summary refs log tree commit diff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-12-21 19:42:23 -0500
committerMark H Weaver <mhw@netris.org>2015-12-21 19:47:27 -0500
commit6548b1e122c75532f5bebd9ce105f66f38d170de (patch)
tree46620f81194261667fa5da3e800f391c3d23adbb
parentf9a5b1889714cbfbc7ca84b22e4290d2cd4b084c (diff)
downloadguix-6548b1e122c75532f5bebd9ce105f66f38d170de.tar.gz
gnu: isc-dhcp: Update to 4.3.3; update bundled bind to 9.9.8-P2.
Fixes CVE-2015-8000 and CVE-2015-8461.

* gnu/packages/admin.scm (isc-dhcp): Update to 4.3.3.
  [inputs]: Add 'bind-source-tarball'.
  [arguments]: Use modify-phases.  Add 'replace-bundled-bind' phase.
  In 'post-configure' phase, avoid hard-coding version numbers of
  bundled bind.
-rw-r--r--gnu/packages/admin.scm224
1 files changed, 133 insertions, 91 deletions
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index ee275f7251..a574c84a61 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -388,99 +388,141 @@ connection alive.")
     (license license:gpl3+)))
 
 (define-public isc-dhcp
-  (package
-    (name "isc-dhcp")
-    (version "4.3.1")
-    (source (origin
-              (method url-fetch)
-              (uri (string-append "http://ftp.isc.org/isc/dhcp/"
-                                  version "/dhcp-" version ".tar.gz"))
-              (sha256
-               (base32
-                "1w4s7sni1m9223ya8m2a64lr62845c6xlraprjf8zfx6lylbqv16"))))
-    (build-system gnu-build-system)
-    (arguments
-     '(#:phases (alist-cons-after
-                 'configure 'post-configure
-                 (lambda* (#:key outputs #:allow-other-keys)
-                   ;; Point to the right client script, which will be
-                   ;; installed in a later phase.
-                   (substitute* "includes/dhcpd.h"
-                     (("#define[[:blank:]]+_PATH_DHCLIENT_SCRIPT.*")
-                      (let ((out (assoc-ref outputs "out")))
-                        (string-append "#define _PATH_DHCLIENT_SCRIPT \""
-                                       out "/libexec/dhclient-script"
-                                       "\"\n"))))
-
-                   ;; During the 'build' phase, 'bind.tar.gz' is extracted, so
-                   ;; we must patch shebangs in there and make sure the right
-                   ;; shell is used.
-                   (with-directory-excursion "bind"
-                     (substitute* "Makefile"
-                       (("\\./configure")
-                        (let ((sh (which "sh")))
-                          (string-append "./configure CONFIG_SHELL="
-                                         sh " SHELL=" sh))))
-
-                     (system* "tar" "xf" "bind.tar.gz")
-                     (for-each patch-shebang
-                               (find-files "bind-9.9.5-P1" ".*"))
-                     (zero? (system* "tar" "cf" "bind.tar.gz"
-                                     "bind-9.9.5-P1"
-                                     ;; avoid non-determinism in the archive
-                                     "--sort=name"
-                                     "--mtime=@0"
-                                     "--owner=root:0"
-                                     "--group=root:0"))))
-                 (alist-cons-after
-                  'install 'post-install
-                  (lambda* (#:key inputs outputs #:allow-other-keys)
-                    ;; Install the dhclient script for GNU/Linux and make sure
-                    ;; if finds all the programs it needs.
-                    (let* ((out       (assoc-ref outputs "out"))
-                           (libexec   (string-append out "/libexec"))
-                           (coreutils (assoc-ref inputs "coreutils"))
-                           (inetutils (assoc-ref inputs "inetutils"))
-                           (net-tools (assoc-ref inputs "net-tools"))
-                           (sed       (assoc-ref inputs "sed")))
-                      (substitute* "client/scripts/linux"
-                        (("/sbin/ip")
-                         (string-append (assoc-ref inputs "iproute")
-                                        "/sbin/ip")))
-
-                      (mkdir-p libexec)
-                      (copy-file "client/scripts/linux"
-                                 (string-append libexec "/dhclient-script"))
-
-                      (wrap-program
-                          (string-append libexec "/dhclient-script")
-                        `("PATH" ":" prefix
-                          ,(map (lambda (dir)
-                                  (string-append dir "/bin:"
-                                                 dir "/sbin"))
-                                (list inetutils net-tools coreutils sed))))))
-                  %standard-phases))))
-
-    (native-inputs `(("perl" ,perl)))
-
-    (inputs `(("inetutils" ,inetutils)
-              ("net-tools" ,net-tools)
-              ("iproute" ,iproute)
-
-              ;; When cross-compiling, we need the cross Coreutils and sed.
-              ;; Otherwise just use those from %FINAL-INPUTS.
-              ,@(if (%current-target-system)
-                    `(("coreutils" ,coreutils)
-                      ("sed" ,sed))
-                    '())))
-
-    (home-page "http://www.isc.org/products/DHCP/")
-    (synopsis "Dynamic Host Configuration Protocol (DHCP) tools")
-    (description
-     "ISC's Dynamic Host Configuration Protocol (DHCP) distribution provides a
+  (let* ((bind-major-version "9")
+         (bind-minor-version "9")
+         (bind-patch-version "8")
+         (bind-release-type "-P")
+         (bind-release-version "2")
+         (bind-version (string-append bind-major-version
+                                      "."
+                                      bind-minor-version
+                                      "."
+                                      bind-patch-version
+                                      bind-release-type
+                                      bind-release-version)))
+    (package
+      (name "isc-dhcp")
+      (version "4.3.3")
+      (source (origin
+                (method url-fetch)
+                (uri (string-append "http://ftp.isc.org/isc/dhcp/"
+                                    version "/dhcp-" version ".tar.gz"))
+                (sha256
+                 (base32
+                  "1pjy4lylx7dww1fp2mk5ikya5vxaf97z70279j81n74vn12ljg2m"))))
+      (build-system gnu-build-system)
+      (arguments
+       `(#:phases
+         (modify-phases %standard-phases
+           (add-after 'unpack 'replace-bundled-bind
+             (lambda* (#:key inputs #:allow-other-keys)
+               (delete-file "bind/bind.tar.gz")
+               (copy-file (assoc-ref inputs "bind-source-tarball")
+                          "bind/bind.tar.gz")
+               (chmod "bind/bind.tar.gz" #o644)
+               (substitute* "bind/version.tmp"
+                 (("^MAJORVER=.*")
+                  (format #f "MAJORVER=~a\n" ,bind-major-version))
+                 (("^MINORVER=.*")
+                  (format #f "MINORVER=~a\n" ,bind-minor-version))
+                 (("^PATCHVER=.*")
+                  (format #f "PATCHVER=~a\n" ,bind-patch-version))
+                 (("^RELEASETYPE=.*")
+                  (format #f "RELEASETYPE=~a\n" ,bind-release-type))
+                 (("^RELEASEVER=.*")
+                  (format #f "RELEASEVER=~a\n" ,bind-release-version)))
+               #t))
+           (add-after 'configure 'post-configure
+             (lambda* (#:key outputs #:allow-other-keys)
+               ;; Point to the right client script, which will be
+               ;; installed in a later phase.
+               (substitute* "includes/dhcpd.h"
+                 (("#define[[:blank:]]+_PATH_DHCLIENT_SCRIPT.*")
+                  (let ((out (assoc-ref outputs "out")))
+                    (string-append "#define _PATH_DHCLIENT_SCRIPT \""
+                                   out "/libexec/dhclient-script"
+                                   "\"\n"))))
+
+               ;; During the 'build' phase, 'bind.tar.gz' is extracted, so
+               ;; we must patch shebangs in there and make sure the right
+               ;; shell is used.
+               (with-directory-excursion "bind"
+                 (substitute* "Makefile"
+                   (("\\./configure")
+                    (let ((sh (which "sh")))
+                      (string-append "./configure CONFIG_SHELL="
+                                     sh " SHELL=" sh))))
+
+                 (let ((bind-directory (string-append "bind-" ,bind-version)))
+                   (system* "tar" "xf" "bind.tar.gz")
+                   (for-each patch-shebang
+                             (find-files bind-directory ".*"))
+                   (zero? (system* "tar" "cf" "bind.tar.gz"
+                                   bind-directory
+                                   ;; avoid non-determinism in the archive
+                                   "--sort=name"
+                                   "--mtime=@0"
+                                   "--owner=root:0"
+                                   "--group=root:0"))))))
+           (add-after 'install 'post-install
+             (lambda* (#:key inputs outputs #:allow-other-keys)
+               ;; Install the dhclient script for GNU/Linux and make sure
+               ;; if finds all the programs it needs.
+               (let* ((out       (assoc-ref outputs "out"))
+                      (libexec   (string-append out "/libexec"))
+                      (coreutils (assoc-ref inputs "coreutils"))
+                      (inetutils (assoc-ref inputs "inetutils"))
+                      (net-tools (assoc-ref inputs "net-tools"))
+                      (sed       (assoc-ref inputs "sed")))
+                 (substitute* "client/scripts/linux"
+                   (("/sbin/ip")
+                    (string-append (assoc-ref inputs "iproute")
+                                   "/sbin/ip")))
+
+                 (mkdir-p libexec)
+                 (copy-file "client/scripts/linux"
+                            (string-append libexec "/dhclient-script"))
+
+                 (wrap-program
+                     (string-append libexec "/dhclient-script")
+                   `("PATH" ":" prefix
+                     ,(map (lambda (dir)
+                             (string-append dir "/bin:"
+                                            dir "/sbin"))
+                           (list inetutils net-tools coreutils sed))))))))))
+
+      (native-inputs `(("perl" ,perl)))
+
+      (inputs `(("inetutils" ,inetutils)
+                ("net-tools" ,net-tools)
+                ("iproute" ,iproute)
+
+                ;; XXX isc-dhcp bundles a copy of bind that has security
+                ;; flaws, so we use a newer version.
+                ("bind-source-tarball"
+                 ,(origin
+                    (method url-fetch)
+                    (uri (string-append "http://ftp.isc.org/isc/bind9/"
+                                        bind-version
+                                        "/bind-" bind-version ".tar.gz"))
+                    (sha256
+                     (base32
+                      "0agkpmpna7s67la13krn4xlhwhdjpazmljxlq0zbjdwnw4k1k17m"))))
+
+                ;; When cross-compiling, we need the cross Coreutils and sed.
+                ;; Otherwise just use those from %FINAL-INPUTS.
+                ,@(if (%current-target-system)
+                      `(("coreutils" ,coreutils)
+                        ("sed" ,sed))
+                      '())))
+
+      (home-page "http://www.isc.org/products/DHCP/")
+      (synopsis "Dynamic Host Configuration Protocol (DHCP) tools")
+      (description
+       "ISC's Dynamic Host Configuration Protocol (DHCP) distribution provides a
 reference implementation of all aspects of DHCP, through a suite of DHCP
 tools: server, client, and relay agent.")
-    (license license:isc)))
+      (license license:isc))))
 
 (define-public libpcap
   (package