[Backport release-24.05] openvpn-auth-ldap: Fix CVE-2024-28820 (#338216)

openvpn-auth-ldap: Fix CVE-2024-28820 (#337962) (cherry picked from commit 1906fbb) Co-authored-by: Simon Hauser <[email protected]>
NixOS · Aug 30, 2024 · 6e99f2a · 6e99f2a
1 parent 702deac
commit 6e99f2a
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/pkgs/tools/networking/openvpn/openvpn-auth-ldap.nix b/pkgs/tools/networking/openvpn/openvpn-auth-ldap.nix
@@ -1,12 +1,14 @@
-{ lib
-, stdenv
-, fetchFromGitHub
-, autoreconfHook
-, gnustep
-, re2c
-, openldap
-, openssl
-, openvpn
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+  fetchpatch2,
+  autoreconfHook,
+  gnustep,
+  re2c,
+  openldap,
+  openssl,
+  openvpn,
 }:
 
 stdenv.mkDerivation rec {
@@ -22,6 +24,11 @@ stdenv.mkDerivation rec {
 
   patches = [
     ./auth-ldap-fix-conftest.patch
+    (fetchpatch2 {
+      name = "fix-cve-2024-28820";
+      url = "https://patch-diff.githubusercontent.com/raw/threerings/openvpn-auth-ldap/pull/92.patch";
+      hash = "sha256-SXuo1D/WywKO5hCsmoeDdTsR7EelxFxJAKmlAQJ6vuE=";
+    })
   ];
 
   nativeBuildInputs = [

diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
@@ -11382,7 +11382,7 @@ with pkgs;
   openvpn_learnaddress = callPackage ../tools/networking/openvpn/openvpn_learnaddress.nix { };
 
   openvpn-auth-ldap = callPackage ../tools/networking/openvpn/openvpn-auth-ldap.nix {
-    stdenv = clangStdenv;
+    inherit (llvmPackages_17) stdenv;
   };
 
   namespaced-openvpn = python3Packages.callPackage ../tools/networking/namespaced-openvpn { };