tcpdump: fix multiple CVEs

Fixes CVE-2017-11541, CVE-2017-11542, CVE-2017-11543. Also fixes a segfault if built with openssl 1.1.
2017-09-05 13:07:11 +02:00 · 2017-09-05 13:07:11 +02:00 · a46f206271
commit a46f206271
parent f8ff9a783f
1 changed files with 20 additions and 1 deletions
--- a/pkgs/tools/networking/tcpdump/default.nix
+++ b/pkgs/tools/networking/tcpdump/default.nix
@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, libpcap, enableStatic ? false
+{ stdenv, fetchFromGitHub, fetchpatch, libpcap, enableStatic ? false
 , hostPlatform
 }:

@ -13,6 +13,25 @@ stdenv.mkDerivation rec {
    sha256 = "1vzrvn1q7x28h18yskqc390y357pzpg5xd3pzzj4xz3llnvsr64p";
  };

+  patches = [
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11541.patch";
+      sha256 = "1lqg4lbyddnv75wpj0rs2sxz4lb3d1vp8n385i27mrpcxw9qaxia";
+    })
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11542.patch";
+      sha256 = "0vqgmw9i5vr3d4siyrh8mw60jdmp5r66rbjxfmbnwhlfjf4bwxz4";
+    })
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-CVE-2017-11543.patch";
+      sha256 = "1vk9ncpx0qjja8l69xw5kkvgy9fkcii2n98diazv1yndln2cs26l";
+    })
+    (fetchpatch {
+      url = "http://www.tcpdump.org/pre-4.9.2/PUBLISHED-OpenSSL-1.1-segfault.patch";
+      sha256 = "0mw0jdj5nyg4sviqj7wxwf2492b2bdqmjrvf1k34ak417xfcvy1d";
+    })
+  ];
+
  buildInputs = [ libpcap ];

  crossAttrs = {