nss: upgrade to release 3.29.5

- fixes CVE-2017-5461 and CVE-2017-5462 - drop ubsan-alignment.patch.0, there is apparently now some NO_SANITIZE_ALIGNMENT macro upstream to get this effect - drop some hunks to prevent hard-coding CC/CCC vars, upstream now respects environment vars (but doesn't quote them...) - drop first hunk of ubsan.patch.0, fixed upstream - drop hunk for gtest-internal.h, header looks much newer anyway Change-Id: I5c484c02c1235e185af1ef5166b069303d3378e1 Reviewed-on: https://gerrit.libreoffice.org/36756 Reviewed-by: Michael Stahl <mstahl@redhat.com> Tested-by: Michael Stahl <mstahl@redhat.com>
author: Michael Stahl <mstahl@redhat.com> 2017-04-20 22:19:45 +0200
committer: Michael Stahl <mstahl@redhat.com> 2017-04-21 14:15:17 +0200
commit: 0cdf41419af854acccee0f819d4add7e8cafb7dc (patch)
tree: 2c759b38c2834e288c753632120f7b95bb3c756a /external
parent: 87dc77ba52b003a89892e48346e140c47a1ebbb6 (diff)
10 files changed, 51 insertions, 135 deletions
diff --git a/external/nss/ExternalProject_nss.mk b/external/nss/ExternalProject_nss.mk
index 57a78b4a850c..f555975ee7fa 100644
--- a/external/nss/ExternalProject_nss.mk
+++ b/external/nss/ExternalProject_nss.mk
@@ -56,6 +56,7 @@ $(call gb_ExternalProject_get_state_target,nss,build): $(call gb_ExternalProject
 		$(MAKE) -j1 AR="$(AR)" \
 			RANLIB="$(RANLIB)" \
 			NMEDIT="$(NM)edit" \
+			CCC="$(CXX)" \
 			$(if $(CROSS_COMPILING),NSPR_CONFIGURE_OPTS="--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM)") \
 			nss_build_all \
 		&& rm -f $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/*.a \
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index 7200e6ffdf65..09baf787e536 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -41,7 +41,6 @@ ifeq ($(COM_IS_CLANG),TRUE)
 ifneq ($(filter -fsanitize=%,$(CC)),)
 $(eval $(call gb_UnpackedTarball_add_patches,nss,\
 	external/nss/asan.patch.1 \
-	external/nss/ubsan-alignment.patch.0 \
 ))
 endif
 endif
diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch
index d4107d77f954..9d4af2c724e9 100644
--- a/external/nss/nss-ios.patch
+++ b/external/nss/nss-ios.patch
@@ -52,8 +52,8 @@
 --- a/a/nss/coreconf/Darwin.mk
 +++ a/a/nss/coreconf/Darwin.mk
 @@ -124,7 +124,7 @@
- # May override this with -bundle to create a loadable module.
- DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @__________________________________________________OOO/$(notdir $@) -headerpad_max_install_names
+    DSO_LDOPTS += --coverage
+ endif
  
 -MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
 +MKSHLIB		= touch $@; echo
diff --git a/external/nss/nss-more-static.patch b/external/nss/nss-more-static.patch
index 6b06a4e4a226..26948f0be24c 100644
--- a/external/nss/nss-more-static.patch
+++ b/external/nss/nss-more-static.patch
@@ -9,30 +9,30 @@
  /*  determine if hybrid platform, then actually load the DSO. */
  static PRStatus
 @@ -136,9 +136,9 @@
-     return PR_FAILURE;
-   }
+         return PR_FAILURE;
+     }
  
--  handle = loader_LoadLibrary(name);
--  if (handle) {
--    PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
-+  handle = 0;
-+  {
-+    PRFuncPtr address = FREEBL_GetVector;
-     PRStatus status;
-     if (address) {
-       FREEBLGetVectorFn  * getVector = (FREEBLGetVectorFn *)address;
+-    handle = loader_LoadLibrary(name);
+-    if (handle) {
+-        PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
++    handle = 0;
++    {
++        PRFuncPtr address = FREEBL_GetVector;
+         if (address) {
+             FREEBLGetVectorFn *getVector = (FREEBLGetVectorFn *)address;
+             const FREEBLVector *dsoVector = getVector();
 @@ -887,6 +887,7 @@
  void
  BL_Unload(void)
  {
 +#if 0
-   /* This function is not thread-safe, but doesn't need to be, because it is
-    * only called from functions that are also defined as not thread-safe,
-    * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
+     /* This function is not thread-safe, but doesn't need to be, because it is
+      * only called from functions that are also defined as not thread-safe,
+      * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
 @@ -905,6 +905,7 @@
-       blLib = NULL;
-   }
-   loadFreeBLOnce = pristineCallOnce;
+     }
+     blLib = NULL;
+     loadFreeBLOnce = pristineCallOnce;
 +#endif
  }
  
diff --git a/external/nss/nss.patch b/external/nss/nss.patch
index 771ebf59baed..b3b932343d83 100644
--- a/external/nss/nss.patch
+++ b/external/nss/nss.patch
@@ -54,24 +54,16 @@ diff -ru a/nss/cmd/platlibs.mk b/nss/cmd/platlibs.mk
 diff -ru nss.orig/nss/coreconf/arch.mk nss/nss/coreconf/arch.mk
 --- a/nss.orig/nss/coreconf/arch.mk	2016-02-12 15:36:18.000000000 +0100
 +++ b/nss/nss/coreconf/arch.mk	2016-02-23 20:48:31.595941079 +0100
-@@ -280,15 +280,21 @@
- # IMPL_STRATEGY may be defined too.
- #
- 
--ifdef CROSS_COMPILE
--OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
--else
--OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
--endif
+@@ -280,11 +280,17 @@
+     OBJDIR_NAME_COMPILER = $(COMPILER_TAG)
+ endif
+ OBJDIR_NAME_BASE = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(OBJDIR_NAME_COMPILER)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG)
+-OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
 +# OBJDIR_NAME is used to build the directory containing the built objects, for 
 +# example mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ
 +# We need to deliver the contents of that folder into instdir. To make that 
 +# easier in the makefile we rename this directory to "out". 
-+#ifdef CROSS_COMPILE
-+#OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
-+#else
-+#OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
-+#endif
++#OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
 +OBJDIR_NAME = out
  
  
@@ -96,20 +88,6 @@ diff -ru a/nss/coreconf/FreeBSD.mk b/nss/coreconf/FreeBSD.mk
 diff -ru a/nss/coreconf/Linux.mk b/nss/coreconf/Linux.mk
 --- a/a/nss/coreconf/Linux.mk	2014-09-29 16:46:38.189421588 +0100
 +++ b/b/nss/coreconf/Linux.mk	2014-09-29 16:47:42.985012235 +0100
-@@ -16,8 +16,11 @@
- 	IMPL_STRATEGY = _PTH
- endif
- 
--CC			= gcc
--CCC			= g++
-+# CC is taken from environment automatically.
-+#CC			= gcc
-+# Use CCC from environment.
-+#CCC			= g++
-+CCC		= $(CXX)
- RANLIB			= ranlib
- 
- DEFAULT_COMPILER = gcc
 @@ -157,7 +160,7 @@
  # against the libsanitizer runtime built into the main executable.
  ZDEFS_FLAG		= -Wl,-z,defs
@@ -172,6 +150,19 @@ diff -ru a/nss/Makefile b/nss/Makefile
  #! gmake
  #
  # This Source Code Form is subject to the terms of the Mozilla Public
+@@ -91,10 +91,10 @@
+ NSPR_CONFIGURE_ENV = CC=gcc CXX=g++
+ endif
+ ifdef CC
+-NSPR_CONFIGURE_ENV = CC=$(CC)
++NSPR_CONFIGURE_ENV = CC="$(CC) "
+ endif
+ ifdef CCC
+-NSPR_CONFIGURE_ENV += CXX=$(CCC)
++NSPR_CONFIGURE_ENV += CXX="$(CCC) "
+ endif
+ # Remove -arch definitions. NSPR can't handle that.
+ NSPR_CONFIGURE_ENV := $(filter-out -arch x86_64,$(NSPR_CONFIGURE_ENV))
 diff -ru nss.orig/nss/coreconf/Werror.mk nss/nss/coreconf/Werror.mk
 --- a/nss.orig/nss/coreconf/Werror.mk	2016-02-12 15:36:18.000000000 +0100
 +++ b/nss/nss/coreconf/Werror.mk	2016-02-23 23:58:15.119584046 +0100
diff --git a/external/nss/nss.utf8bom.patch.1 b/external/nss/nss.utf8bom.patch.1
index bc37f184ce64..e8c56abefcde 100644
--- a/external/nss/nss.utf8bom.patch.1
+++ b/external/nss/nss.utf8bom.patch.1
@@ -1,12 +1,3 @@
-diff -ur nss.org/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h nss/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h
---- nss.org/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h	2016-03-31 18:26:06.763009800 +0800
-+++ nss/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h	2016-03-31 19:17:11.724452000 +0800
-@@ -1,4 +1,4 @@
--// Copyright 2005, Google Inc.
-+// Copyright 2005, Google Inc.
- // All rights reserved.
- //
- // Redistribution and use in source and binary forms, with or without
 diff -ur nss.org/nss/lib/ckfw/builtins/certdata.perl nss/nss/lib/ckfw/builtins/certdata.perl
 --- nss.org/nss/lib/ckfw/builtins/certdata.perl	2016-03-31 18:26:07.890190900 +0800
 +++ nss/nss/lib/ckfw/builtins/certdata.perl	2016-03-31 19:16:16.727269600 +0800
diff --git a/external/nss/nss.windowbuild.patch.0 b/external/nss/nss.windowbuild.patch.0
index 04b13a7bea27..c25ff4d6437b 100644
--- a/external/nss/nss.windowbuild.patch.0
+++ b/external/nss/nss.windowbuild.patch.0
@@ -1,5 +1,5 @@
---- ./nss/external_tests/ssl_gtest/tls_connect.cc
-+++ ./nss/external_tests/ssl_gtest/tls_connect.cc
+--- ./nss/gtests/ssl_gtest/tls_connect.cc
++++ ./nss/gtests/ssl_gtest/tls_connect.cc
 @@ -375,6 +375,12 @@
    }
  }
@@ -13,8 +13,8 @@
  void TlsConnectTestBase::EnableAlpn() {
    client_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
    server_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
---- ./nss/external_tests/ssl_gtest/tls_connect.h
-+++ ./nss/external_tests/ssl_gtest/tls_connect.h
+--- ./nss/gtests/ssl_gtest/tls_connect.h
++++ ./nss/gtests/ssl_gtest/tls_connect.h
 @@ -113,12 +113,6 @@
    SessionResumptionMode expected_resumption_mode_;
    std::vector<std::vector<uint8_t>> session_ids_;
@@ -26,10 +26,10 @@
 -  const uint8_t alpn_dummy_val_[4] = {0x01, 0x62, 0x01, 0x61};
 -
   private:
-   void CheckResumption(SessionResumptionMode expected);
-   void CheckExtendedMasterSecret();
---- ./nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
-+++ ./nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc
+   static inline Mode ToMode(const std::string& str) {
+     return str == "TLS" ? STREAM : DGRAM;
+--- ./nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
++++ ./nss/gtests/ssl_gtest/ssl_loopback_unittest.cc
 @@ -51,6 +51,12 @@
    CheckAlpn("a");
  }
@@ -43,8 +43,8 @@
  TEST_P(TlsConnectGeneric, ConnectAlpnClone) {
    EnsureModelSockets();
    client_model_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_));
---- ./nss/external_tests/ssl_gtest/databuffer.h
-+++ ./nss/external_tests/ssl_gtest/databuffer.h
+--- ./nss/gtests/ssl_gtest/databuffer.h
++++ ./nss/gtests/ssl_gtest/databuffer.h
 @@ -10,6 +10,7 @@
  #include <algorithm>
  #include <cassert>
diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch
index dfbad1a36f32..3144fa687761 100644
--- a/external/nss/nss_macosx.patch
+++ b/external/nss/nss_macosx.patch
@@ -13,21 +13,6 @@ diff -ru a/nspr/configure b/nspr/configure
 diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk
 --- a/a/nss/coreconf/Darwin.mk	2014-09-29 16:50:22.992304799 +0100
 +++ b/b/nss/coreconf/Darwin.mk	2014-09-29 16:51:59.214931953 +0100
-@@ -8,8 +8,12 @@
- 
- DEFAULT_COMPILER = gcc
- 
--CC		= gcc
--CCC		= g++
-+# CC is taken from environment automatically.
-+#CC		= cc
-+# Use CCC from environment.
-+#CCC		= c++
-+CCC		= $(CXX)
-+
- RANLIB		= ranlib
- 
- ifndef CPU_ARCH
 @@ -20,13 +24,17 @@
  
  ifeq (,$(filter-out i%86,$(CPU_ARCH)))
@@ -71,8 +56,8 @@ diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk
 -DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
 +DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @__________________________________________________OOO/$(notdir $@) -headerpad_max_install_names
  
- MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
- DLL_SUFFIX	= dylib
+ ifdef USE_GCOV
+    OS_CFLAGS += --coverage
 diff -ru a/nss/Makefile b/nss/Makefile
 --- a/a/nss/Makefile	2014-09-29 16:50:22.990304789 +0100
 +++ b/b/nss/Makefile	2014-09-29 16:51:59.207931908 +0100
diff --git a/external/nss/ubsan-alignment.patch.0 b/external/nss/ubsan-alignment.patch.0
deleted file mode 100644
index 651939f7bc88..000000000000
--- a/external/nss/ubsan-alignment.patch.0
+++ /dev/null
@@ -1,40 +0,0 @@
---- nss/lib/freebl/md5.c
-+++ nss/lib/freebl/md5.c
-@@ -445,7 +445,7 @@
-     /* Iterate over 64-byte chunks of the message. */
-     while (inputLen >= MD5_BUFFER_SIZE) {
- #ifdef IS_LITTLE_ENDIAN
--#ifdef NSS_X86_OR_X64
-+#if 0
-         /* x86 can handle arithmetic on non-word-aligned buffers */
-         wBuf = (PRUint32 *)input;
- #else
---- nss/lib/freebl/sha_fast.c
-+++ nss/lib/freebl/sha_fast.c
-@@ -16,7 +16,7 @@
- #include "ssltrace.h"
- #endif
- 
--static void shaCompress(volatile SHA_HW_t *X, const PRUint32 *datain);
-+static void shaCompress(volatile SHA_HW_t *X, const unsigned char *datain);
- 
- #define W u.w
- #define B u.b
-@@ -241,7 +241,7 @@
-  * code on AMD64.
-  */
- static void
--shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf)
-+shaCompress(volatile SHA_HW_t *X, const unsigned char *inbuf)
- {
-     register SHA_HW_t A, B, C, D, E;
- 
-@@ -277,7 +277,7 @@
-     a = SHA_ROTL(b, 5) + SHA_F4(c, d, e) + a + XW(n) + K3; \
-     c = SHA_ROTL(c, 30)
- 
--#define LOAD(n) XW(n) = SHA_HTONL(inbuf[n])
-+#define LOAD(n) XW(n) = (((PRUint32)inbuf[4*n])<<24)|(((PRUint32)inbuf[4*n+1])<<16)|(((PRUint32)inbuf[4*n+2])<<8)|((PRUint32)inbuf[4*n+3])
- 
-     A = XH(0);
-     B = XH(1);
diff --git a/external/nss/ubsan.patch.0 b/external/nss/ubsan.patch.0
index 1254afd0c4ad..059a9f3b2c0a 100644
--- a/external/nss/ubsan.patch.0
+++ b/external/nss/ubsan.patch.0
@@ -1,14 +1,3 @@
---- nss/lib/certdb/crl.c
-+++ nss/lib/certdb/crl.c
-@@ -1982,7 +1982,7 @@
-         return SECSuccess;
-     }
-     /* all CRLs are good, sort them by thisUpdate */
--    qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*), SortCRLsByThisUpdate);
-+    if (cache->ncrls != 0) qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*), SortCRLsByThisUpdate);
- 
-     if (cache->ncrls) {
-         /* pick the newest CRL */
 --- nss/lib/softoken/legacydb/pk11db.c
 +++ nss/lib/softoken/legacydb/pk11db.c
 @@ -65,7 +65,7 @@
author	Michael Stahl <mstahl@redhat.com>	2017-04-20 22:19:45 +0200
committer	Michael Stahl <mstahl@redhat.com>	2017-04-21 14:15:17 +0200
commit	0cdf41419af854acccee0f819d4add7e8cafb7dc (patch)
tree	2c759b38c2834e288c753632120f7b95bb3c756a /external
parent	87dc77ba52b003a89892e48346e140c47a1ebbb6 (diff)