From 95f9db8d5fa86804a7f132590a583306446825df Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Tue, 6 Dec 2022 22:36:17 +0100
Subject: [PATCH] modsecurity_standalone: 2.9.3 -> 2.9.6

Fixes CVE-2021-42717.

https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.5
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.4
---
 .../security/modsecurity/Makefile.am.patch | 17 +++++++++++++++
 .../security/modsecurity/Makefile.in.patch | 17 ---------------
 pkgs/tools/security/modsecurity/default.nix | 21 ++++++++++++-------
 3 files changed, 30 insertions(+), 25 deletions(-)
 create mode 100644 pkgs/tools/security/modsecurity/Makefile.am.patch
 delete mode 100644 pkgs/tools/security/modsecurity/Makefile.in.patch

diff --git a/pkgs/tools/security/modsecurity/Makefile.am.patch b/pkgs/tools/security/modsecurity/Makefile.am.patch
new file mode 100644
index 000000000000..6f2e2ed36454
--- /dev/null
+++ b/pkgs/tools/security/modsecurity/Makefile.am.patch
@@ -0,0 +1,17 @@
+--- a/apache2/Makefile.am
++++ b/apache2/Makefile.am
+@@ -179,7 +179,6 @@ install-exec-hook: $(pkglib_LTLIBRARIES)
+ for m in $(pkglib_LTLIBRARIES); do \
+ base=`echo $$m | sed 's/\..*//'`; \
+ rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
+- install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES)/$$base.so; \
+ done
+ else
+ install-exec-hook: $(pkglib_LTLIBRARIES)
+@@ -187,6 +186,5 @@ install-exec-hook: $(pkglib_LTLIBRARIES)
+ for m in $(pkglib_LTLIBRARIES); do \
+ base=`echo $$m | sed 's/\..*//'`; \
+ rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
+- cp -p $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES); \
+ done
+ endif
diff --git a/pkgs/tools/security/modsecurity/Makefile.in.patch b/pkgs/tools/security/modsecurity/Makefile.in.patch
deleted file mode 100644
index 98384c754ce7..000000000000
--- a/pkgs/tools/security/modsecurity/Makefile.in.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/apache2/Makefile.in 2017-10-10 09:45:51.000000000 -0400
-+++ b/apache2/Makefile.in 2017-10-10 09:46:04.000000000 -0400
-@@ -1208,14 +1208,12 @@
- @LINUX_TRUE@ for m in $(pkglib_LTLIBRARIES); do \
- @LINUX_TRUE@ base=`echo $$m | sed 's/\..*//'`; \
- @LINUX_TRUE@ rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
--@LINUX_TRUE@ install -D -m444 $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES)/$$base.so; \
- @LINUX_TRUE@ done
- @LINUX_FALSE@install-exec-hook: $(pkglib_LTLIBRARIES)
- @LINUX_FALSE@ @echo "Removing unused static libraries..."; \
- @LINUX_FALSE@ for m in $(pkglib_LTLIBRARIES); do \
- @LINUX_FALSE@ base=`echo $$m | sed 's/\..*//'`; \
- @LINUX_FALSE@ rm -f $(DESTDIR)$(pkglibdir)/$$base.*a; \
--@LINUX_FALSE@ cp -p $(DESTDIR)$(pkglibdir)/$$base.so $(DESTDIR)$(APXS_MODULES); \
- @LINUX_FALSE@ done
- 
- # Tell versions [3.59,3.63) of GNU make to not export all variables.
diff --git a/pkgs/tools/security/modsecurity/default.nix b/pkgs/tools/security/modsecurity/default.nix
index 1bbefd1342c3..431a6f9338ea 100644
--- a/pkgs/tools/security/modsecurity/default.nix
+++ b/pkgs/tools/security/modsecurity/default.nix
@@ -1,6 +1,6 @@
-{ stdenv, lib, fetchurl, pkg-config
+{ stdenv, lib, fetchFromGitHub, pkg-config, autoreconfHook
 , curl, apacheHttpd, pcre, apr, aprutil, libxml2
-, luaSupport ? false, lua5
+, luaSupport ? false, lua5, perl
 }:
 with lib;
@@ -11,14 +11,16 @@ in
 stdenv.mkDerivation rec {
 pname = "modsecurity";
- version = "2.9.3";
+ version = "2.9.6";
- src = fetchurl {
- url = "https://www.modsecurity.org/tarball/${version}/${pname}-${version}.tar.gz";
- sha256 = "0611nskd2y6yagrciqafxdn4rxbdk2v4swf45kc1sgwx2sfh34j1";
+ src = fetchFromGitHub {
+ owner = "SpiderLabs";
+ repo = pname;
+ rev = "v${version}";
+ sha256 = "sha256-C/D/UWaI4GsXjfhLmNnYhRJoUvlsps1551SqhmZUc/4=";
 };
- nativeBuildInputs = [ pkg-config ];
+ nativeBuildInputs = [ pkg-config autoreconfHook ];
 buildInputs = [ curl apacheHttpd pcre apr aprutil libxml2 ] ++ optional luaSupport lua5;
@@ -37,7 +39,10 @@ stdenv.mkDerivation rec {
 outputs = ["out" "nginx"];
 # by default modsecurity's install script copies compiled output to httpd's modules folder
 # this patch removes those lines
- patches = [ ./Makefile.in.patch ];
+ patches = [ ./Makefile.am.patch ];
+
+ doCheck = true;
+ checkInputs = [ perl ];
 postInstall = ''
 mkdir -p $nginx
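Review bot: `repo = pname;` in the new `fetchFromGitHub` block ties the source location to the package name, while the upstream repository is spelled `SpiderLabs/ModSecurity` in the release links of the commit message and the commit subject already refers to the attribute as `modsecurity_standalone`; a later change to `pname` would silently change what is fetched. Spelling the repository out, `repo = "ModSecurity";`, keeps the source pinned independently of the package name. The SRI hash still pins the fetched tree, so this is a maintainability point rather than a correctness one.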
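Review bot: The added `doCheck = true;` and `checkInputs = [ perl ];` carry no comment saying why the check phase needs perl, although the neighbouring `patches` line documents its reason; presumably the upstream regression tests are Perl scripts — confirm against the test directory of the 2.9.6 tree — so a one-line `# the upstream regression test suite is driven by Perl scripts` above `doCheck` would explain the dependency. Since this hunk shows no check phase on the old side, the comment could also record that the tests were actually exercised in this bump.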