gnu: bind: Update to 9.12.4-P1 [fixes CVE-2018-5743, CVE-2019-6467].

* gnu/packages/dns.scm (isc-bind): Update to 9.12.4-P1. [source]: Add patch. [inputs]: Add python and python-ply. * packages/patches/bind-fix-unused-pk11-ecc-constants.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it.
2019-04-25 04:35:50 +02:00 · 2019-04-25 04:35:50 +02:00 · 0406434baa
commit 0406434baa
parent 9b19734c50
3 changed files with 52 additions and 3 deletions
--- a/gnu/local.mk
+++ b/gnu/local.mk
@ -682,6 +682,7 @@ dist_patch_DATA =						\
  %D%/packages/patches/beets-python-3.7-fix.patch		\
  %D%/packages/patches/beignet-correct-file-names.patch		\
  %D%/packages/patches/biber-fix-encoding-write.patch		\
+  %D%/packages/patches/bind-fix-unused-pk11-ecc-constants.patch	\
  %D%/packages/patches/binutils-loongson-workaround.patch	\
  %D%/packages/patches/blender-2.79-newer-ffmpeg.patch		\
  %D%/packages/patches/blender-2.79-python-3.7-fix.patch	\
--- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@ -51,6 +51,7 @@
  #:use-module (gnu packages pkg-config)
  #:use-module (gnu packages protobuf)
  #:use-module (gnu packages python)
+  #:use-module (gnu packages python-xyz)
  #:use-module (gnu packages swig)
  #:use-module (gnu packages tls)
  #:use-module (gnu packages web)
@ -106,7 +107,7 @@ and BOOTP/TFTP for network booting of diskless machines.")
 (define-public isc-bind
  (package
    (name "bind")
-    (version "9.12.3-P4")
+    (version "9.12.4-P1")
    (source (origin
              (method url-fetch)
              (uri (string-append
@ -114,7 +115,9 @@ and BOOTP/TFTP for network booting of diskless machines.")
                    "/bind-" version ".tar.gz"))
              (sha256
               (base32
-                "01pj47z5582rd538dmbzf1msw4jc8j4zr0zx4ciy88r6qr9l80fi"))))
+                "1if7zc5gzrfd28csc63v9bjwrc0rgvm1x9yx058946hc5gp5lyp2"))
+              (patches
+               (search-patches "bind-fix-unused-pk11-ecc-constants.patch"))))
    (build-system gnu-build-system)
    (outputs `("out" "utils"))
    (inputs
@ -122,7 +125,9 @@ and BOOTP/TFTP for network booting of diskless machines.")
     `(("libcap" ,libcap)
       ("libxml2" ,libxml2)
       ("openssl" ,openssl)
-       ("p11-kit" ,p11-kit)))
+       ("p11-kit" ,p11-kit)
+       ("python" ,python)
+       ("python-ply" ,python-ply)))
    (native-inputs `(("perl" ,perl)
                     ("net-tools" ,net-tools)))
    (arguments
--- a/gnu/packages/patches/bind-fix-unused-pk11-ecc-constants.patch
+++ b/gnu/packages/patches/bind-fix-unused-pk11-ecc-constants.patch
@ -0,0 +1,43 @@
+From: Tobias Geerinckx-Rice <me@tobias.gr>
+Date: Thu, 25 Apr 2019 04:36:52 +0200
+Subject: [PATCH] gnu: bind: Fix unused PKCS#11 ECC constants.
+
+Without this patch, the build fails:
+
+  pkcs11-keygen.c: In function ‘main’:
+  pkcs11-keygen.c:424:32: error: ‘pk11_ecc_prime256v1’ undeclared (first use in this function)
+      public_template[4].pValue = pk11_ecc_prime256v1;
+                                  ^
+  pkcs11-keygen.c:424:32: note: each undeclared identifier is reported only once for each function it appears in
+  pkcs11-keygen.c:428:32: error: ‘pk11_ecc_secp384r1’ undeclared (first use in this function)
+      public_template[4].pValue = pk11_ecc_secp384r1;
+                                  ^
+  make[2]: *** [Makefile:217: pkcs11-keygen.o] Error 1
+
+Fix copied verbatim from upstream[0].
+
+[0]: https://gitlab.isc.org/isc-projects/bind9/issues/935
+
+---
+--- orig-bind-9.11.6/bin/pkcs11/pkcs11-keygen.c	2019-02-27 15:28:15.000000000 -0800
+++ bind-9.11.6/bin/pkcs11/pkcs11-keygen.c	2019-03-11 09:20:50.955257469 -0700
+@@ -403,6 +403,10 @@
+ 		public_template[RSA_PUBLIC_EXPONENT].ulValueLen = expsize;
+ 		break;
+ 	case key_ecc:
+#if !defined(HAVE_PKCS11_ECDSA)
+		fprintf(stderr, "prime256v1 and secp3841r1 is not supported\n");
+		usage();
+#else
+ 		op_type = OP_EC;
+ 		if (bits == 0)
+ 			bits = 256;
+@@ -429,7 +433,7 @@
+ 			public_template[4].ulValueLen =
+ 				sizeof(pk11_ecc_secp384r1);
+ 		}
+-
+#endif
+ 		break;
+ 	case key_ecx:
+ #if !defined(CKM_EDDSA_KEY_PAIR_GEN)