license license:isc))))
(define-public libpcap (define-public libpcap
(package (package