From 0cdf41419af854acccee0f819d4add7e8cafb7dc Mon Sep 17 00:00:00 2001 From: Michael Stahl Date: Thu, 20 Apr 2017 22:19:45 +0200 Subject: nss: upgrade to release 3.29.5 - fixes CVE-2017-5461 and CVE-2017-5462 - drop ubsan-alignment.patch.0, there is apparently now some NO_SANITIZE_ALIGNMENT macro upstream to get this effect - drop some hunks to prevent hard-coding CC/CCC vars, upstream now respects environment vars (but doesn't quote them...) - drop first hunk of ubsan.patch.0, fixed upstream - drop hunk for gtest-internal.h, header looks much newer anyway Change-Id: I5c484c02c1235e185af1ef5166b069303d3378e1 Reviewed-on: https://gerrit.libreoffice.org/36756 Reviewed-by: Michael Stahl Tested-by: Michael Stahl --- download.lst | 4 +-- external/nss/ExternalProject_nss.mk | 1 + external/nss/UnpackedTarball_nss.mk | 1 - external/nss/nss-ios.patch | 4 +-- external/nss/nss-more-static.patch | 34 +++++++++++++------------- external/nss/nss.patch | 47 +++++++++++++++--------------------- external/nss/nss.utf8bom.patch.1 | 9 ------- external/nss/nss.windowbuild.patch.0 | 20 +++++++-------- external/nss/nss_macosx.patch | 19 ++------------- external/nss/ubsan-alignment.patch.0 | 40 ------------------------------ external/nss/ubsan.patch.0 | 11 --------- 11 files changed, 53 insertions(+), 137 deletions(-) delete mode 100644 external/nss/ubsan-alignment.patch.0 diff --git a/download.lst b/download.lst index 3d0418563c6d..a7441f81f784 100644 --- a/download.lst +++ b/download.lst @@ -162,8 +162,8 @@ export MYTHES_SHA256SUM := 1e81f395d8c851c3e4e75b568e20fa2fa549354e75ab397f9de4b export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz export NEON_SHA256SUM := 00c626c0dc18d094ab374dbd9a354915bfe4776433289386ed489c2ec0845cdd export NEON_TARBALL := 231adebe5c2f78fded3e3df6e958878e-neon-0.30.1.tar.gz -export NSS_SHA256SUM := c74ad468ed5da0304b58ec56fa627fa388b256451b1a44fd184145c6d8203820 -export NSS_TARBALL := 0e3eee39402386cf16fd7aaa7399ebef-nss-3.27-with-nspr-4.13.tar.gz +export NSS_SHA256SUM := 8cb8624147737d1b4587c50bf058afbb6effc0f3c205d69b5ef4077b3bfed0e4 +export NSS_TARBALL := nss-3.29.5-with-nspr-4.13.1.tar.gz export ODFGEN_SHA256SUM := 2c7b21892f84a4c67546f84611eccdad6259875c971e98ddb027da66ea0ac9c2 export ODFGEN_VERSION_MICRO := 6 export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.bz2 diff --git a/external/nss/ExternalProject_nss.mk b/external/nss/ExternalProject_nss.mk index 57a78b4a850c..f555975ee7fa 100644 --- a/external/nss/ExternalProject_nss.mk +++ b/external/nss/ExternalProject_nss.mk @@ -56,6 +56,7 @@ $(call gb_ExternalProject_get_state_target,nss,build): $(call gb_ExternalProject $(MAKE) -j1 AR="$(AR)" \ RANLIB="$(RANLIB)" \ NMEDIT="$(NM)edit" \ + CCC="$(CXX)" \ $(if $(CROSS_COMPILING),NSPR_CONFIGURE_OPTS="--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM)") \ nss_build_all \ && rm -f $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/*.a \ diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index 7200e6ffdf65..09baf787e536 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -41,7 +41,6 @@ ifeq ($(COM_IS_CLANG),TRUE) ifneq ($(filter -fsanitize=%,$(CC)),) $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/asan.patch.1 \ - external/nss/ubsan-alignment.patch.0 \ )) endif endif diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch index d4107d77f954..9d4af2c724e9 100644 --- a/external/nss/nss-ios.patch +++ b/external/nss/nss-ios.patch @@ -52,8 +52,8 @@ --- a/a/nss/coreconf/Darwin.mk +++ a/a/nss/coreconf/Darwin.mk @@ -124,7 +124,7 @@ - # May override this with -bundle to create a loadable module. - DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @__________________________________________________OOO/$(notdir $@) -headerpad_max_install_names + DSO_LDOPTS += --coverage + endif -MKSHLIB = $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS) +MKSHLIB = touch $@; echo diff --git a/external/nss/nss-more-static.patch b/external/nss/nss-more-static.patch index 6b06a4e4a226..26948f0be24c 100644 --- a/external/nss/nss-more-static.patch +++ b/external/nss/nss-more-static.patch @@ -9,30 +9,30 @@ /* determine if hybrid platform, then actually load the DSO. */ static PRStatus @@ -136,9 +136,9 @@ - return PR_FAILURE; - } + return PR_FAILURE; + } -- handle = loader_LoadLibrary(name); -- if (handle) { -- PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector"); -+ handle = 0; -+ { -+ PRFuncPtr address = FREEBL_GetVector; - PRStatus status; - if (address) { - FREEBLGetVectorFn * getVector = (FREEBLGetVectorFn *)address; +- handle = loader_LoadLibrary(name); +- if (handle) { +- PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector"); ++ handle = 0; ++ { ++ PRFuncPtr address = FREEBL_GetVector; + if (address) { + FREEBLGetVectorFn *getVector = (FREEBLGetVectorFn *)address; + const FREEBLVector *dsoVector = getVector(); @@ -887,6 +887,7 @@ void BL_Unload(void) { +#if 0 - /* This function is not thread-safe, but doesn't need to be, because it is - * only called from functions that are also defined as not thread-safe, - * namely C_Finalize in softoken, and the SSL bypass shutdown callback called + /* This function is not thread-safe, but doesn't need to be, because it is + * only called from functions that are also defined as not thread-safe, + * namely C_Finalize in softoken, and the SSL bypass shutdown callback called @@ -905,6 +905,7 @@ - blLib = NULL; - } - loadFreeBLOnce = pristineCallOnce; + } + blLib = NULL; + loadFreeBLOnce = pristineCallOnce; +#endif } diff --git a/external/nss/nss.patch b/external/nss/nss.patch index 771ebf59baed..b3b932343d83 100644 --- a/external/nss/nss.patch +++ b/external/nss/nss.patch @@ -54,24 +54,16 @@ diff -ru a/nss/cmd/platlibs.mk b/nss/cmd/platlibs.mk diff -ru nss.orig/nss/coreconf/arch.mk nss/nss/coreconf/arch.mk --- a/nss.orig/nss/coreconf/arch.mk 2016-02-12 15:36:18.000000000 +0100 +++ b/nss/nss/coreconf/arch.mk 2016-02-23 20:48:31.595941079 +0100 -@@ -280,15 +280,21 @@ - # IMPL_STRATEGY may be defined too. - # - --ifdef CROSS_COMPILE --OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ --else --OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ --endif +@@ -280,11 +280,17 @@ + OBJDIR_NAME_COMPILER = $(COMPILER_TAG) + endif + OBJDIR_NAME_BASE = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(OBJDIR_NAME_COMPILER)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG) +-OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ +# OBJDIR_NAME is used to build the directory containing the built objects, for +# example mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ +# We need to deliver the contents of that folder into instdir. To make that +# easier in the makefile we rename this directory to "out". -+#ifdef CROSS_COMPILE -+#OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ -+#else -+#OBJDIR_NAME = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(COMPILER_TAG)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG).OBJ -+#endif ++#OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ +OBJDIR_NAME = out @@ -96,20 +88,6 @@ diff -ru a/nss/coreconf/FreeBSD.mk b/nss/coreconf/FreeBSD.mk diff -ru a/nss/coreconf/Linux.mk b/nss/coreconf/Linux.mk --- a/a/nss/coreconf/Linux.mk 2014-09-29 16:46:38.189421588 +0100 +++ b/b/nss/coreconf/Linux.mk 2014-09-29 16:47:42.985012235 +0100 -@@ -16,8 +16,11 @@ - IMPL_STRATEGY = _PTH - endif - --CC = gcc --CCC = g++ -+# CC is taken from environment automatically. -+#CC = gcc -+# Use CCC from environment. -+#CCC = g++ -+CCC = $(CXX) - RANLIB = ranlib - - DEFAULT_COMPILER = gcc @@ -157,7 +160,7 @@ # against the libsanitizer runtime built into the main executable. ZDEFS_FLAG = -Wl,-z,defs @@ -172,6 +150,19 @@ diff -ru a/nss/Makefile b/nss/Makefile #! gmake # # This Source Code Form is subject to the terms of the Mozilla Public +@@ -91,10 +91,10 @@ + NSPR_CONFIGURE_ENV = CC=gcc CXX=g++ + endif + ifdef CC +-NSPR_CONFIGURE_ENV = CC=$(CC) ++NSPR_CONFIGURE_ENV = CC="$(CC) " + endif + ifdef CCC +-NSPR_CONFIGURE_ENV += CXX=$(CCC) ++NSPR_CONFIGURE_ENV += CXX="$(CCC) " + endif + # Remove -arch definitions. NSPR can't handle that. + NSPR_CONFIGURE_ENV := $(filter-out -arch x86_64,$(NSPR_CONFIGURE_ENV)) diff -ru nss.orig/nss/coreconf/Werror.mk nss/nss/coreconf/Werror.mk --- a/nss.orig/nss/coreconf/Werror.mk 2016-02-12 15:36:18.000000000 +0100 +++ b/nss/nss/coreconf/Werror.mk 2016-02-23 23:58:15.119584046 +0100 diff --git a/external/nss/nss.utf8bom.patch.1 b/external/nss/nss.utf8bom.patch.1 index bc37f184ce64..e8c56abefcde 100644 --- a/external/nss/nss.utf8bom.patch.1 +++ b/external/nss/nss.utf8bom.patch.1 @@ -1,12 +1,3 @@ -diff -ur nss.org/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h nss/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h ---- nss.org/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h 2016-03-31 18:26:06.763009800 +0800 -+++ nss/nss/external_tests/google_test/gtest/include/gtest/internal/gtest-internal.h 2016-03-31 19:17:11.724452000 +0800 -@@ -1,4 +1,4 @@ --// Copyright 2005, Google Inc. -+// Copyright 2005, Google Inc. - // All rights reserved. - // - // Redistribution and use in source and binary forms, with or without diff -ur nss.org/nss/lib/ckfw/builtins/certdata.perl nss/nss/lib/ckfw/builtins/certdata.perl --- nss.org/nss/lib/ckfw/builtins/certdata.perl 2016-03-31 18:26:07.890190900 +0800 +++ nss/nss/lib/ckfw/builtins/certdata.perl 2016-03-31 19:16:16.727269600 +0800 diff --git a/external/nss/nss.windowbuild.patch.0 b/external/nss/nss.windowbuild.patch.0 index 04b13a7bea27..c25ff4d6437b 100644 --- a/external/nss/nss.windowbuild.patch.0 +++ b/external/nss/nss.windowbuild.patch.0 @@ -1,5 +1,5 @@ ---- ./nss/external_tests/ssl_gtest/tls_connect.cc -+++ ./nss/external_tests/ssl_gtest/tls_connect.cc +--- ./nss/gtests/ssl_gtest/tls_connect.cc ++++ ./nss/gtests/ssl_gtest/tls_connect.cc @@ -375,6 +375,12 @@ } } @@ -13,8 +13,8 @@ void TlsConnectTestBase::EnableAlpn() { client_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_)); server_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_)); ---- ./nss/external_tests/ssl_gtest/tls_connect.h -+++ ./nss/external_tests/ssl_gtest/tls_connect.h +--- ./nss/gtests/ssl_gtest/tls_connect.h ++++ ./nss/gtests/ssl_gtest/tls_connect.h @@ -113,12 +113,6 @@ SessionResumptionMode expected_resumption_mode_; std::vector> session_ids_; @@ -26,10 +26,10 @@ - const uint8_t alpn_dummy_val_[4] = {0x01, 0x62, 0x01, 0x61}; - private: - void CheckResumption(SessionResumptionMode expected); - void CheckExtendedMasterSecret(); ---- ./nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc -+++ ./nss/external_tests/ssl_gtest/ssl_loopback_unittest.cc + static inline Mode ToMode(const std::string& str) { + return str == "TLS" ? STREAM : DGRAM; +--- ./nss/gtests/ssl_gtest/ssl_loopback_unittest.cc ++++ ./nss/gtests/ssl_gtest/ssl_loopback_unittest.cc @@ -51,6 +51,12 @@ CheckAlpn("a"); } @@ -43,8 +43,8 @@ TEST_P(TlsConnectGeneric, ConnectAlpnClone) { EnsureModelSockets(); client_model_->EnableAlpn(alpn_dummy_val_, sizeof(alpn_dummy_val_)); ---- ./nss/external_tests/ssl_gtest/databuffer.h -+++ ./nss/external_tests/ssl_gtest/databuffer.h +--- ./nss/gtests/ssl_gtest/databuffer.h ++++ ./nss/gtests/ssl_gtest/databuffer.h @@ -10,6 +10,7 @@ #include #include diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch index dfbad1a36f32..3144fa687761 100644 --- a/external/nss/nss_macosx.patch +++ b/external/nss/nss_macosx.patch @@ -13,21 +13,6 @@ diff -ru a/nspr/configure b/nspr/configure diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk --- a/a/nss/coreconf/Darwin.mk 2014-09-29 16:50:22.992304799 +0100 +++ b/b/nss/coreconf/Darwin.mk 2014-09-29 16:51:59.214931953 +0100 -@@ -8,8 +8,12 @@ - - DEFAULT_COMPILER = gcc - --CC = gcc --CCC = g++ -+# CC is taken from environment automatically. -+#CC = cc -+# Use CCC from environment. -+#CCC = c++ -+CCC = $(CXX) -+ - RANLIB = ranlib - - ifndef CPU_ARCH @@ -20,13 +24,17 @@ ifeq (,$(filter-out i%86,$(CPU_ARCH))) @@ -71,8 +56,8 @@ diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk -DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names +DSO_LDOPTS = -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @__________________________________________________OOO/$(notdir $@) -headerpad_max_install_names - MKSHLIB = $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS) - DLL_SUFFIX = dylib + ifdef USE_GCOV + OS_CFLAGS += --coverage diff -ru a/nss/Makefile b/nss/Makefile --- a/a/nss/Makefile 2014-09-29 16:50:22.990304789 +0100 +++ b/b/nss/Makefile 2014-09-29 16:51:59.207931908 +0100 diff --git a/external/nss/ubsan-alignment.patch.0 b/external/nss/ubsan-alignment.patch.0 deleted file mode 100644 index 651939f7bc88..000000000000 --- a/external/nss/ubsan-alignment.patch.0 +++ /dev/null @@ -1,40 +0,0 @@ ---- nss/lib/freebl/md5.c -+++ nss/lib/freebl/md5.c -@@ -445,7 +445,7 @@ - /* Iterate over 64-byte chunks of the message. */ - while (inputLen >= MD5_BUFFER_SIZE) { - #ifdef IS_LITTLE_ENDIAN --#ifdef NSS_X86_OR_X64 -+#if 0 - /* x86 can handle arithmetic on non-word-aligned buffers */ - wBuf = (PRUint32 *)input; - #else ---- nss/lib/freebl/sha_fast.c -+++ nss/lib/freebl/sha_fast.c -@@ -16,7 +16,7 @@ - #include "ssltrace.h" - #endif - --static void shaCompress(volatile SHA_HW_t *X, const PRUint32 *datain); -+static void shaCompress(volatile SHA_HW_t *X, const unsigned char *datain); - - #define W u.w - #define B u.b -@@ -241,7 +241,7 @@ - * code on AMD64. - */ - static void --shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf) -+shaCompress(volatile SHA_HW_t *X, const unsigned char *inbuf) - { - register SHA_HW_t A, B, C, D, E; - -@@ -277,7 +277,7 @@ - a = SHA_ROTL(b, 5) + SHA_F4(c, d, e) + a + XW(n) + K3; \ - c = SHA_ROTL(c, 30) - --#define LOAD(n) XW(n) = SHA_HTONL(inbuf[n]) -+#define LOAD(n) XW(n) = (((PRUint32)inbuf[4*n])<<24)|(((PRUint32)inbuf[4*n+1])<<16)|(((PRUint32)inbuf[4*n+2])<<8)|((PRUint32)inbuf[4*n+3]) - - A = XH(0); - B = XH(1); diff --git a/external/nss/ubsan.patch.0 b/external/nss/ubsan.patch.0 index 1254afd0c4ad..059a9f3b2c0a 100644 --- a/external/nss/ubsan.patch.0 +++ b/external/nss/ubsan.patch.0 @@ -1,14 +1,3 @@ ---- nss/lib/certdb/crl.c -+++ nss/lib/certdb/crl.c -@@ -1982,7 +1982,7 @@ - return SECSuccess; - } - /* all CRLs are good, sort them by thisUpdate */ -- qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*), SortCRLsByThisUpdate); -+ if (cache->ncrls != 0) qsort(cache->crls, cache->ncrls, sizeof(CachedCrl*), SortCRLsByThisUpdate); - - if (cache->ncrls) { - /* pick the newest CRL */ --- nss/lib/softoken/legacydb/pk11db.c +++ nss/lib/softoken/legacydb/pk11db.c @@ -65,7 +65,7 @@ -- cgit