diff --git a/gnu/local.mk b/gnu/local.mk index 68a87b1255..48ee438a6e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -811,7 +811,6 @@ dist_patch_DATA = \ %D%/packages/patches/hplip-remove-imageprocessor.patch \ %D%/packages/patches/hydra-disable-darcs-test.patch \ %D%/packages/patches/icecat-avoid-bundled-libraries.patch \ - %D%/packages/patches/icecat-CVE-2018-12383.patch \ %D%/packages/patches/icecat-use-system-graphite2+harfbuzz.patch \ %D%/packages/patches/icecat-use-system-media-libs.patch \ %D%/packages/patches/icedtea-6-hotspot-gcc-segfault-workaround.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 1dd0e930d3..36ac0dfe6a 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -482,83 +482,21 @@ (define (mozilla-patch file-name changeset hash) (define-public icecat (package (name "icecat") - (version "60.2.0-gnu1") + (version "60.3.0-gnu1") (source (origin (method url-fetch) - ;; Temporary URL pending official release: - (uri "https://alpha.gnu.org/gnu/gnuzilla/60.2.0/icecat-60.2.0-gnu1.tar.bz2") - #; (uri (string-append "mirror://gnu/gnuzilla/" (first (string-split version #\-)) "/" name "-" version ".tar.bz2")) (sha256 (base32 - "0lqx7g79x15941rhjr3qsfwsny6vzc7d7abdmvjy6jjbqkqlc1zl")) + "0icnl64nxcyf7dprpdpygxhabsvyhps8c3ixysj9bcdlj9q34ib1")) (patches (list (search-patch "icecat-avoid-bundled-libraries.patch") (search-patch "icecat-use-system-graphite2+harfbuzz.patch") - (search-patch "icecat-use-system-media-libs.patch") - (mozilla-patch "icecat-CVE-2018-12385.patch" "80a4a7ef2813" "1vgcbimpnfjqj934v0cryq1g13xac3wfmd4jyhcb5s60x8xyssf5") - (search-patch "icecat-CVE-2018-12383.patch") - (mozilla-patch "icecat-bug-1489744.patch" "6546ee839d30" "11mhvj77r789b428bfxqq5wdx8yr7lbrdjzr8qjj6fw197pldn51") - (mozilla-patch "icecat-CVE-2018-12386.patch" "4808fcb2e6ca" "05sc881l7sh8bag8whd2ggdn198lskqcxq8f41scfpqscw6xs5d5") - (mozilla-patch "icecat-CVE-2018-12387.patch" "b8f5c37486e1" "0lvmbh126m695kgdbasy1y5xh9n1j08cwdhn071mgvj6yn8cns5z") - (mozilla-patch "icecat-bug-1464751.patch" "d5d00faf0465" "1mj7dbb06brwrk0mvap0z4lfl2hwz1cj6dwjvdrisxm046pdw98i") - (mozilla-patch "icecat-bug-1472538.patch" "11462f2b98f2" "1nxgh0plzilylx8r73r7d74pv66qwjqxmd7nqii33p0snl2jjfzs") - (mozilla-patch "icecat-bug-1478685.patch" "098585dc86fc" "1b0x4qdh6isvffmibvc8ad8z62m3iky9q6jq0z6gyvn8q252cqal") - (mozilla-patch "icecat-bug-1486080.patch" "3f8d57d936ea" "0pz2c18wcgj44v0j8my9xbm90m4bsjcvzmavj569fi8bh6s6zz8p") - (mozilla-patch "icecat-bug-1423278.patch" "878ceaee5634" "0i47s5nvrx9vqbnj6s9y9f4ffww20p8nviqa6frg676y1188xlyl") - (mozilla-patch "icecat-CVE-2018-12390-pt01.patch" "87be1b98ec9a" "15f4l18c7hz9aqn89gg3dwmdidfwgn10dywgpzydm8mps45amx7j") - (mozilla-patch "icecat-bug-1484559.patch" "99e58b5307ce" "02fdgbliwzi2r2376wg6k1rky1isfka0smac4ii2cll01jhpfrn6") - (mozilla-patch "icecat-CVE-2018-12390-pt02.patch" "f25ce451a492" "18nzg39iyxza1686180qk9cc88l5j2hf1h35d62lrqmdgd9vcj33") - (mozilla-patch "icecat-CVE-2018-12390-pt03.patch" "35c26bc231df" "0qh8d4z6y03h5xh7djci26a01l6zq667lg2k11f6zzg7z2j0h67x") - (mozilla-patch "icecat-bug-1488061.patch" "050d0cfa8e3d" "05ql798ynbyz5pvyri4b95j4ixmgnny3zl7sd2ckfrrbm9mxh627") - (mozilla-patch "icecat-bug-1434963-pt1.patch" "1e6dad87efed" "1v00a6cmgswjk54041jyv1ib129fxshpzwk6mn6lr0v5hylk3bx9") - (mozilla-patch "icecat-bug-1434963-pt2.patch" "6558c46df9ea" "0vdy9dm9w5k1flhcfxwvvff0aa415b5mgmmq5r37i83686768xfb") - (mozilla-patch "icecat-bug-1434963-pt3.patch" "686fcfa8abd6" "0ihqr11aq4b0y7mx7bwn8yzn25mv3k2gdphm951mj1g85qg35ann") - (mozilla-patch "icecat-bug-1491132.patch" "14120e0c74d6" "188c5fbhqqhmlk88p70l6d97skh7xy4jhqdby1ri3h9ix967515j") - (mozilla-patch "icecat-bug-1492065.patch" "ec4b5969c6ae" "18gfwn15kh0826vlg6lhrx3q4gv82i7v1k3y5jp72mvrjq154gy0") - (mozilla-patch "icecat-bug-1492064.patch" "528cabdd9665" "0rdwpkfma24hn8namfb9saw4rgi9yyyj4af5h2ijrvadw6r8lyyn") - (mozilla-patch "icecat-bug-1489757.patch" "46f19852aaa6" "0dga7mw847klm8x6il2fyzpjxqxxgx1q5cya658f1w66kxms1f29") - (mozilla-patch "icecat-bug-1492897.patch" "c3a48066f383" "09n6sdck4jzzmznzrq0iixg5nsgrc5ibpdfsh3i7ppwad3fsy2m3") - (mozilla-patch "icecat-bug-1492915.patch" "2d280e557331" "11x2n61pw5way9cg8lbrfl3lqvgfnbmcs1fwm78i06kmfwj0msk3") - (mozilla-patch "icecat-CVE-2018-12390-pt04.patch" "b80f94262165" "1hw43h4sgf77x323745rixyp6cci3fb6d3fnp33q82m4ssdb5623") - (mozilla-patch "icecat-bug-1492484.patch" "1b3e6759cf3a" "1yn2cd2227ncg90c88ymdi5fyfs4hk335bd16vkkgljs0924yy0m") - (mozilla-patch "icecat-bug-1493590.patch" "d9fe3b2025fc" "06783hj1aqms2f9a3mp18bk8hgijk3pz70bpccn173v4w0zlbbd4") - (mozilla-patch "icecat-CVE-2018-12390-pt05.patch" "20c59797e994" "1vxnhpirjsj040hrq9xmq2xhkpq4l5mnnzqy0nda92dfh47zvidj") - (mozilla-patch "icecat-CVE-2018-12390-pt06.patch" "1749661dfd28" "0g0sj2fgp3asj0yvxksnhrc59yxncn35bz5nzlvkpgdf7h06gscd") - (mozilla-patch "icecat-CVE-2018-12390-pt07.patch" "a511a9242406" "1hhfrvdmkccnhs4skbi06174x37rmvf4ic86xawyyzr67yga73b2") - (mozilla-patch "icecat-bug-1495404.patch" "3232bb3b622f" "1pnaxf8r9h0wldjc4qgl7z3rk34fpz9h1vd3zmhswa6mvyln5jhg") - (mozilla-patch "icecat-bug-1465388.patch" "a9577451dcc2" "0v29s0v3vv9vblkcachhh46qvwjcrmv2bkcdb7sj2asc503l0lqv") - (mozilla-patch "icecat-CVE-2018-12390-pt08.patch" "e965f6f6ed75" "0hh091854xj5j0x1r8pg46xmn00fqi5n212xhzbdpgyf96rsf513") - (mozilla-patch "icecat-bug-1445528.patch" "8a503e022a29" "1y2ll3h0yz8sfdddjmk90qjfxcr1ffhw7a9ww3yw26gyhnbpg404") - (mozilla-patch "icecat-bug-1409570.patch" "8d326641d1c0" "0w29s6dixi7b7q3nicshrp29n9sj5awssdln00yx664m8a8a8ihs") - (mozilla-patch "icecat-bug-1496094.patch" "6cdd6d88eca9" "1ssqa4fy2xpbr63ph3av3hkpl92g4yszx402fq9d2xn9482q43dp") - (mozilla-patch "icecat-CVE-2018-12391.patch" "0fa07c704ca4" "055xdyb3g2l4rj188235i579qnr50v19q36jjpliws9nik129iqy") - (mozilla-patch "icecat-bug-1462162.patch" "739e898cb7c8" "17m9y0pskmqx15dkgkw4k93njph14mpsf37wb1azwkq3xx7s0fhx") - (mozilla-patch "icecat-bug-1492764.patch" "16310ab35452" "1kq5r3w9i4n6q9msmw2qsqa0jd4qw1mjlyyz8aq14fwlbkhvv199") - (mozilla-patch "icecat-CVE-2018-12390-pt09.patch" "9b669d047d55" "063ig49gx9468nvc9w8259j819qfdjvq0sbbz8n4kj5r6hcxjc5l") - (mozilla-patch "icecat-CVE-2018-12390-pt10.patch" "9d51e65c797a" "0m23cq9zl22w80dvx5rlgpbam1l3d6v56h7g9wzamzl21bwxq9fv") - (mozilla-patch "icecat-CVE-2018-12390-pt11.patch" "efc0596dd381" "1alvbb6wvawxxh6isisk9c40vhdiv59fy0af0n10yn1dgy8ffv5i") - (mozilla-patch "icecat-CVE-2018-12393.patch" "c4fb48bb5d28" "09izww9dsg9n8cish8f3y7phxibsnd12bfkcxd7rzcdhg10nr4pl") - (mozilla-patch "icecat-CVE-2018-12390-pt12.patch" "b3359becd7b1" "188byxmbgrvrid2fcz34w5xdvaw571frxx1c6nqaa9k03iljdzjr") - (mozilla-patch "icecat-CVE-2018-12390-pt13.patch" "791c8ecf252d" "02h37594aba0pklxm3g7w1wv8vz9xmcf30fd0az8pfaccsklmx74") - (mozilla-patch "icecat-bug-1494328.patch" "333276fac37c" "0qyq42jl0al63m6pwj9gva7nj82l76szzbj7sklsygx0a9mqs13z") - (mozilla-patch "icecat-CVE-2018-12397.patch" "cb73374a0e4e" "0x2s1nwgwdag9df5hkwzvjj0qznp5c3d6w6y63rn2y287jn9m3vl") - (mozilla-patch "icecat-CVE-2018-12392.patch" "f6bb138ad0ab" "0f0z9dsyw2a11p4p31mdyic571153jpfgy2q04i4v6dmmcz76pm3") - (mozilla-patch "icecat-CVE-2018-12396.patch" "f27145bd5502" "0vznmlm1fbl3ynax2zpi6xxzr9qp9b83afr3mv90jgrhlgpzdbcz") - (mozilla-patch "icecat-CVE-2018-12395-pt1.patch" "133a99a8f3ca" "0im7m4jmc273mg9kih0i70hxsgzy04j6ydm9zmaz2933hkhdf4iw") - (mozilla-patch "icecat-CVE-2018-12395-pt2.patch" "82176a4a9b14" "0g3yqx4854d4mx5a0ghb7p7saj6y5d5bm2lfhabvkwybcd477zmc") - (mozilla-patch "icecat-bug-1474265.patch" "e8abd9a8ce6e" "1q2sv5h081rvnhsx6g1y8a43hwv6hsg0cr6zdcij58mkgzf6hyvd") - (mozilla-patch "icecat-bug-1492737-pt1.patch" "eeb9060379dc" "1d2mf0x4rni7anvi0sgra4dg87fmc6g7zhizzl9jv2x8va27ycbp") - (mozilla-patch "icecat-bug-1492737-pt2.patch" "99eae0d15092" "0f9j6cvhrbrrxa95p4pkcn285r9wmi9yj13nwj5x0gkglwx6idbk") - (mozilla-patch "icecat-CVE-2018-12389-pt1.patch" "23b23e12c548" "0nsdycggki5rhh59yvmh41nf1ahjmgii89fx38jryprhspy3wg62") - (mozilla-patch "icecat-CVE-2018-12390-pt14.patch" "023133ff02ec" "1g22qxnmgiy8bgrn2nv6har6vpz4p2h5pdas8ib1yyz7p2ic8652") - (mozilla-patch "icecat-CVE-2018-12390-pt15.patch" "9461988ff462" "0yq2cr5grqskr0kz4nxcwmnywy9g0xyv6k6q44i490jcj8x2y1vw") - (mozilla-patch "icecat-CVE-2018-12390-pt16.patch" "09939be135d8" "1546xlk368v4hnjd3hf4w868i6m8r4wfd34qxz4wg1cdpr4m5mik") - (mozilla-patch "icecat-CVE-2018-12389-pt2.patch" "ea9412b18ca8" "0fmdncrylbmjh0bcb6dmw1rq7zww8a0v9v9p1pxqfz0vbc6v9l5d"))) + (search-patch "icecat-use-system-media-libs.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2018-12383.patch b/gnu/packages/patches/icecat-CVE-2018-12383.patch deleted file mode 100644 index 17ca0f3773..0000000000 --- a/gnu/packages/patches/icecat-CVE-2018-12383.patch +++ /dev/null @@ -1,103 +0,0 @@ -Based on upstream changeset: - https://hg.mozilla.org/releases/mozilla-esr60/rev/300efdbc9fe1 -but with the git binary patch and related test changes omitted, -and adapted to apply cleanly to GNU IceCat. - -# HG changeset patch -# User David Keeler -# Date 1531860660 25200 -# Node ID 300efdbc9fe1f9165428c7934861033935b5abfa -# Parent 80a4a7ef281374dbb2afda8edac54665b14b9ef8 -Bug 1475775 - Clean up old NSS DB file after upgrade if necessary. r=franziskus, r=mattn, a=RyanVM - -Reviewers: franziskus, mattn - -Bug #: 1475775 - -Differential Revision: https://phabricator.services.mozilla.com/D2202 - -diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp ---- a/security/manager/ssl/nsNSSComponent.cpp -+++ b/security/manager/ssl/nsNSSComponent.cpp -@@ -1935,16 +1935,61 @@ AttemptToRenameBothPKCS11ModuleDBVersion - NS_NAMED_LITERAL_CSTRING(sqlModuleDBFilename, "pkcs11.txt"); - nsresult rv = AttemptToRenamePKCS11ModuleDB(profilePath, - legacyModuleDBFilename); - if (NS_FAILED(rv)) { - return rv; - } - return AttemptToRenamePKCS11ModuleDB(profilePath, sqlModuleDBFilename); - } -+ -+// When we changed from the old dbm database format to the newer sqlite -+// implementation, the upgrade process left behind the existing files. Suppose a -+// user had not set a password for the old key3.db (which is about 99% of -+// users). After upgrading, both the old database and the new database are -+// unprotected. If the user then sets a password for the new database, the old -+// one will not be protected. In this scenario, we should probably just remove -+// the old database (it would only be relevant if the user downgraded to a -+// version of IceCat before 58, but we have to trade this off against the -+// user's old private keys being unexpectedly unprotected after setting a -+// password). -+// This was never an issue on Android because we always used the new -+// implementation. -+static void -+MaybeCleanUpOldNSSFiles(const nsACString& profilePath) -+{ -+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); -+ if (!slot) { -+ return; -+ } -+ // Unfortunately we can't now tell the difference between "there already was a -+ // password when the upgrade happened" and "there was not a password but then -+ // the user added one after upgrading". -+ bool hasPassword = PK11_NeedLogin(slot.get()) && -+ !PK11_NeedUserInit(slot.get()); -+ if (!hasPassword) { -+ return; -+ } -+ nsCOMPtr dbFile = do_CreateInstance("@mozilla.org/file/local;1"); -+ if (!dbFile) { -+ return; -+ } -+ nsresult rv = dbFile->InitWithNativePath(profilePath); -+ if (NS_FAILED(rv)) { -+ return; -+ } -+ NS_NAMED_LITERAL_CSTRING(keyDBFilename, "key3.db"); -+ rv = dbFile->AppendNative(keyDBFilename); -+ if (NS_FAILED(rv)) { -+ return; -+ } -+ // Since this isn't a directory, the `recursive` argument to `Remove` is -+ // irrelevant. -+ Unused << dbFile->Remove(false); -+} - #endif // ifndef ANDROID - - // Given a profile directory, attempt to initialize NSS. If nocertdb is true, - // (or if we don't have a profile directory) simply initialize NSS in no DB mode - // and return. Otherwise, first attempt to initialize in read/write mode, and - // then read-only mode if that fails. If both attempts fail, we may be failing - // to initialize an NSS DB collection that has FIPS mode enabled. Attempt to - // ascertain if this is the case, and if so, rename the offending PKCS#11 module -@@ -1966,16 +2011,19 @@ InitializeNSSWithFallbacks(const nsACStr - - // Try read/write mode. If we're in safeMode, we won't load PKCS#11 modules. - #ifndef ANDROID - PRErrorCode savedPRErrorCode1; - #endif // ifndef ANDROID - SECStatus srv = ::mozilla::psm::InitializeNSS(profilePath, false, !safeMode); - if (srv == SECSuccess) { - MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode")); -+#ifndef ANDROID -+ MaybeCleanUpOldNSSFiles(profilePath); -+#endif // ifndef ANDROID - return NS_OK; - } - #ifndef ANDROID - savedPRErrorCode1 = PR_GetError(); - PRErrorCode savedPRErrorCode2; - #endif // ifndef ANDROID - // That failed. Try read-only mode. - srv = ::mozilla::psm::InitializeNSS(profilePath, true, !safeMode);