nixpkgs/pkgs/tools/networking/dropbear/default.nix
Tobias Geerinckx-Rice 7c84bd121a
dropbear: 2016.73 -> 2016.74
Security fixes:
- Message printout was vulnerable to format string injection
- dropbearconvert import of OpenSSH keys could run arbitrary code
  as the local dropbearconvert user when parsing malicious key
  files
- dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided
- dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

Fixes:
- Fix port forwarding failure when connecting to domains that have
  both IPv4 and IPv6 addresses. The bug was introduced in 2015.68
- Fix 100% CPU use while waiting for rekey to complete
2016-07-23 21:29:51 +02:00

45 lines
1.3 KiB
Nix

{ stdenv, fetchurl, zlib, enableStatic ? false,
sftpPath ? "/var/run/current-system/sw/libexec/sftp-server" }:
stdenv.mkDerivation rec {
name = "dropbear-2016.74";
src = fetchurl {
url = "http://matt.ucc.asn.au/dropbear/releases/${name}.tar.bz2";
sha256 = "14c8f4gzixf0j9fkx68jgl85q7b05852kk0vf09gi6h0xmafl817";
};
dontDisableStatic = enableStatic;
configureFlags = stdenv.lib.optional enableStatic "LDFLAGS=-static";
CFLAGS = "-DSFTPSERVER_PATH=\\\"${sftpPath}\\\"";
# http://www.gnu.org/software/make/manual/html_node/Libraries_002fSearch.html
preConfigure = ''
makeFlags=VPATH=`cat $NIX_CC/nix-support/orig-libc`/lib
'';
crossAttrs = {
# This works for uclibc, at least.
preConfigure = ''
makeFlags=VPATH=`cat ${stdenv.ccCross}/nix-support/orig-libc`/lib
'';
};
patches = [
# Allow sessions to inherit the PATH from the parent dropbear.
# Otherwise they only get the usual /bin:/usr/bin kind of PATH
./pass-path.patch
];
buildInputs = [ zlib ];
meta = with stdenv.lib; {
homepage = "http://matt.ucc.asn.au/dropbear/dropbear.html";
description = "A small footprint implementation of the SSH 2 protocol";
license = licenses.mit;
maintainers = with maintainers; [ abbradar ];
platforms = platforms.linux;
};
}