gnu: isc-dhcp: Update to 4.3.3; update bundled bind to 9.9.8-P2.

Fixes CVE-2015-8000 and CVE-2015-8461.

* gnu/packages/admin.scm (isc-dhcp): Update to 4.3.3.
  [inputs]: Add 'bind-source-tarball'.
  [arguments]: Use modify-phases.  Add 'replace-bundled-bind' phase.
  In 'post-configure' phase, avoid hard-coding version numbers of
  bundled bind.
Mark H Weaver 2015-12-21 19:42:23 -05:00
parent f9a5b18897
commit 6548b1e122
1 changed files with 125 additions and 83 deletions


@ -388,20 +388,51 @@ connection alive.")
(license license:gpl3+)))
(define-public isc-dhcp
(let* ((bind-major-version "9")
(bind-minor-version "9")
(bind-patch-version "8")
(bind-release-type "-P")
(bind-release-version "2")
(bind-version (string-append bind-major-version
"."
bind-minor-version
"."
bind-patch-version
bind-release-type
bind-release-version)))
(package
(name "isc-dhcp")
(version "4.3.1")
(version "4.3.3")
(source (origin
(method url-fetch)
(uri (string-append "http://ftp.isc.org/isc/dhcp/"
version "/dhcp-" version ".tar.gz"))
(sha256
(base32
"1w4s7sni1m9223ya8m2a64lr62845c6xlraprjf8zfx6lylbqv16"))))
"1pjy4lylx7dww1fp2mk5ikya5vxaf97z70279j81n74vn12ljg2m"))))
(build-system gnu-build-system)
(arguments
'(#:phases (alist-cons-after
'configure 'post-configure
`(#:phases
(modify-phases %standard-phases
(add-after 'unpack 'replace-bundled-bind
(lambda* (#:key inputs #:allow-other-keys)
(delete-file "bind/bind.tar.gz")
(copy-file (assoc-ref inputs "bind-source-tarball")
"bind/bind.tar.gz")
(chmod "bind/bind.tar.gz" #o644)
(substitute* "bind/version.tmp"
(("^MAJORVER=.*")
(format #f "MAJORVER=~a\n" ,bind-major-version))
(("^MINORVER=.*")
(format #f "MINORVER=~a\n" ,bind-minor-version))
(("^PATCHVER=.*")
(format #f "PATCHVER=~a\n" ,bind-patch-version))
(("^RELEASETYPE=.*")
(format #f "RELEASETYPE=~a\n" ,bind-release-type))
(("^RELEASEVER=.*")
(format #f "RELEASEVER=~a\n" ,bind-release-version)))
#t))
(add-after 'configure 'post-configure
(lambda* (#:key outputs #:allow-other-keys)
;; Point to the right client script, which will be
;; installed in a later phase.
@ -422,18 +453,18 @@ connection alive.")
(string-append "./configure CONFIG_SHELL="
sh " SHELL=" sh))))
(let ((bind-directory (string-append "bind-" ,bind-version)))
(system* "tar" "xf" "bind.tar.gz")
(for-each patch-shebang
(find-files "bind-9.9.5-P1" ".*"))
(find-files bind-directory ".*"))
(zero? (system* "tar" "cf" "bind.tar.gz"
"bind-9.9.5-P1"
bind-directory
;; avoid non-determinism in the archive
"--sort=name"
"--mtime=@0"
"--owner=root:0"
"--group=root:0"))))
(alist-cons-after
'install 'post-install
"--group=root:0"))))))
(add-after 'install 'post-install
(lambda* (#:key inputs outputs #:allow-other-keys)
;; Install the dhclient script for GNU/Linux and make sure
;; if finds all the programs it needs.
@ -458,8 +489,7 @@ connection alive.")
,(map (lambda (dir)
(string-append dir "/bin:"
dir "/sbin"))
(list inetutils net-tools coreutils sed))))))
%standard-phases))))
(list inetutils net-tools coreutils sed))))))))))
(native-inputs `(("perl" ,perl)))
@ -467,6 +497,18 @@ connection alive.")
("net-tools" ,net-tools)
("iproute" ,iproute)
;; XXX isc-dhcp bundles a copy of bind that has security
;; flaws, so we use a newer version.
("bind-source-tarball"
,(origin
(method url-fetch)
(uri (string-append "http://ftp.isc.org/isc/bind9/"
bind-version
"/bind-" bind-version ".tar.gz"))
(sha256
(base32
"0agkpmpna7s67la13krn4xlhwhdjpazmljxlq0zbjdwnw4k1k17m"))))
;; When cross-compiling, we need the cross Coreutils and sed.
;; Otherwise just use those from %FINAL-INPUTS.
,@(if (%current-target-system)
@ -480,7 +522,7 @@ connection alive.")
"ISC's Dynamic Host Configuration Protocol (DHCP) distribution provides a
reference implementation of all aspects of DHCP, through a suite of DHCP
tools: server, client, and relay agent.")
(license license:isc)))
(license license:isc))))
(define-public libpcap
(package
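Review bot: The `;; XXX isc-dhcp bundles a copy of bind that has security flaws` comment above the new `bind-source-tarball` input does not say which flaws are meant or when the override can be dropped, so a later maintainer cannot tell whether a newer dhcp release makes it unnecessary. Naming the advisories from the commit message would fix that, e.g. `;; XXX The bind bundled with isc-dhcp is affected by CVE-2015-8000 and CVE-2015-8461; drop this input once upstream bundles a fixed bind.` The `bind-*-version` bindings at the top of the `let*` also deserve a one-line comment saying that changing any of them requires refreshing the sha256 under `bind-source-tarball`, because the hash sits far below them and is the only integrity check on a tarball fetched over plain `http://`. In `post-configure`, whose body is only partly visible in these hunks, the status of `(system* "tar" "xf" "bind.tar.gz")` is still discarded; testing it with `zero?` would make a failed extraction stop the phase at that step instead of surfacing later in the re-pack.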