From b5f5cc6d4417391394c7b513bf45a171a1b99c9b Mon Sep 17 00:00:00 2001 From: ajs124 Date: Wed, 15 Dec 2021 17:52:58 +0000 Subject: ipsecTools: drop --- .../linux/ipsec-tools/CVE-2015-4047.patch | 16 -- .../linux/ipsec-tools/CVE-2016-10396.patch | 193 --------------------- pkgs/os-specific/linux/ipsec-tools/default.nix | 49 ------ .../dont-create-localstatedir-during-install.patch | 13 -- pkgs/top-level/aliases.nix | 1 + pkgs/top-level/all-packages.nix | 5 - 6 files changed, 1 insertion(+), 276 deletions(-) delete mode 100644 pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch delete mode 100644 pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch delete mode 100644 pkgs/os-specific/linux/ipsec-tools/default.nix delete mode 100644 pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch diff --git a/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch b/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch deleted file mode 100644 index 00c23c6cac1..00000000000 --- a/pkgs/os-specific/linux/ipsec-tools/CVE-2015-4047.patch +++ /dev/null @@ -1,16 +0,0 @@ -Index: pkg-ipsec-tools/src/racoon/gssapi.c -=================================================================== ---- pkg-ipsec-tools.orig/src/racoon/gssapi.c -+++ pkg-ipsec-tools/src/racoon/gssapi.c -@@ -192,6 +192,11 @@ gssapi_init(struct ph1handle *iph1) - gss_name_t princ, canon_princ; - OM_uint32 maj_stat, min_stat; - -+ if (iph1->rmconf == NULL) { -+ plog(LLV_ERROR, LOCATION, NULL, "no remote config\n"); -+ return -1; -+ } -+ - gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state)); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n"); diff --git a/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch b/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch deleted file mode 100644 index b644d46f8c9..00000000000 --- a/pkgs/os-specific/linux/ipsec-tools/CVE-2016-10396.patch +++ /dev/null 
@@ -1,193 +0,0 @@ -From: Antoine_Beaupre -Acked-by: Jiri Bohac -Subject: PR/51682: Avoid DoS with fragment out of order insertion; keep fragments sorted in the list. -References: bsc#1047443, CVE-2016-10396 - - - -Index: a/src/racoon/handler.h -=================================================================== ---- a/src/racoon/handler.h.orig 2018-01-26 18:05:21.114764376 +0100 -+++ a/src/racoon/handler.h 2018-01-26 18:05:33.986741103 +0100 -@@ -141,6 +141,7 @@ struct ph1handle { - #endif - #ifdef ENABLE_FRAG - int frag; /* IKE phase 1 fragmentation */ -+ int frag_last_index; - struct isakmp_frag_item *frag_chain; /* Received fragments */ - #endif - -Index: a/src/racoon/isakmp.c -=================================================================== ---- a/src/racoon/isakmp.c.orig 2018-01-26 18:05:21.118764369 +0100 -+++ a/src/racoon/isakmp.c 2018-01-26 18:05:33.986741103 +0100 -@@ -1069,6 +1069,7 @@ isakmp_ph1begin_i(rmconf, remote, local) - iph1->frag = 1; - else - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -@@ -1173,6 +1174,7 @@ isakmp_ph1begin_r(msg, remote, local, et - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - iph1->approval = NULL; -Index: a/src/racoon/isakmp_frag.c -=================================================================== ---- a/src/racoon/isakmp_frag.c.orig 2018-01-26 18:05:21.118764369 +0100 -+++ a/src/racoon/isakmp_frag.c 2018-01-26 18:05:33.986741103 +0100 -@@ -173,6 +173,43 @@ vendorid_frag_cap(gen) - return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]); - } - -+static int -+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item) -+{ -+ struct isakmp_frag_item *pitem = NULL; -+ struct isakmp_frag_item *citem = iph1->frag_chain; -+ -+ /* no frag yet, just insert at beginning of list */ -+ if (iph1->frag_chain == NULL) { -+ iph1->frag_chain = item; -+ return 0; -+ } -+ -+ do { -+ /* duplicate 
fragment number, abort (CVE-2016-10396) */ -+ if (citem->frag_num == item->frag_num) -+ return -1; -+ -+ /* need to insert before current item */ -+ if (citem->frag_num > item->frag_num) { -+ if (pitem != NULL) -+ pitem->frag_next = item; -+ else -+ /* insert at the beginning of the list */ -+ iph1->frag_chain = item; -+ item->frag_next = citem; -+ return 0; -+ } -+ -+ pitem = citem; -+ citem = citem->frag_next; -+ } while (citem != NULL); -+ -+ /* we reached the end of the list, insert */ -+ pitem->frag_next = item; -+ return 0; -+} -+ - int - isakmp_frag_extract(iph1, msg) - struct ph1handle *iph1; -@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg) - item->frag_next = NULL; - item->frag_packet = buf; - -- /* Look for the last frag while inserting the new item in the chain */ -- if (item->frag_last) -- last_frag = item->frag_num; -+ /* Check for the last frag before inserting the new item in the chain */ -+ if (item->frag_last) { -+ /* if we have the last fragment, indices must match */ -+ if (iph1->frag_last_index != 0 && -+ item->frag_last != iph1->frag_last_index) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated last fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; -+ } - -- if (iph1->frag_chain == NULL) { -- iph1->frag_chain = item; -- } else { -- struct isakmp_frag_item *current; -+ last_frag = iph1->frag_last_index = item->frag_num; -+ } - -- current = iph1->frag_chain; -- while (current->frag_next) { -- if (current->frag_last) -- last_frag = item->frag_num; -- current = current->frag_next; -- } -- current->frag_next = item; -+ /* insert fragment into chain */ -+ if (isakmp_frag_insert(iph1, item) == -1) { -+ plog(LLV_ERROR, LOCATION, NULL, -+ "Repeated fragment index mismatch\n"); -+ racoon_free(item); -+ vfree(buf); -+ return -1; - } - -- /* If we saw the last frag, check if the chain is complete */ -+ /* If we saw the last frag, check if the chain is complete -+ * we have a sorted list now, so just walk through */ - if 
(last_frag != 0) { -+ item = iph1->frag_chain; - for (i = 1; i <= last_frag; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -+ if (item->frag_num != i) -+ break; -+ item = item->frag_next; - if (item == NULL) /* Not found */ - break; - } - -- if (item != NULL) /* It is complete */ -+ if (i > last_frag) /* It is complete */ - return 1; - } - -@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1) - } - data = buf->v; - -+ item = iph1->frag_chain; - for (i = 1; i <= frag_count; i++) { -- item = iph1->frag_chain; -- do { -- if (item->frag_num == i) -- break; -- item = item->frag_next; -- } while (item != NULL); -- -- if (item == NULL) { -+ if (item->frag_num != i) { - plog(LLV_ERROR, LOCATION, NULL, - "Missing fragment #%d\n", i); - vfree(buf); -@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1) - } - memcpy(data, item->frag_packet->v, item->frag_packet->l); - data += item->frag_packet->l; -+ item = item->frag_next; - } - - out: - - -diff -u -p -r1.50 -r1.51 ---- a/src/racoon/isakmp_inf.c 2013/04/12 09:53:10 1.50 -+++ a/src/racoon/isakmp_inf.c 2017/01/24 19:23:56 1.51 -@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca - #endif - #ifdef ENABLE_FRAG - iph1->frag = 0; -+ iph1->frag_last_index = 0; - iph1->frag_chain = NULL; - #endif - diff --git a/pkgs/os-specific/linux/ipsec-tools/default.nix b/pkgs/os-specific/linux/ipsec-tools/default.nix deleted file mode 100644 index f10364121a4..00000000000 --- a/pkgs/os-specific/linux/ipsec-tools/default.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{ lib, stdenv, fetchurl, fetchpatch, linuxHeaders, readline, openssl, flex, libkrb5, pam }: - -# TODO: These tools are supposed to work under NetBSD and FreeBSD as -# well, so I guess it's not appropriate to place this expression in -# "os-specific/linux/ipsec-tools". Since I cannot verify that the -# expression actually builds on those platforms, I'll leave it here for -# the time being. - -stdenv.mkDerivation rec { - pname = "ipsec-tools"; - version = "0.8.2"; - - src = fetchurl { - url = "mirror://sourceforge/ipsec-tools/ipsec-tools-${version}.tar.bz2"; - sha256 = "0b9gfbz78k2nj0k7jdlm5kajig628ja9qm0z5yksiwz22s3v7dlf"; - }; - - buildInputs = [ readline openssl flex libkrb5 pam ]; - - patches = [ - ./dont-create-localstatedir-during-install.patch - ./CVE-2015-4047.patch - ./CVE-2016-10396.patch - ]; - - # fix build with newer gcc versions - preConfigure = ''substituteInPlace configure --replace "-Werror" "" ''; - - configureFlags = [ - "--sysconfdir=/etc --localstatedir=/var" - "--with-kernel-headers=${linuxHeaders}/include" - "--disable-security-context" - "--enable-adminport" - "--enable-dpd" - "--enable-frag" - "--enable-gssapi" - "--enable-hybrid" - "--enable-natt" - "--enable-shared" - "--enable-stats" - ]; - - meta = with lib; { - homepage = "http://ipsec-tools.sourceforge.net/"; - description = "Port of KAME's IPsec utilities to the Linux-2.6 IPsec implementation"; - license = licenses.bsd3; - platforms = platforms.linux; - }; -} diff --git a/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch b/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch deleted file mode 100644 index 16b80c36d6a..00000000000 --- a/pkgs/os-specific/linux/ipsec-tools/dont-create-localstatedir-during-install.patch +++ /dev/null 
@@ -1,13 +0,0 @@ -diff -ubr ipsec-tools-0.8.0-orig/src/racoon/Makefile.in ipsec-tools-0.8.0/src/racoon/Makefile.in ---- ipsec-tools-0.8.0-orig/src/racoon/Makefile.in 2012-10-20 13:01:07.700903316 +0200 -+++ ipsec-tools-0.8.0/src/racoon/Makefile.in 2012-10-20 13:01:13.177832616 +0200 -@@ -1085,9 +1085,6 @@ - uninstall-sbinPROGRAMS - - --install-exec-local: -- ${mkinstalldirs} $(DESTDIR)${adminsockdir} -- - # special object rules - crypto_openssl_test.o: crypto_openssl.c - $(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 060f2c06875..e899b3c67b2 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -412,6 +412,7 @@ mapAliases ({ inotifyTools = inotify-tools; inter-ui = inter; # added 2021-03-27 iproute = iproute2; # moved from top-level 2021-03-14 + ipsecTools = throw "ipsecTools has benn removed, because it was no longer maintained upstream"; # added 2021-12-15 i-score = throw "i-score has been removed: abandoned upstream."; # added 2020-11-21 jack2Full = jack2; # moved from top-level 2021-03-14 jamomacore = throw "jamomacore has been removed: abandoned upstream."; # added 2020-11-21 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 759870ec571..264e1cede9e 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -8641,11 +8641,6 @@ with pkgs; pngout = callPackage ../tools/graphics/pngout { }; - ipsecTools = callPackage ../os-specific/linux/ipsec-tools { - flex = flex_2_5_35; - openssl = openssl_1_0_2; - }; - patch = gnupatch; patchage = callPackage ../applications/audio/patchage { }; -- cgit 1.4.1
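Review bot: The throw message added in the aliases.nix hunk has a typo in user-facing text, `benn` for `been`; since this string is exactly what anyone still referencing the attribute will see at evaluation time, the line should read `ipsecTools = throw "ipsecTools has been removed, because it was no longer maintained upstream"; # added 2021-12-15`. The deleted default.nix and all-packages.nix hunks show the derivation was pinned to `openssl_1_0_2` and carried locally maintained CVE-2015-4047 and CVE-2016-10396 patches, which is the stronger security reason for dropping it; stating that in the message would make the removal self-explanatory and discourage users from simply re-vendoring the 0.8.2 tarball without those fixes. If nixpkgs has a recommended replacement IKE daemon, naming it in the message would also help migration, though nothing in this diff indicates which one that would be.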