authorMichael Stahl <mstahl@redhat.com>2017-04-20 22:19:45 +0200
committerThorsten Behrens <Thorsten.Behrens@CIB.de>2017-04-25 18:50:06 +0200
commit2ffa1bc41687e69ec286357069300b51f3551721 (patch)
tree0228a3786db03f4f957eea8e5716d5cc1bdb6541
parent7e2ee5ad4aca628b2bfa90b20154f42f42bfe6ba (diff)
nss: upgrade to release 3.29.5
- fixes CVE-2017-5461 and CVE-2017-5462 - drop ubsan-alignment.patch.0, there is apparently now some NO_SANITIZE_ALIGNMENT macro upstream to get this effect - drop some hunks to prevent hard-coding CC/CCC vars, upstream now respects environment vars (but doesn't quote them...) - drop first hunk of ubsan.patch.0, fixed upstream - drop hunk for gtest-internal.h, header looks much newer anyway Reviewed-on: https://gerrit.libreoffice.org/36756 Reviewed-by: Michael Stahl <mstahl@redhat.com> Tested-by: Michael Stahl <mstahl@redhat.com> (cherry picked from commit 0cdf41419af854acccee0f819d4add7e8cafb7dc) Change-Id: I5c484c02c1235e185af1ef5166b069303d3378e1 Reviewed-on: https://gerrit.libreoffice.org/36797 Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> (cherry picked from commit ab79e074c3e5df02023a3f1f58b8ab75c7c060f1) Reviewed-on: https://gerrit.libreoffice.org/36945 Reviewed-by: Markus Mohrhard <markus.mohrhard@googlemail.com> Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de> Tested-by: Thorsten Behrens <Thorsten.Behrens@CIB.de>
-rw-r--r--download.lst3
-rw-r--r--external/nss/ExternalProject_nss.mk1
-rw-r--r--external/nss/nss-ios.patch4
-rw-r--r--external/nss/nss-more-static.patch34
-rw-r--r--external/nss/nss.patch47
-rw-r--r--external/nss/nss.utf8bom.patch.19
-rw-r--r--external/nss/nss.windowbuild.patch.020
-rw-r--r--external/nss/nss_macosx.patch19
-rw-r--r--external/nss/ubsan.patch.012
9 files changed, 53 insertions, 96 deletions
diff --git a/download.lst b/download.lst
index 8858eb06a44e..dcc9639811d3 100644
--- a/download.lst
+++ b/download.lst
@@ -109,7 +109,8 @@ export MWAW_TARBALL := libmwaw-0.3.$(MWAW_VERSION_MICRO).tar.bz2
export MYSQLCPPCONN_TARBALL := 7239a4430efd4d0189c4f24df67f08e5-mysql-connector-c++-1.1.4.tar.gz
export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz
export NEON_TARBALL := 231adebe5c2f78fded3e3df6e958878e-neon-0.30.1.tar.gz
-export NSS_TARBALL := 0e3eee39402386cf16fd7aaa7399ebef-nss-3.27-with-nspr-4.13.tar.gz
+export NSS_MD5SUM := e55ee06b22687df68fafc6a30c0554b2
+export NSS_TARBALL := nss-3.29.5-with-nspr-4.13.1.tar.gz
export ODFGEN_MD5SUM := 32572ea48d9021bbd6fa317ddb697abc
export ODFGEN_VERSION_MICRO := 6
export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.bz2
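Review bot: The new `NSS_MD5SUM` line pins the NSS tarball with an MD5 digest only, which catches a corrupted download but does not resist a deliberately crafted substitute archive. Because this commit exists to pull in fixes for CVE-2017-5461 and CVE-2017-5462, the integrity of the fetched archive deserves a collision-resistant digest such as SHA-256, recorded alongside or instead of the MD5 value. Whether the fetch machinery can verify anything other than `*_MD5SUM` is not visible in this hunk, and the neighbouring `ODFGEN_MD5SUM` line suggests this is a tree-wide convention, so it may need a separate change.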
diff --git a/external/nss/ExternalProject_nss.mk b/external/nss/ExternalProject_nss.mk
index 258e8452c45a..b0e74b80fd28 100644
--- a/external/nss/ExternalProject_nss.mk
+++ b/external/nss/ExternalProject_nss.mk
@@ -76,6 +76,7 @@ $(call gb_ExternalProject_get_state_target,nss,build): $(call gb_ExternalProject
$(MAKE) -j1 AR="$(AR)" \
RANLIB="$(RANLIB)" \
NMEDIT="$(NM)edit" \
+ CCC="$(CXX)" \
$(if $(CROSS_COMPILING),NSPR_CONFIGURE_OPTS="--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM)") \
nss_build_all \
&& rm -f $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/*.a \
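Review bot: The added `CCC="$(CXX)" \` argument has no explanation near it, and it is not obvious that `CCC` is the name NSS uses for the C++ compiler. The same commit removes the `CCC = $(CXX)` assignments from nss.patch and nss_macosx.patch, so this line is now the only place the C++ compiler is handed to the NSS build. A comment above the rule would keep it from being dropped as redundant, for example `# NSS calls the C++ compiler CCC; pass it here because the patches no longer set CCC = $(CXX)`. The recipe begins before this hunk and continues past it, so how `CC` reaches the NSS build cannot be checked from here.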
diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch
index d4107d77f954..9d4af2c724e9 100644
--- a/external/nss/nss-ios.patch
+++ b/external/nss/nss-ios.patch
@@ -52,8 +52,8 @@
--- a/a/nss/coreconf/Darwin.mk
+++ a/a/nss/coreconf/Darwin.mk
@@ -124,7 +124,7 @@
- # May override this with -bundle to create a loadable module.
- DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @__________________________________________________OOO/$(notdir $@) -headerpad_max_install_names
+ DSO_LDOPTS += --coverage
+ endif
-MKSHLIB = $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
+MKSHLIB = touch $@; echo
diff --git a/external/nss/nss-more-static.patch b/external/nss/nss-more-static.patch
index 6b06a4e4a226..26948f0be24c 100644
--- a/external/nss/nss-more-static.patch
+++ b/external/nss/nss-more-static.patch
@@ -9,30 +9,30 @@
/* determine if hybrid platform, then actually load the DSO. */
static PRStatus
@@ -136,9 +136,9 @@
- return PR_FAILURE;
- }
+ return PR_FAILURE;
+ }
-- handle = loader_LoadLibrary(name);
-- if (handle) {
-- PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
-+ handle = 0;
-+ {
-+ PRFuncPtr address = FREEBL_GetVector;
- PRStatus status;
- if (address) {
- FREEBLGetVectorFn * getVector = (FREEBLGetVectorFn *)address;
+- handle = loader_LoadLibrary(name);
+- if (handle) {
+- PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
++ handle = 0;
++ {
++ PRFuncPtr address = FREEBL_GetVector;
+ if (address) {
+ FREEBLGetVectorFn *getVector = (FREEBLGetVectorFn *)address;
+ const FREEBLVector *dsoVector = getVector();
@@ -887,6 +887,7 @@
void
BL_Unload(void)
{
+#if 0
- /* This function is not thread-safe, but doesn't need to be, because it is
- * only called from functions that are also defined as not thread-safe,
- * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
+ /* This function is not thread-safe, but doesn't need to be, because it is
+ * only called from functions that are also defined as not thread-safe,
+ * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
@@ -905,6 +905,7 @@
- blLib = NULL;
- }
- loadFreeBLOnce = pristineCallOnce;
+ }
+ blLib = NULL;
+ loadFreeBLOnce = pristineCallOnce;
+#endif
}
diff --git a/external/nss/nss.patch b/external/nss/nss.patch
index 771ebf59baed..b3b932343d83 100644
--- a/external/nss/nss.patch
+++ b/external/nss/nss.patch
@@ -54,24 +54,16 @@ diff -ru a/nss/cmd/platlibs.mk b/nss/cmd/platlibs.mk
diff -ru nss.orig/nss/coreconf/arch.mk nss/nss/coreconf/arch.mk
--- a/nss.orig/nss/coreconf/arch.mk 2016-02-12 15:36:18.000000000 +0100
+++ b/nss/nss/coreconf/arch.mk 2016-02-23 20:48:31.595941079 +0100
-@@ -280,15 +280,21 @@
- # IMPL_STRATEGY may be defined too.
- #
-
--ifdef CROSS_COMPILE
--OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
--else
--OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
--endif
+@@ -280,11 +280,17 @@
+ OBJDIR_NAME_COMPILER = $(COMPILER_TAG)
+ endif
+ OBJDIR_NAME_BASE = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(OBJDIR_NAME_COMPILER)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG)
+-OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
+# OBJDIR_NAME is used to build the directory containing the built objects, for
+# example mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ
+# We need to deliver the contents of that folder into instdir. To make that
+# easier in the makefile we rename this directory to "out".
-+#ifdef CROSS_COMPILE
-+#OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
-+#else
-+#OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
-+#endif
++#OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
+OBJDIR_NAME = out
@@ -96,20 +88,6 @@ diff -ru a/nss/coreconf/FreeBSD.mk b/nss/coreconf/FreeBSD.mk
diff -ru a/nss/coreconf/Linux.mk b/nss/coreconf/Linux.mk
--- a/a/nss/coreconf/Linux.mk 2014-09-29 16:46:38.189421588 +0100
+++ b/b/nss/coreconf/Linux.mk 2014-09-29 16:47:42.985012235 +0100
-@@ -16,8 +16,11 @@
- IMPL_STRATEGY = _PTH
- endif
-
--CC = gcc
--CCC = g++
-+# CC is taken from environment automatically.
-+#CC = gcc
-+# Use CCC from environment.
-+#CCC = g++
-+CCC = $(CXX)
- RANLIB = ranlib
-
- DEFAULT_COMPILER = gcc
@@ -157,7 +160,7 @@
# against the libsanitizer runtime built into the main executable.
ZDEFS_FLAG = -Wl,-z,defs
@@ -172,6 +150,19 @@ diff -ru a/nss/Makefile b/nss/Makefile
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
+@@ -91,10 +91,10 @@
+ NSPR_CONFIGURE_ENV = CC=gcc CXX=g++
+ endif
+ ifdef CC
+-NSPR_CONFIGURE_ENV = CC=$(CC)
++NSPR_CONFIGURE_ENV = CC="$(CC) "
+ endif
+ ifdef CCC
+-NSPR_CONFIGURE_ENV += CXX=$(CCC)
++NSPR_CONFIGURE_ENV += CXX="$(CCC) "
+ endif
+ # Remove -arch definitions. NSPR can't handle that.
+ NSPR_CONFIGURE_ENV := $(filter-out -arch x86_64,$(NSPR_CONFIGURE_ENV))
diff -ru nss.orig/nss/coreconf/Werror.mk nss/nss/coreconf/Werror.mk
--- a/nss.orig/nss/coreconf/Werror.mk 2016-02-12 15:36:18.000000000 +0100
+++ b/nss/nss/coreconf/Werror.mk 2016-02-23 23:58:15.119584046 +0100
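Review bot: The trailing space inside the quotes in `NSPR_CONFIGURE_ENV = CC="$(CC) "` and `NSPR_CONFIGURE_ENV += CXX="$(CCC) "` is unexplained and looks like a typo that a later cleanup would remove. It is presumably deliberate: it makes the closing quote a word of its own, so the following `$(filter-out -arch x86_64,$(NSPR_CONFIGURE_ENV))` can still match a final `x86_64` in the compiler command. If that is the intent, say so in the patch, for example `# trailing space keeps the closing quote a separate word for the filter-out below`. The quoting handles compiler commands that contain spaces, but it still breaks if `CC` or `CCC` itself contains a double quote.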
diff --git a/external/nss/nss.utf8bom.patch.1 b/external/nss/nss.utf8bom.patch.1
index bc37f184ce64..e8c56abefcde 100644
--- a/external/nss/nss.utf8bom.patch.1
+++ b/external/nss/nss.utf8bom.patch.1
@@ -1,12 +1,3 @@
-diff -ur nss.org/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h nss/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h
---- nss.org/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h 2016-03-31 18:26:06.763009800 +0800
-+++ nss/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h 2016-03-31 19:17:11.724452000 +0800
-@@ -1,4 +1,4 @@
--// Copyright 2005, Google Inc.
-+// Copyright 2005, Google Inc.
- // All rights reserved.
- //
- // Redistribution and use in source and binary forms, with or without
diff -ur nss.org/nss/lib/ckfw/builtins/certdata.perl nss/nss/lib/ckfw/builtins/certdata.perl
--- nss.org/nss/lib/ckfw/builtins/certdata.perl 2016-03-31 18:26:07.890190900 +0800
+++ nss/nss/lib/ckfw/builtins/certdata.perl 2016-03-31 19:16:16.727269600 +0800
diff --git a/external/nss/nss.windowbuild.patch.0 b/external/nss/nss.windowbuild.patch.0
index 04b13a7bea27..c25ff4d6437b 100644
--- a/external/nss/nss.windowbuild.patch.0
+++ b/external/nss/nss.windowbuild.patch.0
@@ -1,5 +1,5 @@
---- ./nss/external_tests/ssl_gtest/tls_connect.cc
-+++ ./nss/external_tests/ssl_gtest/tls_connect.cc
+--- ./nss/gtests/ssl_gtest/tls_connect.cc
++++ ./nss/gtests/ssl_gtest/tls_connect.cc
@@ -375,6 +375,12 @@
}
}
@@ -13,8 +13,8 @@
void TlsConnectTestBase::EnableAlpn() {
client_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
server_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
---- ./nss/external_tests/ssl_gtest/tls_connect.h
-+++ ./nss/external_tests/ssl_gtest/tls_connect.h
+--- ./nss/gtests/ssl_gtest/tls_connect.h
++++ ./nss/gtests/ssl_gtest/tls_connect.h
@@ -113,12 +113,6 @@
SessionResumptionMode expected_resumption_mode_;
std::vector<std::vector<uint8_t>> session_ids_;
@@ -26,10 +26,10 @@
- const uint8_t alpn_dummy_val_[4] = {0x01, 0x62, 0x01, 0x61};
-
private:
- void CheckResumption(SessionResumptionMode expected);
- void CheckExtendedMasterSecret();
---- ./nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
-+++ ./nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+ static inline Mode ToMode(const std::string& str) {
+ return str == "TLS" ? STREAM : DGRAM;
+--- ./nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
++++ ./nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
@@ -51,6 +51,12 @@
CheckAlpn("a");
}
@@ -43,8 +43,8 @@
TEST_P(TlsConnectGeneric, ConnectAlpnClone) {
EnsureModelSockets();
client_model_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
---- ./nss/external_tests/ssl_gtest/databuffer.h
-+++ ./nss/external_tests/ssl_gtest/databuffer.h
+--- ./nss/gtests/ssl_gtest/databuffer.h
++++ ./nss/gtests/ssl_gtest/databuffer.h
@@ -10,6 +10,7 @@
#include <algorithm>
#include <cassert>
diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch
index dfbad1a36f32..3144fa687761 100644
--- a/external/nss/nss_macosx.patch
+++ b/external/nss/nss_macosx.patch
@@ -13,21 +13,6 @@ diff -ru a/nspr/configure b/nspr/configure
diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk
--- a/a/nss/coreconf/Darwin.mk 2014-09-29 16:50:22.992304799 +0100
+++ b/b/nss/coreconf/Darwin.mk 2014-09-29 16:51:59.214931953 +0100
-@@ -8,8 +8,12 @@
-
- DEFAULT_COMPILER = gcc
-
--CC = gcc
--CCC = g++
-+# CC is taken from environment automatically.
-+#CC = cc
-+# Use CCC from environment.
-+#CCC = c++
-+CCC = $(CXX)
-+
- RANLIB = ranlib
-
- ifndef CPU_ARCH
@@ -20,13 +24,17 @@
ifeq (,$(filter-out i%86,$(CPU_ARCH)))
@@ -71,8 +56,8 @@ diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk
-DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
+DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @__________________________________________________OOO/$(notdir $@) -headerpad_max_install_names
- MKSHLIB = $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
- DLL_SUFFIX = dylib
+ ifdef USE_GCOV
+ OS_CFLAGS += --coverage
diff -ru a/nss/Makefile b/nss/Makefile
--- a/a/nss/Makefile 2014-09-29 16:50:22.990304789 +0100
+++ b/b/nss/Makefile 2014-09-29 16:51:59.207931908 +0100
diff --git a/external/nss/ubsan.patch.0 b/external/nss/ubsan.patch.0
index 8d0b5b417ca8..059a9f3b2c0a 100644
--- a/external/nss/ubsan.patch.0
+++ b/external/nss/ubsan.patch.0
@@ -1,15 +1,3 @@
-diff -ru nss.orig/nss/lib/certdb/crl.c nss/nss/lib/certdb/crl.c
---- nss/lib/certdb/crl.c 2016-02-12 15:36:18.000000000 +0100
-+++ nss/lib/certdb/crl.c 2016-02-23 20:57:17.067924598 +0100
-@@ -1982,7 +1982,7 @@
- return SECSuccess;
- }
- /* all CRLs are good, sort them by thisUpdate */
-- qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*), SortCRLsByThisUpdate);
-+ if (cache->ncrls != 0) qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*), SortCRLsByThisUpdate);
-
- if (cache->ncrls) {
- /* pick the newest CRL */
--- nss/lib/softoken/legacydb/pk11db.c
+++ nss/lib/softoken/legacydb/pk11db.c
@@ -65,7 +65,7 @@