From 0406434baaf180af51c02c2cee02d972356047b3 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Thu, 25 Apr 2019 04:35:50 +0200 Subject: gnu: bind: Update to 9.12.4-P1 [fixes CVE-2018-5743, CVE-2019-6467]. * gnu/packages/dns.scm (isc-bind): Update to 9.12.4-P1. [source]: Add patch. [inputs]: Add python and python-ply. * packages/patches/bind-fix-unused-pk11-ecc-constants.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/packages/dns.scm | 11 ++++-- .../bind-fix-unused-pk11-ecc-constants.patch | 43 ++++++++++++++++++++++ 2 files changed, 51 insertions(+), 3 deletions(-) create mode 100644 gnu/packages/patches/bind-fix-unused-pk11-ecc-constants.patch (limited to 'gnu/packages') diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm index 24b6384eab..6a8f49fbe8 100644 --- a/gnu/packages/dns.scm +++ b/gnu/packages/dns.scm @@ -51,6 +51,7 @@ #:use-module (gnu packages pkg-config) #:use-module (gnu packages protobuf) #:use-module (gnu packages python) + #:use-module (gnu packages python-xyz) #:use-module (gnu packages swig) #:use-module (gnu packages tls) #:use-module (gnu packages web) @@ -106,7 +107,7 @@ and BOOTP/TFTP for network booting of diskless machines.") (define-public isc-bind (package (name "bind") - (version "9.12.3-P4") + (version "9.12.4-P1") (source (origin (method url-fetch) (uri (string-append @@ -114,7 +115,9 @@ and BOOTP/TFTP for network booting of diskless machines.") "/bind-" version ".tar.gz")) (sha256 (base32 - "01pj47z5582rd538dmbzf1msw4jc8j4zr0zx4ciy88r6qr9l80fi")))) + "1if7zc5gzrfd28csc63v9bjwrc0rgvm1x9yx058946hc5gp5lyp2")) + (patches + (search-patches "bind-fix-unused-pk11-ecc-constants.patch")))) (build-system gnu-build-system) (outputs `("out" "utils")) (inputs @@ -122,7 +125,9 @@ and BOOTP/TFTP for network booting of diskless machines.") `(("libcap" ,libcap) ("libxml2" ,libxml2) ("openssl" ,openssl) - ("p11-kit" ,p11-kit))) + ("p11-kit" ,p11-kit) + ("python" ,python) + ("python-ply" ,python-ply))) (native-inputs `(("perl" ,perl) ("net-tools" ,net-tools))) (arguments diff --git a/gnu/packages/patches/bind-fix-unused-pk11-ecc-constants.patch b/gnu/packages/patches/bind-fix-unused-pk11-ecc-constants.patch new file mode 100644 index 0000000000..ab7cc83684 --- /dev/null +++ b/gnu/packages/patches/bind-fix-unused-pk11-ecc-constants.patch @@ -0,0 +1,43 @@ +From: Tobias Geerinckx-Rice +Date: Thu, 25 Apr 2019 04:36:52 +0200 +Subject: [PATCH] gnu: bind: Fix unused PKCS#11 ECC constants. + +Without this patch, the build fails: + + pkcs11-keygen.c: In function ‘main’: + pkcs11-keygen.c:424:32: error: ‘pk11_ecc_prime256v1’ undeclared (first use in this function) + public_template[4].pValue = pk11_ecc_prime256v1; + ^ + pkcs11-keygen.c:424:32: note: each undeclared identifier is reported only once for each function it appears in + pkcs11-keygen.c:428:32: error: ‘pk11_ecc_secp384r1’ undeclared (first use in this function) + public_template[4].pValue = pk11_ecc_secp384r1; + ^ + make[2]: *** [Makefile:217: pkcs11-keygen.o] Error 1 + +Fix copied verbatim from upstream[0]. + +[0]: https://gitlab.isc.org/isc-projects/bind9/issues/935 + +--- +--- orig-bind-9.11.6/bin/pkcs11/pkcs11-keygen.c 2019-02-27 15:28:15.000000000 -0800 ++++ bind-9.11.6/bin/pkcs11/pkcs11-keygen.c 2019-03-11 09:20:50.955257469 -0700 +@@ -403,6 +403,10 @@ + public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize; + break; + case key_ecc: ++#if !defined(HAVE_PKCS11_ECDSA) ++ fprintf(stderr, "prime256v1 and secp3841r1 is not supported\n"); ++ usage(); ++#else + op_type = OP_EC; + if (bits == 0) + bits = 256; +@@ -429,7 +433,7 @@ + public_template[4].ulValueLen = + sizeof(pk11_ecc_secp384r1); + } +- ++#endif + break; + case key_ecx: + #if !defined(CKM_EDDSA_KEY_PAIR_GEN) -- cgit v1.2.3