strongswan: patch CVE-2018-16151 & CVE-2018-16152

NixOS · Nov 2, 2018 · f71cc5f · f71cc5f
1 parent a9c8e66
commit f71cc5f
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl
+{ stdenv, fetchurl, fetchpatch
 , pkgconfig, autoreconfHook
 , gmp, python, iptables, ldns, unbound, openssl, pcsclite
 , openresolv
@@ -36,6 +36,17 @@ stdenv.mkDerivation rec {
     ./ext_auth-path.patch
     ./firewall_defaults.patch
     ./updown-path.patch
+
+    (fetchpatch {
+      name = "CVE-2018-16151-and-CVE-2018-16152.patch";
+      url = "https://download.strongswan.org/patches/27_gmp_pkcs1_verify_patch/strongswan-5.6.1-5.6.3_gmp-pkcs1-verify.patch";
+      sha256 = "04a5ql6clig5zq9914i4iyrrxcc36w2hzmwsrl69rxnq8hwhw1ql";
+    })
+    (fetchpatch {
+      name = "fix-for-CVE-2018-16151-and-CVE-2018-16152.patch";
+      url = "https://download.strongswan.org/patches/28_gmp_pkcs1_overflow_patch/strongswan-4.4.0-5.7.0_gmp-pkcs1-overflow.patch";
+      sha256 = "1h8m9rsqzkl71x25h1aavs5xkqm20083law339phfjlrpbjpnizp";
+    })
   ];
 
   postPatch = ''