openvpn-auth-ldap: Fix CVE-2024-28820 (#337962)

2024-08-29 18:09:15 +02:00 · 2024-08-29 18:09:15 +02:00 · 1906fbbe6c
commit 1906fbbe6c
parent 120df833b5
2 changed files with 17 additions and 10 deletions
--- a/pkgs/tools/networking/openvpn/openvpn-auth-ldap.nix
+++ b/pkgs/tools/networking/openvpn/openvpn-auth-ldap.nix
@ -1,12 +1,14 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, autoreconfHook
-, gnustep
-, re2c
-, openldap
-, openssl
-, openvpn
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  fetchpatch2,
+  autoreconfHook,
+  gnustep,
+  re2c,
+  openldap,
+  openssl,
+  openvpn,
 }:

 stdenv.mkDerivation rec {
@ -22,6 +24,11 @@ stdenv.mkDerivation rec {

  patches = [
    ./auth-ldap-fix-conftest.patch
+    (fetchpatch2 {
+      name = "fix-cve-2024-28820";
+      url = "https://patch-diff.githubusercontent.com/raw/threerings/openvpn-auth-ldap/pull/92.patch";
+      hash = "sha256-SXuo1D/WywKO5hCsmoeDdTsR7EelxFxJAKmlAQJ6vuE=";
+    })
  ];

  nativeBuildInputs = [
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -11070,7 +11070,7 @@ with pkgs;
  openvpn_learnaddress = callPackage ../tools/networking/openvpn/openvpn_learnaddress.nix { };

  openvpn-auth-ldap = callPackage ../tools/networking/openvpn/openvpn-auth-ldap.nix {
-    stdenv = clangStdenv;
+    inherit (llvmPackages_17) stdenv;
  };

  namespaced-openvpn = python3Packages.callPackage ../tools/networking/namespaced-openvpn { };