authorDon Lewis <truckman@apache.org>2016-07-18 07:09:58 +0000
committerDon Lewis <truckman@apache.org>2016-07-18 07:09:58 +0000
commit65e38169a7edff860082509a596105deaf4afb7c (patch)
tree3d67499b8e7d9f35f2768b46504c9f8507694ff9 /nss/nss.patch
parent6bff19311a945038e5b94d53e0d7a87f66456e97 (diff)
#i126891# bundled nss-3.14.4-with-nspr-4.9.5 has many security
vulnerabilities Upgrade bundled nss-3.14.4-with-nspr-4.9.5 to nss-3.25-with-nspr-4.12. These CVEs have been fixed since nss-3.14.4 was released: CVE-2014-1533 CVE-2014-1534 CVE-2014-1536 CVE-2014-1537 CVE-2014-1540 CVE-2014-1541 CVE-2014-1542 CVE-2014-1543 CVE-2014-1544 CVE-2014-1545 CVE-2014-1547 CVE-2014-1548 CVE-2014-1549 CVE-2014-1550 CVE-2014-1551 CVE-2014-1552 CVE-2014-1555 CVE-2014-1556 CVE-2014-1557 CVE-2014-1558 CVE-2014-1559 CVE-2014-1560 CVE-2014-1561 CVE-2014-1568 CVE-2014-1569 CVE-2014-1587 CVE-2014-1588 CVE-2014-1589 CVE-2014-1590 CVE-2014-1591 CVE-2014-1592 CVE-2014-1593 CVE-2014-1594 CVE-2014-1595 CVE-2015-4513 CVE-2015-4514 CVE-2015-4515 CVE-2015-4518 CVE-2015-7181 CVE-2015-7182 CVE-2015-7183 CVE-2015-7185 CVE-2015-7186 CVE-2015-7187 CVE-2015-7188 CVE-2015-7189 CVE-2015-7190 CVE-2015-7191 CVE-2015-7192 CVE-2015-7193 CVE-2015-7194 CVE-2015-7195 CVE-2015-7196 CVE-2015-7197 CVE-2015-7198 CVE-2015-7199 CVE-2015-7200 CVE-2015-7575 CVE-2016-1938 CVE-2016-1950 CVE-2016-1978 CVE-2016-1979 Whether any of these actually impacts OpenOffice is not known. Rebase the nss patches to the new version and move any non-conflicting changes from the platform-specific patch files to nss.patch. The nss.patch.mingw file was already out of date and was not updated. Disable nss tests which require at least partial c++11 (-stdc++0x) support because they use nullptr. This reportedly requires at least gcc 4.6, which is newer that some of what is provided by some of our supported platforms. Fix build issue on FreeBSD 11.0 and other platforms with picky compilers. The result of shifting a negative signed value is undefined in C and C++. The generated code does the expected thing in my experience and this construct just generates a compiler warning, but nss-3.24/nss/lib/zlib/inflate.c is compiled with -Werror, which breaks the build. Fix the issue by doing the calculations using the equivalent unsigned type. 
The function's return type should probably also be changed, but that is more invasive. Patch pratom.h to not include <intrin.h> inside an extern "C" block because it breaks the build on Windows. Recent versions of nss include a new shared library, libfreeblpriv3.so, so package it so that it gets installed. Temporarily change nss download URL from https to http to avoid breaking bootstrap on the buildbots.
Notes
Notes: prefer: f3fff04ddd411ab001cedfa43d6bbbb733440557
Diffstat (limited to 'nss/nss.patch')
-rw-r--r--nss/nss.patch241
1 files changed, 162 insertions, 79 deletions
diff --git a/nss/nss.patch b/nss/nss.patch
index d27de91b250a..5caa67b34484 100644
--- a/nss/nss.patch
+++ b/nss/nss.patch
@@ -1,6 +1,7 @@
---- misc/nss-3.14.4/mozilla/nsprpub/config/rules.mk 2009-12-09 22:24:37.000000000 +0100
-+++ misc/build/nss-3.14.4/mozilla/nsprpub/config/rules.mk 2010-06-11 16:35:54.946870871 +0200
-@@ -377,7 +377,12 @@
+diff -ur misc/nss-3.25/nspr/config/rules.mk misc/build/nss-3.25/nspr/config/rules.mk
+--- misc/nss-3.25/nspr/config/rules.mk 2016-02-12 05:51:25.000000000 -0800
++++ misc/build/nss-3.25/nspr/config/rules.mk 2016-07-14 23:47:54.492034000 -0700
+@@ -382,7 +382,12 @@
ifdef NS_USE_GCC
$(RC) $(RCFLAGS) $(filter-out -U%,$(DEFINES)) $(INCLUDES:-I%=--include-dir %) -o $@ $<
else
@@ -14,9 +15,10 @@
endif # GCC
@echo $(RES) finished
endif
---- misc/nss-3.14.4/mozilla/nsprpub/configure 2010-02-08 19:41:35.000000000 +0100
-+++ misc/build/nss-3.14.4/mozilla/nsprpub/configure 2010-06-11 16:35:54.960188991 +0200
-@@ -4443,7 +4443,7 @@
+diff -ur misc/nss-3.25/nspr/configure misc/build/nss-3.25/nspr/configure
+--- misc/nss-3.25/nspr/configure 2016-02-12 05:51:25.000000000 -0800
++++ misc/build/nss-3.25/nspr/configure 2016-07-14 23:47:54.531323000 -0700
+@@ -6992,7 +6992,7 @@
PR_MD_CSRCS=linux.c
MKSHLIB='$(CC) $(DSO_LDOPTS) -o $@'
DSO_CFLAGS=-fPIC
@@ -25,11 +27,86 @@
_OPTIMIZE_FLAGS=-O2
_DEBUG_FLAGS="-g -fno-inline" # most people on linux use gcc/gdb, and that
# combo is not yet good at debugging inlined
---- misc/nss-3.14.4/mozilla/security/coreconf/Darwin.mk 2010-02-04 19:59:10.000000000 +0100
-+++ misc/build/nss-3.14.4/mozilla/security/coreconf/Darwin.mk 2010-06-11 16:35:54.966185975 +0200
-@@ -5,10 +5,12 @@
+diff -ur misc/nss-3.25/nspr/pr/include/pratom.h misc/build/nss-3.25/nspr/pr/include/pratom.h
+--- misc/nss-3.25/nspr/pr/include/pratom.h 2016-02-12 05:51:25.000000000 -0800
++++ misc/build/nss-3.25/nspr/pr/include/pratom.h 2016-07-14 23:47:54.538325000 -0700
+@@ -81,7 +81,9 @@
+ #if defined(_WIN32) && !defined(_WIN32_WCE) && \
+ (!defined(_MSC_VER) || (_MSC_VER >= 1310))
++PR_END_EXTERN_C
+ #include <intrin.h>
++PR_BEGIN_EXTERN_C
+
+ #ifdef _MSC_VER
+ #pragma intrinsic(_InterlockedIncrement)
+diff -ur misc/nss-3.25/nss/Makefile misc/build/nss-3.25/nss/Makefile
+--- misc/nss-3.25/nss/Makefile 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/Makefile 2016-07-14 23:47:54.544021000 -0700
+@@ -76,6 +76,9 @@
+ ifeq ($(OS_TARGET),WIN95)
+ NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95
+ endif
++ifdef MACOS_SDK_DIR
++NSPR_CONFIGURE_OPTS += --with-macos-sdk=$(MACOS_SDK_DIR)
++endif
+ ifdef USE_DEBUG_RTL
+ NSPR_CONFIGURE_OPTS += --enable-debug-rtl
+ endif
+diff -ur misc/nss-3.25/nss/cmd/platlibs.mk misc/build/nss-3.25/nss/cmd/platlibs.mk
+--- misc/nss-3.25/nss/cmd/platlibs.mk 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/cmd/platlibs.mk 2016-07-14 23:47:54.549839000 -0700
+@@ -10,17 +10,18 @@
+
+ ifeq ($(OS_ARCH), SunOS)
+ ifeq ($(USE_64), 1)
+-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
++#In AOO we would probable put the executables next to libs
++EXTRA_SHARED_LIBS += -R '$$ORIGIN'
+ else
+-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
++EXTRA_SHARED_LIBS += -R '$$ORIGIN'
+ endif
+ endif
+
+ ifeq ($(OS_ARCH), Linux)
+ ifeq ($(USE_64), 1)
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
++EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN'
+ else
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
++EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN'
+ endif
+ endif
+
+diff -ur misc/nss-3.25/nss/cmd/shlibsign/Makefile misc/build/nss-3.25/nss/cmd/shlibsign/Makefile
+--- misc/nss-3.25/nss/cmd/shlibsign/Makefile 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/cmd/shlibsign/Makefile 2016-07-14 23:47:54.554784000 -0700
+@@ -49,10 +49,15 @@
+ CHECKLIBS =
+ CHECKLOC =
+ else
+-CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
+-CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
++# Signing causes loading of some system library which in turn loads
++# libsqlite3. Then it loads libsqulite3 from nss, which does not have the proper
++# version. Therefore signing fails.
++# We cannot build with the system sqlite3, because it is too old (SDK
++# 10.4). Otherwise one could set NSS_USE_SYSTEM_SQLITE=1 and use the system lib.
++#CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
++#CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
+ ifndef NSS_DISABLE_DBM
+-CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
++#CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
+ endif
+ CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
+
+diff -ur misc/nss-3.25/nss/coreconf/Darwin.mk misc/build/nss-3.25/nss/coreconf/Darwin.mk
+--- misc/nss-3.25/nss/coreconf/Darwin.mk 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/coreconf/Darwin.mk 2016-07-14 23:47:54.560325000 -0700
+@@ -6,10 +6,12 @@
include $(CORE_DEPTH)/coreconf/UNIX.mk
+ include $(CORE_DEPTH)/coreconf/Werror.mk
-DEFAULT_COMPILER = gcc
+DEFAULT_COMPILER = cc
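Review bot: In the shlibsign/Makefile section, commenting out all three `CHECKLIBS` assignments leaves `CHECKLOC` empty on every platform that reaches this `else` branch, so no `.chk` files are produced for softokn3, freebl or nssdbm3, although the stated reason (system sqlite3 from SDK 10.4) is specific to Mac OS X. NSS uses those files for the library integrity check in FIPS mode, so a build without them presumably cannot enable that mode on any platform. I would keep the original assignments and wrap them in `ifneq ($(OS_ARCH),Darwin)` … `endif` (assuming `OS_ARCH` is `Darwin` there, as it is `SunOS` and `Linux` in platlibs.mk), with the existing comment moved onto the guard. The enclosing conditional starts outside the hunk.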
@@ -43,8 +120,33 @@
RANLIB = ranlib
ifndef CPU_ARCH
---- misc/nss-3.14.4/mozilla/security/coreconf/Linux.mk 2010-01-15 23:19:00.000000000 +0100
-+++ misc/build/nss-3.14.4/mozilla/security/coreconf/Linux.mk 2010-06-11 16:35:54.981151732 +0200
+diff -ur misc/nss-3.25/nss/coreconf/FreeBSD.mk misc/build/nss-3.25/nss/coreconf/FreeBSD.mk
+--- misc/nss-3.25/nss/coreconf/FreeBSD.mk 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/coreconf/FreeBSD.mk 2016-07-14 23:47:54.564724000 -0700
+@@ -5,9 +5,8 @@
+
+ include $(CORE_DEPTH)/coreconf/UNIX.mk
+
+-DEFAULT_COMPILER = gcc
+-CC = gcc
+-CCC = g++
++DEFAULT_COMPILER = $(CC)
++CCC = $(CXX)
+ RANLIB = ranlib
+
+ CPU_ARCH = $(OS_TEST)
+@@ -21,7 +20,7 @@
+ CPU_ARCH = x86_64
+ endif
+
+-OS_CFLAGS = $(DSO_CFLAGS) -Wall -Wno-switch -DFREEBSD -DHAVE_STRERROR -DHAVE_BSD_FLOCK
++OS_CFLAGS = $(DSO_CFLAGS) -Wall -Wno-switch -DFREEBSD -DHAVE_STRERROR -DHAVE_UNISTD_H -DHAVE_BSD_FLOCK
+
+ DSO_CFLAGS = -fPIC
+ DSO_LDOPTS = -shared -Wl,-soname -Wl,$(notdir $@)
+diff -ur misc/nss-3.25/nss/coreconf/Linux.mk misc/build/nss-3.25/nss/coreconf/Linux.mk
+--- misc/nss-3.25/nss/coreconf/Linux.mk 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/coreconf/Linux.mk 2016-07-14 23:47:54.569918000 -0700
@@ -16,8 +16,11 @@
IMPL_STRATEGY = _PTH
endif
@@ -59,16 +161,25 @@
RANLIB = ranlib
DEFAULT_COMPILER = gcc
-@@ -143,7 +146,7 @@
+@@ -139,7 +142,7 @@
+ OS_PTHREAD = -lpthread
+ endif
+
+-OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR
++OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -pipe -ffunction-sections -fdata-sections -DLINUX -Dlinux -DHAVE_STRERROR -DHAVE_UNISTD_H
+ OS_LIBS = $(OS_PTHREAD) -ldl -lc
+
+ ifdef USE_PTHREADS
+@@ -149,7 +152,7 @@
+ ARCH = linux
+
+ DSO_CFLAGS = -fPIC
+-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections '-Wl,-rpath,$$ORIGIN'
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there.
- ZDEFS_FLAG = -Wl,-z,defs
--DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
-+DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG)) '-Wl,-rpath,$$ORIGIN'
- LDFLAGS += $(ARCHFLAG)
-
- # On Maemo, we need to use the -rpath-link flag for even the standard system
-@@ -174,8 +177,13 @@
+@@ -189,8 +192,13 @@
endif
endif
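Review bot: The `'-Wl,-rpath,$$ORIGIN'` on the new `DSO_LDOPTS` line gives every shared library linked with these options a run path of its own directory, and nothing in the patch records the assumption that goes with it. Dependencies are then resolved from that directory ahead of the default system paths, so the install directory has to be writable only by the installing user. I would add a comment above the assignment, e.g. `# rpath $ORIGIN: sibling libs are loaded from this library's own directory, which must not be user-writable`.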
@@ -82,8 +193,9 @@
# The -rpath '$$ORIGIN' linker option instructs this library to search for its
# dependencies in the same directory where it resides.
---- misc/nss-3.14.4/mozilla/security/coreconf/SunOS5.mk 2009-06-11 02:55:32.000000000 +0200
-+++ misc/build/nss-3.14.4/mozilla/security/coreconf/SunOS5.mk 2010-06-11 16:35:54.985571182 +0200
+diff -ur misc/nss-3.25/nss/coreconf/SunOS5.mk misc/build/nss-3.25/nss/coreconf/SunOS5.mk
+--- misc/nss-3.25/nss/coreconf/SunOS5.mk 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/coreconf/SunOS5.mk 2016-07-14 23:47:54.575211000 -0700
@@ -48,8 +48,12 @@
# OPTIMIZER += -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer
endif
@@ -99,25 +211,27 @@
ASFLAGS += -Wa,-P
OS_CFLAGS += $(NOMD_OS_CFLAGS) $(ARCHFLAG)
ifndef BUILD_OPT
---- misc/nss-3.14.4/mozilla/security/coreconf/arch.mk 2009-06-05 04:14:49.000000000 +0200
-+++ misc/build/nss-3.14.4/mozilla/security/coreconf/arch.mk 2010-06-11 16:35:54.990913282 +0200
-@@ -302,7 +302,12 @@
- # IMPL_STRATEGY may be defined too.
- #
-
+diff -ur misc/nss-3.25/nss/coreconf/arch.mk misc/build/nss-3.25/nss/coreconf/arch.mk
+--- misc/nss-3.25/nss/coreconf/arch.mk 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/coreconf/arch.mk 2016-07-14 23:47:54.579901000 -0700
+@@ -294,7 +294,12 @@
+ ifdef CROSS_COMPILE
+ OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
+ else
-OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
-+# OBJDIR_NAME is used to build the directory containing the built objects, for
++# OBJDIR_NAME is used to build the directory containing the built objects, for
+# example mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ
+# We need to deliver the contents of that folder into the solver. To make that easier
-+# in the makefile we rename this directory to "out".
++# in the makefile we rename this directory to "out".
+#OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ
+OBJDIR_NAME = out
+ endif
- ifeq (,$(filter-out WIN%,$(OS_TARGET)))
- ifndef BUILD_OPT
---- misc/nss-3.14.4/mozilla/security/coreconf/rules.mk 2009-12-08 02:33:36.000000000 +0100
-+++ misc/build/nss-3.14.4/mozilla/security/coreconf/rules.mk 2010-06-11 16:35:54.996448704 +0200
-@@ -318,7 +318,12 @@
+
+diff -ur misc/nss-3.25/nss/coreconf/rules.mk misc/build/nss-3.25/nss/coreconf/rules.mk
+--- misc/nss-3.25/nss/coreconf/rules.mk 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/coreconf/rules.mk 2016-07-14 23:47:54.586736000 -0700
+@@ -322,7 +322,12 @@
ifdef NS_USE_GCC
$(RC) $(filter-out -U%,$(DEFINES)) $(INCLUDES:-I%=--include-dir %) -o $@ $<
else
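Review bot: In the arch.mk section, `OBJDIR_NAME = out` now sits in the `else` branch of `ifdef CROSS_COMPILE`, so a build that sets `CROSS_COMPILE` keeps the long generated directory name and whatever delivers from `out` would not find it. If cross builds are meant to work, move the override after the `endif`; otherwise document the limit with a comment such as `# CROSS_COMPILE builds keep the upstream OBJDIR_NAME; delivery from "out" covers native builds only`.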
@@ -131,49 +245,18 @@
endif
@echo $(RES) finished
endif
---- misc/nss-3.14.4/mozilla/security/nss/cmd/platlibs.mk 2010-02-04 19:59:10.000000000 +0100
-+++ misc/build/nss-3.14.4/mozilla/security/nss/cmd/platlibs.mk 2010-06-11 16:35:55.004869805 +0200
-@@ -10,17 +10,18 @@
-
- ifeq ($(OS_ARCH), SunOS)
- ifeq ($(USE_64), 1)
--EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
-+#In AOO we would probable put the executables next to libs
-+EXTRA_SHARED_LIBS += -R '$$ORIGIN'
- else
--EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
-+EXTRA_SHARED_LIBS += -R '$$ORIGIN'
- endif
- endif
-
- ifeq ($(OS_ARCH), Linux)
- ifeq ($(USE_64), 1)
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
-+EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN'
- else
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
-+EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN'
- endif
- endif
-
---- misc/nss-3.14.4/mozilla/security/nss/cmd/shlibsign/Makefile 2009-08-07 21:06:37.000000000 +0200
-+++ misc/build/nss-3.14.4/mozilla/security/nss/cmd/shlibsign/Makefile 2010-06-11 16:35:55.009851148 +0200
-@@ -46,10 +46,15 @@
-
- # sign any and all shared libraries that contain the word freebl
-
--CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
--CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
-+# Signing causes loading of some system library which in turn loads
-+# libsqlite3. Then it loads libsqulite3 from nss, which does not have the proper
-+# version. Therefore signing fails.
-+# We cannot build with the system sqlite3, because it is too old (SDK
-+# 10.4). Otherwise one could set NSS_USE_SYSTEM_SQLITE=1 and use the system lib.
-+#CHECKLIBS = $(DIST)/lib/$(DLL_PREFIX)softokn3.$(DLL_SUFFIX)
-+#CHECKLIBS += $(wildcard $(DIST)/lib/$(DLL_PREFIX)freebl*3.$(DLL_SUFFIX))
- ifndef NSS_DISABLE_DBM
--CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
-+#CHECKLIBS += $(DIST)/lib/$(DLL_PREFIX)nssdbm3.$(DLL_SUFFIX)
- endif
- CHECKLOC = $(CHECKLIBS:.$(DLL_SUFFIX)=.chk)
+diff -ur misc/nss-3.25/nss/lib/zlib/inflate.c misc/build/nss-3.25/nss/lib/zlib/inflate.c
+--- misc/nss-3.25/nss/lib/zlib/inflate.c 2016-06-20 10:11:28.000000000 -0700
++++ misc/build/nss-3.25/nss/lib/zlib/inflate.c 2016-07-14 23:47:54.598199000 -0700
+@@ -1472,9 +1472,9 @@
+ {
+ struct inflate_state FAR *state;
+- if (strm == Z_NULL || strm->state == Z_NULL) return -1L << 16;
++ if (strm == Z_NULL || strm->state == Z_NULL) return ~0UL << 16;
+ state = (struct inflate_state FAR *)strm->state;
+- return ((long)(state->back) << 16) +
++ return ((unsigned long)(state->back) << 16) +
+ (state->mode == COPY ? state->length :
+ (state->mode == MATCH ? state->was - state->length : 0));
+ }
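Review bot: Both new returns in the inflate.c section compute an `unsigned long` and rely on the implicit conversion back to the function's signed return type, which is implementation-defined for values above `LONG_MAX` (the error value, and any negative `state->back`). The error path can stay in signed arithmetic without shifting a negative value as `return -(1L << 16);`, and the second return would be clearer with an explicit `(long)` cast on the shifted term so the conversion is visible. The function signature is outside the hunk, so the `long` return type is inferred from the removed `-1L` line and the commit message.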