From d7925c5f0dff50820e1a1ffc672ad1d0775fb18e Mon Sep 17 00:00:00 2001
From: Michael Stahl <michael.stahl@allotropia.de>
Date: Tue, 19 Oct 2021 15:17:39 +0200
Subject: nss: upgrade to release 3.73

Fixes:
CVE-2021-43527 Memory corruption via DER-encoded DSA and RSA-PSS signatures

Includes: nss: upgrade to release 3.71

* external/nss/nss.getopt.patch.0: fixed upstream
* external/nss/nss-win-arm64.patch: fixed upstream
* external/nss/nss_macosx.patch: one hunk was fixed upstream

Conflicts:
     download.lst

Change-Id: I5c3f169c57fc2763029b07ad7e325b2f53b7e28f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126218
Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de>
(cherry picked from commit c8e21d246bcb4289cb25c82be440cd07b7418436)
(cherry picked from commit c99f4359a2901bde5d6cfb623a47f99ba2d5e18a)
---
 download.lst                                       |   4 +-
 external/nss/UnpackedTarball_nss.mk                |   2 -
 external/nss/nss-android.patch.1                   |   6 +-
 external/nss/nss-ios.patch                         | 112 ---------------------
 .../nss-restore-manual-pre-dependencies.patch.1    |   4 +-
 5 files changed, 7 insertions(+), 121 deletions(-)
 delete mode 100644 external/nss/nss-ios.patch

diff --git a/download.lst b/download.lst
index 2632c4e06f8f..5b19920c281b 100644
--- a/download.lst
+++ b/download.lst
@@ -183,8 +183,8 @@ export MYTHES_SHA256SUM := 1e81f395d8c851c3e4e75b568e20fa2fa549354e75ab397f9de4b
 export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz
 export NEON_SHA256SUM := db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d3d967fbca
 export NEON_TARBALL := neon-0.30.2.tar.gz
-export NSS_SHA256SUM := ec6032d78663c6ef90b4b83eb552dedf721d2bce208cec3bf527b8f637db7e45
-export NSS_TARBALL := nss-3.55-with-nspr-4.27.tar.gz
+export NSS_SHA256SUM := 07a9e5b70f121a62706140d4cacc3006d3efb869da40f3a2bf7a65d37847f4d9
+export NSS_TARBALL := nss-3.73-with-nspr-4.32.tar.gz
 export ODFGEN_SHA256SUM := 55200027fd46623b9bdddd38d275e7452d1b0ff8aeddcad6f9ae6dc25f610625
 export ODFGEN_VERSION_MICRO := 8
 export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.xz
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index f49d55fab46e..017dc8def922 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -25,8 +25,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
 	external/nss/nss-bz1646594.patch.1 \
     external/nss/macos-dlopen.patch.0 \
     external/nss/nss-restore-manual-pre-dependencies.patch.1 \
-    $(if $(filter iOS,$(OS)), \
-        external/nss/nss-ios.patch) \
     $(if $(filter ANDROID,$(OS)), \
         external/nss/nss-android.patch.1) \
     $(if $(filter MSC-INTEL,$(COM)-$(CPUNAME)), \
diff --git a/external/nss/nss-android.patch.1 b/external/nss/nss-android.patch.1
index f8b4cdaf3753..9677caebbcec 100644
--- a/external/nss/nss-android.patch.1
+++ b/external/nss/nss-android.patch.1
@@ -9,9 +9,9 @@ diff -ur nss.org/nspr/build/autoconf/config.sub nss/nspr/build/autoconf/config.s
 +if test $1 = "i686-pc-linux-android"; then echo $1; exit; fi
 +if test $1 = "x86_64-pc-linux-android"; then echo $1; exit; fi
 +
- # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
- # Here we must recognize all the valid KERNEL-OS combinations.
- maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+ # Split fields of configuration type
+ # shellcheck disable=SC2162
+ IFS="-" read field1 field2 field3 field4 <<EOF
 diff -ur nss.org/nspr/configure nss/nspr/configure
 --- nss.org/nspr/configure	2017-09-07 15:29:45.018246359 +0200
 +++ nss/nspr/configure	2017-09-07 15:31:47.604075663 +0200
diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch
deleted file mode 100644
index 9d4af2c724e9..000000000000
--- a/external/nss/nss-ios.patch
+++ /dev/null
@@ -1,112 +0,0 @@
---- a/a/nspr/config/autoconf.mk.in
-+++ a/a/nspr/config/autoconf.mk.in
-@@ -67,7 +67,7 @@
- MSC_VER		= @MSC_VER@
- AR		= @AR@
- AR_FLAGS	= @AR_FLAGS@
--LD		= @LD@
-+LD		= echo
- RANLIB		= @RANLIB@
- PERL		= @PERL@
- RC		= @RC@
---- a/a/nspr/configure
-+++ a/a/nspr/configure
-@@ -755,7 +755,7 @@
- OBJDIR='$(OBJDIR_NAME)'
- OBJDIR_NAME=.
- OBJDIR_SUFFIX=OBJ
--NSINSTALL='$(MOD_DEPTH)/config/$(OBJDIR_NAME)/nsinstall'
-+NSINSTALL=${NSINSTALL?'$(MOD_DEPTH)/config/$(OBJDIR_NAME)/nsinstall'}
- NOSUCHFILE=/no-such-file
- LIBNSPR='-L$(dist_libdir) -lnspr$(MOD_MAJOR_VERSION)'
- LIBPLC='-L$(dist_libdir) -lplc$(MOD_MAJOR_VERSION)'
-@@ -3060,7 +3060,7 @@
- LIB_SUFFIX=a
- DLL_SUFFIX=so
- ASM_SUFFIX=s
--MKSHLIB='$(LD) $(DSO_LDOPTS) -o $@'
-+MKSHLIB='touch $@; echo'
- PR_MD_ASFILES=
- PR_MD_CSRCS=
- PR_MD_ARCH_DIR=unix
-@@ -3904,7 +3904,7 @@
-     DSO_CFLAGS=-fPIC
-     DSO_LDOPTS='-dynamiclib -compatibility_version 1 -current_version 1 -all_load -install_name @__________________________________________________OOO/$@ -headerpad_max_install_names'
-     _OPTIMIZE_FLAGS=-O2
--    MKSHLIB='$(CC) $(DSO_LDOPTS) -o $@'
-+    MKSHLIB=touch $@
-     STRIP="$STRIP -x -S"
-     DLL_SUFFIX=dylib
-     USE_PTHREADS=1
---- a/a/nss/coreconf/ruleset.mk
-+++ a/a/nss/coreconf/ruleset.mk
-@@ -68,7 +68,7 @@
- endif
- 
- ifeq ($(MKPROG),)
--    MKPROG = $(CC)
-+    MKPROG = touch $@; echo
- endif
- 
- #
---- a/a/nss/coreconf/Darwin.mk
-+++ a/a/nss/coreconf/Darwin.mk
-@@ -124,7 +124,7 @@
-    DSO_LDOPTS += --coverage
- endif
- 
--MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
-+MKSHLIB		= touch $@; echo
- DLL_SUFFIX	= dylib
- ifdef MAPFILE
- 	MKSHLIB += -exported_symbols_list $(MAPFILE)
---- a/a/nss/coreconf/UNIX.mk
-+++ a/a/nss/coreconf/UNIX.mk
-@@ -21,10 +21,14 @@
- 
- ifdef BUILD_TREE
- NSINSTALL_DIR  = $(BUILD_TREE)/nss
-+ifndef NSINSTALL
- NSINSTALL      = $(BUILD_TREE)/nss/nsinstall
-+endif
- else
- NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
-+ifndef NSINSTALL
- NSINSTALL      = $(NSINSTALL_DIR)/$(OBJDIR_NAME)/nsinstall
-+endif
- endif
- 
- MKDEPEND_DIR    = $(CORE_DEPTH)/coreconf/mkdepend
---- a/a/nspr/pr/include/md/_darwin.h
-+++ a/a/nspr/pr/include/md/_darwin.h
-@@ -26,6 +26,8 @@
- #define _PR_SI_ARCHITECTURE "ppc"
- #elif defined(__arm__)
- #define _PR_SI_ARCHITECTURE "arm"
-+#elif defined(__arm64__)
-+#define _PR_SI_ARCHITECTURE "arm64"
- #elif defined(__aarch64__)
- #define _PR_SI_ARCHITECTURE "aarch64"
- #else
---- a/a/nspr/pr/src/Makefile.in
-+++ a/a/nspr/pr/src/Makefile.in
-@@ -180,7 +180,7 @@
- endif
- 
- ifeq ($(OS_TARGET),MacOSX)
--OS_LIBS		= -framework CoreServices -framework CoreFoundation
-+OS_LIBS		= -framework CoreFoundation
- endif
- 
- EXTRA_LIBS += $(OS_LIBS)
---- a/a/nss/cmd/shlibsign/sign.sh
-+++ a/a/nss/cmd/shlibsign/sign.sh
-@@ -2,6 +2,8 @@
- # This Source Code Form is subject to the terms of the Mozilla Public
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-+
-+exit 0
- 
- # arguments:
- # 1: full path to DIST/OBJDIR (parent dir of "lib")
diff --git a/external/nss/nss-restore-manual-pre-dependencies.patch.1 b/external/nss/nss-restore-manual-pre-dependencies.patch.1
index ebcc5b48c540..06691b1ec957 100644
--- a/external/nss/nss-restore-manual-pre-dependencies.patch.1
+++ b/external/nss/nss-restore-manual-pre-dependencies.patch.1
@@ -79,5 +79,5 @@ summary:     Bug 1637083 Replace pre-dependency with shell hack r=rrelyea
 +	$(MAKE) -C lib/base libs
 +	IGNORE_DIRS=1 $(MAKE) -C lib/ckfw/builtins libs
  
- all: prepare_build
- 	$(MAKE) libs
+ lib: coreconf
+ cmd: lib
-- 
cgit