libnss: security bump to version 3.30.2

CVE-2017-5461 - Out-of-bounds write in Base64 encoding in NSS. Might cause
remote arbitrary code execution
(https://access.redhat.com/errata/RHSA-2017:1100).

CVE-2017-5462 - DRBG flaw in NSS

Drop 0001-cross-compile.patch and TARGET* variables. Upstream Makefile now
allows override of CC, so use TARGET_CONFIGURE_OPTS instead.

Drop upstream 0003-it-uninitialized-fix.patch.

Renumber the remaining patch.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Baruch Siach 2017-04-20 20:34:29 +03:00 committed by Thomas Petazzoni
parent 7e1f3171ac
commit 09b8e1079e
5 changed files with 6 additions and 82 deletions


@ -1,48 +0,0 @@
This patch allows us to set a value for the cross compiler via TARGETCC without
setting CC on the command line. CC is used for host tools as well as cross
compiled code so we cannot define it on the command line without breaking
the host tools build.
[Gustavo: update for nss 3.16.1]
[baruch: add OPTIMIZER handling]
Signed-off-by: Will Newton <will.newton@imgtec.com>
diff -Nuar nss-3.16.1-orig/nss/coreconf/Linux.mk nss-3.16.1/nss/coreconf/Linux.mk
--- nss-3.16.1-orig/nss/coreconf/Linux.mk 2014-05-02 06:27:18.000000000 +0300
+++ nss-3.16.1/nss/coreconf/Linux.mk 2014-07-01 02:38:18.701480512 +0300
@@ -16,9 +16,13 @@
IMPL_STRATEGY = _PTH
endif
-CC = gcc
-CCC = g++
-RANLIB = ranlib
+TARGETCC = gcc
+TARGETCCC = g++
+TARGETRANLIB = ranlib
+
+CC = $(TARGETCC)
+CCC = $(TARGETCCC)
+RANLIB = $(TARGETRANLIB)
DEFAULT_COMPILER = gcc
@@ -125,6 +129,7 @@
endif
endif
+OPTIMIZER = $(TARGET_OPTIMIZER)
ifeq ($(USE_PTHREADS),1)
OS_PTHREAD = -lpthread
diff -Nuar nss-3.16.1-orig/nss/coreconf/nsinstall/Makefile nss-3.16.1/nss/coreconf/nsinstall/Makefile
--- nss-3.16.1-orig/nss/coreconf/nsinstall/Makefile 2014-05-02 06:27:18.000000000 +0300
+++ nss-3.16.1/nss/coreconf/nsinstall/Makefile 2014-07-01 02:38:48.102185011 +0300
@@ -31,6 +31,7 @@
ifdef NATIVE_FLAGS
OS_CFLAGS=$(NATIVE_FLAGS)
+OPTIMIZER=
endif
include $(DEPTH)/coreconf/rules.mk


@ -1,24 +0,0 @@
# HG changeset patch
# User catdesk <catdesk@tuta.io>
# Date 1477710600 -7200
# Sat Oct 29 05:10:00 2016 +0200
# Node ID b9ef971b94ab110302d49255339077bc1b4aed7f
# Parent eb8c96563cd70aa69d48b01516085f7d2fb46178
Bug 1313846 - Declare 'it = NULL' earlier. r=franziskus
[Thomas: patch taken from upstream mercurial repository, revision
12791.]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
diff -r eb8c96563cd7 -r b9ef971b94ab lib/jar/jarfile.c
--- a/nss/lib/jar/jarfile.c Mon Oct 31 17:31:20 2016 +0100
+++ b/nss/lib/jar/jarfile.c Sat Oct 29 05:10:00 2016 +0200
@@ -657,7 +657,7 @@
jar_listzip(JAR *jar, JAR_FILE fp)
{
ZZLink *ent;
- JAR_Item *it;
+ JAR_Item *it = NULL;
JAR_Physical *phy = NULL;
struct ZipLocal *Local = PORT_ZNew(struct ZipLocal);
struct ZipCentral *Central = PORT_ZNew(struct ZipCentral);


@ -1,2 +1,2 @@
# From https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_27_2_RTM/src/SHA256SUMS # From https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_30_2_RTM/src/SHA256SUMS
sha256 dc8ac8524469d0230274fd13a53fdcd74efe4aa67205dde1a4a92be87dc28524 nss-3.27.2.tar.gz sha256 0d4a77ff26bcee79fa8afe0125e0df6ae9e798b6b36782fa29e28febf7cfce24 nss-3.30.2.tar.gz


@ -4,7 +4,7 @@
# #
################################################################################ ################################################################################
LIBNSS_VERSION = 3.27.2 LIBNSS_VERSION = 3.30.2
LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz
LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src
LIBNSS_DISTDIR = dist LIBNSS_DISTDIR = dist
@ -33,9 +33,6 @@ LIBNSS_BUILD_VARS = \
NSS_USE_SYSTEM_SQLITE=1 \ NSS_USE_SYSTEM_SQLITE=1 \
NSS_ENABLE_ECC=1 \ NSS_ENABLE_ECC=1 \
NATIVE_CC="$(HOSTCC)" \ NATIVE_CC="$(HOSTCC)" \
TARGETCC="$(TARGET_CC)" \
TARGETCCC="$(TARGET_CXX)" \
TARGETRANLIB="$(TARGET_RANLIB)" \
OS_ARCH="Linux" \ OS_ARCH="Linux" \
OS_RELEASE="2.6" \ OS_RELEASE="2.6" \
OS_TEST="$(ARCH)" OS_TEST="$(ARCH)"
@ -55,17 +52,16 @@ endif
endif endif
define LIBNSS_BUILD_CMDS define LIBNSS_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE1) -C $(@D)/nss coreconf \ $(TARGET_CONFIGURE_OPTS) $(MAKE1) -C $(@D)/nss coreconf \
SOURCE_MD_DIR=$(@D)/$(LIBNSS_DISTDIR) \ SOURCE_MD_DIR=$(@D)/$(LIBNSS_DISTDIR) \
DIST=$(@D)/$(LIBNSS_DISTDIR) \ DIST=$(@D)/$(LIBNSS_DISTDIR) \
CHECKLOC= \ CHECKLOC= \
$(LIBNSS_BUILD_VARS) $(LIBNSS_BUILD_VARS)
$(TARGET_MAKE_ENV) $(MAKE1) -C $(@D)/nss lib/dbm all \ $(TARGET_CONFIGURE_OPTS) $(MAKE1) -C $(@D)/nss lib/dbm all \
SOURCE_MD_DIR=$(@D)/$(LIBNSS_DISTDIR) \ SOURCE_MD_DIR=$(@D)/$(LIBNSS_DISTDIR) \
DIST=$(@D)/$(LIBNSS_DISTDIR) \ DIST=$(@D)/$(LIBNSS_DISTDIR) \
CHECKLOC= \ CHECKLOC= \
$(LIBNSS_BUILD_VARS) TARGET_OPTIMIZER="$(TARGET_CFLAGS)" \ $(LIBNSS_BUILD_VARS) NATIVE_FLAGS="$(HOST_CFLAGS)"
NATIVE_FLAGS="$(HOST_CFLAGS)"
endef endef
define LIBNSS_INSTALL_STAGING_CMDS define LIBNSS_INSTALL_STAGING_CMDS
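Review bot: With `TARGET_OPTIMIZER="$(TARGET_CFLAGS)"` removed from the `lib/dbm all` invocation in LIBNSS_BUILD_CMDS, the target CFLAGS now reach the NSS build only through the environment set by `$(TARGET_CONFIGURE_OPTS)`. The commit message says upstream allows CC to be overridden, but nothing on the page shows that CFLAGS from the environment are honoured; if the upstream makefiles assign CFLAGS themselves, that assignment overrides the environment value and the library is built without the toolchain's optimisation and hardening flags, with no error. It is worth confirming from a verbose build log that the target compile lines still carry TARGET_CFLAGS, and if they do not, passing them explicitly, e.g. `XCFLAGS="$(TARGET_CFLAGS)"` next to `NATIVE_FLAGS`, after checking that this does not leak into the host-built nsinstall. Separately, `LIBNSS_SITE` in the first hunk keeps the `pub/mozilla.org/security` path while the hash file comment now cites `pub/security`; aligning the two keeps the recorded hash source and the download location the same.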