gnu: isc-dhcp: Update to 4.3.3; update bundled bind to 9.9.8-P2.

Fixes CVE-2015-8000 and CVE-2015-8461.

* gnu/packages/admin.scm (isc-dhcp): Update to 4.3.3.
  [inputs]: Add 'bind-source-tarball'.
  [arguments]: Use modify-phases.  Add 'replace-bundled-bind' phase.
  In 'post-configure' phase, avoid hard-coding version numbers of
  bundled bind.
Mark H Weaver 2015-12-21 19:42:23 -05:00
parent f9a5b18897
commit 6548b1e122
1 changed files with 125 additions and 83 deletions


@ -388,99 +388,141 @@ connection alive.")
(license license:gpl3+))) (license license:gpl3+)))
(define-public isc-dhcp (define-public isc-dhcp
(package (let* ((bind-major-version "9")
(name "isc-dhcp") (bind-minor-version "9")
(version "4.3.1") (bind-patch-version "8")
(source (origin (bind-release-type "-P")
(method url-fetch) (bind-release-version "2")
(uri (string-append "http://ftp.isc.org/isc/dhcp/" (bind-version (string-append bind-major-version
version "/dhcp-" version ".tar.gz")) "."
(sha256 bind-minor-version
(base32 "."
"1w4s7sni1m9223ya8m2a64lr62845c6xlraprjf8zfx6lylbqv16")))) bind-patch-version
(build-system gnu-build-system) bind-release-type
(arguments bind-release-version)))
'(#:phases (alist-cons-after (package
'configure 'post-configure (name "isc-dhcp")
(lambda* (#:key outputs #:allow-other-keys) (version "4.3.3")
;; Point to the right client script, which will be (source (origin
;; installed in a later phase. (method url-fetch)
(substitute* "includes/dhcpd.h" (uri (string-append "http://ftp.isc.org/isc/dhcp/"
(("#define[[:blank:]]+_PATH_DHCLIENT_SCRIPT.*") version "/dhcp-" version ".tar.gz"))
(let ((out (assoc-ref outputs "out"))) (sha256
(string-append "#define _PATH_DHCLIENT_SCRIPT \"" (base32
out "/libexec/dhclient-script" "1pjy4lylx7dww1fp2mk5ikya5vxaf97z70279j81n74vn12ljg2m"))))
"\"\n")))) (build-system gnu-build-system)
(arguments
`(#:phases
(modify-phases %standard-phases
(add-after 'unpack 'replace-bundled-bind
(lambda* (#:key inputs #:allow-other-keys)
(delete-file "bind/bind.tar.gz")
(copy-file (assoc-ref inputs "bind-source-tarball")
"bind/bind.tar.gz")
(chmod "bind/bind.tar.gz" #o644)
(substitute* "bind/version.tmp"
(("^MAJORVER=.*")
(format #f "MAJORVER=~a\n" ,bind-major-version))
(("^MINORVER=.*")
(format #f "MINORVER=~a\n" ,bind-minor-version))
(("^PATCHVER=.*")
(format #f "PATCHVER=~a\n" ,bind-patch-version))
(("^RELEASETYPE=.*")
(format #f "RELEASETYPE=~a\n" ,bind-release-type))
(("^RELEASEVER=.*")
(format #f "RELEASEVER=~a\n" ,bind-release-version)))
#t))
(add-after 'configure 'post-configure
(lambda* (#:key outputs #:allow-other-keys)
;; Point to the right client script, which will be
;; installed in a later phase.
(substitute* "includes/dhcpd.h"
(("#define[[:blank:]]+_PATH_DHCLIENT_SCRIPT.*")
(let ((out (assoc-ref outputs "out")))
(string-append "#define _PATH_DHCLIENT_SCRIPT \""
out "/libexec/dhclient-script"
"\"\n"))))
;; During the 'build' phase, 'bind.tar.gz' is extracted, so ;; During the 'build' phase, 'bind.tar.gz' is extracted, so
;; we must patch shebangs in there and make sure the right ;; we must patch shebangs in there and make sure the right
;; shell is used. ;; shell is used.
(with-directory-excursion "bind" (with-directory-excursion "bind"
(substitute* "Makefile" (substitute* "Makefile"
(("\\./configure") (("\\./configure")
(let ((sh (which "sh"))) (let ((sh (which "sh")))
(string-append "./configure CONFIG_SHELL=" (string-append "./configure CONFIG_SHELL="
sh " SHELL=" sh)))) sh " SHELL=" sh))))
(system* "tar" "xf" "bind.tar.gz") (let ((bind-directory (string-append "bind-" ,bind-version)))
(for-each patch-shebang (system* "tar" "xf" "bind.tar.gz")
(find-files "bind-9.9.5-P1" ".*")) (for-each patch-shebang
(zero? (system* "tar" "cf" "bind.tar.gz" (find-files bind-directory ".*"))
"bind-9.9.5-P1" (zero? (system* "tar" "cf" "bind.tar.gz"
;; avoid non-determinism in the archive bind-directory
"--sort=name" ;; avoid non-determinism in the archive
"--mtime=@0" "--sort=name"
"--owner=root:0" "--mtime=@0"
"--group=root:0")))) "--owner=root:0"
(alist-cons-after "--group=root:0"))))))
'install 'post-install (add-after 'install 'post-install
(lambda* (#:key inputs outputs #:allow-other-keys) (lambda* (#:key inputs outputs #:allow-other-keys)
;; Install the dhclient script for GNU/Linux and make sure ;; Install the dhclient script for GNU/Linux and make sure
;; if finds all the programs it needs. ;; if finds all the programs it needs.
(let* ((out (assoc-ref outputs "out")) (let* ((out (assoc-ref outputs "out"))
(libexec (string-append out "/libexec")) (libexec (string-append out "/libexec"))
(coreutils (assoc-ref inputs "coreutils")) (coreutils (assoc-ref inputs "coreutils"))
(inetutils (assoc-ref inputs "inetutils")) (inetutils (assoc-ref inputs "inetutils"))
(net-tools (assoc-ref inputs "net-tools")) (net-tools (assoc-ref inputs "net-tools"))
(sed (assoc-ref inputs "sed"))) (sed (assoc-ref inputs "sed")))
(substitute* "client/scripts/linux" (substitute* "client/scripts/linux"
(("/sbin/ip") (("/sbin/ip")
(string-append (assoc-ref inputs "iproute") (string-append (assoc-ref inputs "iproute")
"/sbin/ip"))) "/sbin/ip")))
(mkdir-p libexec) (mkdir-p libexec)
(copy-file "client/scripts/linux" (copy-file "client/scripts/linux"
(string-append libexec "/dhclient-script")) (string-append libexec "/dhclient-script"))
(wrap-program (wrap-program
(string-append libexec "/dhclient-script") (string-append libexec "/dhclient-script")
`("PATH" ":" prefix `("PATH" ":" prefix
,(map (lambda (dir) ,(map (lambda (dir)
(string-append dir "/bin:" (string-append dir "/bin:"
dir "/sbin")) dir "/sbin"))
(list inetutils net-tools coreutils sed)))))) (list inetutils net-tools coreutils sed))))))))))
%standard-phases))))
(native-inputs `(("perl" ,perl))) (native-inputs `(("perl" ,perl)))
(inputs `(("inetutils" ,inetutils) (inputs `(("inetutils" ,inetutils)
("net-tools" ,net-tools) ("net-tools" ,net-tools)
("iproute" ,iproute) ("iproute" ,iproute)
;; When cross-compiling, we need the cross Coreutils and sed. ;; XXX isc-dhcp bundles a copy of bind that has security
;; Otherwise just use those from %FINAL-INPUTS. ;; flaws, so we use a newer version.
,@(if (%current-target-system) ("bind-source-tarball"
`(("coreutils" ,coreutils) ,(origin
("sed" ,sed)) (method url-fetch)
'()))) (uri (string-append "http://ftp.isc.org/isc/bind9/"
bind-version
"/bind-" bind-version ".tar.gz"))
(sha256
(base32
"0agkpmpna7s67la13krn4xlhwhdjpazmljxlq0zbjdwnw4k1k17m"))))
(home-page "http://www.isc.org/products/DHCP/") ;; When cross-compiling, we need the cross Coreutils and sed.
(synopsis "Dynamic Host Configuration Protocol (DHCP) tools") ;; Otherwise just use those from %FINAL-INPUTS.
(description ,@(if (%current-target-system)
"ISC's Dynamic Host Configuration Protocol (DHCP) distribution provides a `(("coreutils" ,coreutils)
("sed" ,sed))
'())))
(home-page "http://www.isc.org/products/DHCP/")
(synopsis "Dynamic Host Configuration Protocol (DHCP) tools")
(description
"ISC's Dynamic Host Configuration Protocol (DHCP) distribution provides a
reference implementation of all aspects of DHCP, through a suite of DHCP reference implementation of all aspects of DHCP, through a suite of DHCP
tools: server, client, and relay agent.") tools: server, client, and relay agent.")
(license license:isc))) (license license:isc))))
(define-public libpcap (define-public libpcap
(package (package
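Review bot: The exit status of the extraction step `(system* "tar" "xf" "bind.tar.gz")` in the new 'post-configure' phase is discarded, so a failed or truncated extraction of the replaced tarball is not caught where it happens; the phase goes on to `find-files` on a directory that does not exist and only fails at the later repack, with a less informative error. Since this phase now handles a tarball that 'replace-bundled-bind' swapped in from a separate input, failing fast here is worth the one line: `(unless (zero? (system* "tar" "xf" "bind.tar.gz")) (error "failed to extract bind tarball"))`. Relatedly, the five `substitute*` patterns in 'replace-bundled-bind' silently leave `bind/version.tmp` unchanged if a key is absent or named differently; presumably the build then fails when the directory name derived from `bind-version` does not match, but a short comment above the `substitute*` stating that the phase depends on exactly those `MAJORVER`/`MINORVER`/`PATCHVER`/`RELEASETYPE`/`RELEASEVER` keys would make the coupling explicit. The `;; XXX isc-dhcp bundles a copy of bind that has security flaws` comment could also name the CVEs the commit message cites, so the reason for the replacement survives in the package itself.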