gnu: icecat: Add fixes from upstream mozilla-esr60 [security fixes].
Includes fixes for CVE-2018-12383 and CVE-2018-12385. * gnu/packages/patches/icecat-CVE-2018-12383.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/patches/icecat-avoid-bundled-libraries.patch: Adapt to apply cleanly to IceCat 60. * gnu/packages/gnuzilla.scm (mozilla-patch): Update to fetch from mozilla-esr60. (icecat): Add selected changesets from upstream mozilla-esr60.
This commit is contained in:
parent
91294b5361
commit
ae71cd8ac9
4 changed files with 119 additions and 13 deletions
|
@ -810,6 +810,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
|
||||
%D%/packages/patches/hydra-disable-darcs-test.patch \
|
||||
%D%/packages/patches/icecat-avoid-bundled-libraries.patch \
|
||||
%D%/packages/patches/icecat-CVE-2018-12383.patch \
|
||||
%D%/packages/patches/icecat-use-system-graphite2.patch \
|
||||
%D%/packages/patches/icecat-use-system-harfbuzz.patch \
|
||||
%D%/packages/patches/icedtea-6-hotspot-gcc-segfault-workaround.patch \
|
||||
|
|
|
@ -469,10 +469,10 @@ (define-public nss
|
|||
(license license:mpl2.0)))
|
||||
|
||||
(define (mozilla-patch file-name changeset hash)
|
||||
"Return an origin for CHANGESET from the mozilla-esr52 repository."
|
||||
"Return an origin for CHANGESET from the mozilla-esr60 repository."
|
||||
(origin
|
||||
(method url-fetch)
|
||||
(uri (string-append "https://hg.mozilla.org/releases/mozilla-esr52/raw-rev/"
|
||||
(uri (string-append "https://hg.mozilla.org/releases/mozilla-esr60/raw-rev/"
|
||||
changeset))
|
||||
(sha256 (base32 hash))
|
||||
(file-name file-name)))
|
||||
|
@ -498,7 +498,9 @@ (define-public icecat
|
|||
(search-patch "icecat-avoid-bundled-libraries.patch")
|
||||
;; FIXME (search-patch "icecat-use-system-harfbuzz.patch")
|
||||
;; FIXME (search-patch "icecat-use-system-graphite2.patch")
|
||||
))
|
||||
(mozilla-patch "icecat-CVE-2018-12385.patch" "80a4a7ef2813" "1vgcbimpnfjqj934v0cryq1g13xac3wfmd4jyhcb5s60x8xyssf5")
|
||||
(search-patch "icecat-CVE-2018-12383.patch")
|
||||
(mozilla-patch "icecat-bug-1489744.patch" "6546ee839d30" "11mhvj77r789b428bfxqq5wdx8yr7lbrdjzr8qjj6fw197pldn51")))
|
||||
(modules '((guix build utils)))
|
||||
(snippet
|
||||
'(begin
|
||||
|
|
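Review bot: The new `(mozilla-patch "icecat-bug-1489744.patch" "6546ee839d30" ...)` entry carries no comment saying what it fixes, while the commit message names only CVE-2018-12383 and CVE-2018-12385, so a reader cannot tell whether that changeset is one of the listed CVE fixes or an additional backport. A one-line comment above it, such as `;; Backport of mozilla-esr60 changeset 6546ee839d30 (bug 1489744).`, would tie the entry to its rationale the way the file name already ties the first entry to CVE-2018-12385. The `icecat` package definition this hunk edits continues outside the hunk.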
103
gnu/packages/patches/icecat-CVE-2018-12383.patch
Normal file
|
@ -0,0 +1,103 @@
|
|||
Based on upstream changeset:
|
||||
https://hg.mozilla.org/releases/mozilla-esr60/rev/300efdbc9fe1
|
||||
but with the git binary patch and related test changes omitted,
|
||||
and adapted to apply cleanly to GNU IceCat.
|
||||
|
||||
# HG changeset patch
|
||||
# User David Keeler <dkeeler@mozilla.com>
|
||||
# Date 1531860660 25200
|
||||
# Node ID 300efdbc9fe1f9165428c7934861033935b5abfa
|
||||
# Parent 80a4a7ef281374dbb2afda8edac54665b14b9ef8
|
||||
Bug 1475775 - Clean up old NSS DB file after upgrade if necessary. r=franziskus, r=mattn, a=RyanVM
|
||||
|
||||
Reviewers: franziskus, mattn
|
||||
|
||||
Bug #: 1475775
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D2202
|
||||
|
||||
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
|
||||
--- a/security/manager/ssl/nsNSSComponent.cpp
|
||||
+++ b/security/manager/ssl/nsNSSComponent.cpp
|
||||
@@ -1935,16 +1935,61 @@ AttemptToRenameBothPKCS11ModuleDBVersion
|
||||
NS_NAMED_LITERAL_CSTRING(sqlModuleDBFilename, "pkcs11.txt");
|
||||
nsresult rv = AttemptToRenamePKCS11ModuleDB(profilePath,
|
||||
legacyModuleDBFilename);
|
||||
if (NS_FAILED(rv)) {
|
||||
return rv;
|
||||
}
|
||||
return AttemptToRenamePKCS11ModuleDB(profilePath, sqlModuleDBFilename);
|
||||
}
|
||||
+
|
||||
+// When we changed from the old dbm database format to the newer sqlite
|
||||
+// implementation, the upgrade process left behind the existing files. Suppose a
|
||||
+// user had not set a password for the old key3.db (which is about 99% of
|
||||
+// users). After upgrading, both the old database and the new database are
|
||||
+// unprotected. If the user then sets a password for the new database, the old
|
||||
+// one will not be protected. In this scenario, we should probably just remove
|
||||
+// the old database (it would only be relevant if the user downgraded to a
|
||||
+// version of IceCat before 58, but we have to trade this off against the
|
||||
+// user's old private keys being unexpectedly unprotected after setting a
|
||||
+// password).
|
||||
+// This was never an issue on Android because we always used the new
|
||||
+// implementation.
|
||||
+static void
|
||||
+MaybeCleanUpOldNSSFiles(const nsACString& profilePath)
|
||||
+{
|
||||
+ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot());
|
||||
+ if (!slot) {
|
||||
+ return;
|
||||
+ }
|
||||
+ // Unfortunately we can't now tell the difference between "there already was a
|
||||
+ // password when the upgrade happened" and "there was not a password but then
|
||||
+ // the user added one after upgrading".
|
||||
+ bool hasPassword = PK11_NeedLogin(slot.get()) &&
|
||||
+ !PK11_NeedUserInit(slot.get());
|
||||
+ if (!hasPassword) {
|
||||
+ return;
|
||||
+ }
|
||||
+ nsCOMPtr<nsIFile> dbFile = do_CreateInstance("@mozilla.org/file/local;1");
|
||||
+ if (!dbFile) {
|
||||
+ return;
|
||||
+ }
|
||||
+ nsresult rv = dbFile->InitWithNativePath(profilePath);
|
||||
+ if (NS_FAILED(rv)) {
|
||||
+ return;
|
||||
+ }
|
||||
+ NS_NAMED_LITERAL_CSTRING(keyDBFilename, "key3.db");
|
||||
+ rv = dbFile->AppendNative(keyDBFilename);
|
||||
+ if (NS_FAILED(rv)) {
|
||||
+ return;
|
||||
+ }
|
||||
+ // Since this isn't a directory, the `recursive` argument to `Remove` is
|
||||
+ // irrelevant.
|
||||
+ Unused << dbFile->Remove(false);
|
||||
+}
|
||||
#endif // ifndef ANDROID
|
||||
|
||||
// Given a profile directory, attempt to initialize NSS. If nocertdb is true,
|
||||
// (or if we don't have a profile directory) simply initialize NSS in no DB mode
|
||||
// and return. Otherwise, first attempt to initialize in read/write mode, and
|
||||
// then read-only mode if that fails. If both attempts fail, we may be failing
|
||||
// to initialize an NSS DB collection that has FIPS mode enabled. Attempt to
|
||||
// ascertain if this is the case, and if so, rename the offending PKCS#11 module
|
||||
@@ -1966,16 +2011,19 @@ InitializeNSSWithFallbacks(const nsACStr
|
||||
|
||||
// Try read/write mode. If we're in safeMode, we won't load PKCS#11 modules.
|
||||
#ifndef ANDROID
|
||||
PRErrorCode savedPRErrorCode1;
|
||||
#endif // ifndef ANDROID
|
||||
SECStatus srv = ::mozilla::psm::InitializeNSS(profilePath, false, !safeMode);
|
||||
if (srv == SECSuccess) {
|
||||
MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode"));
|
||||
+#ifndef ANDROID
|
||||
+ MaybeCleanUpOldNSSFiles(profilePath);
|
||||
+#endif // ifndef ANDROID
|
||||
return NS_OK;
|
||||
}
|
||||
#ifndef ANDROID
|
||||
savedPRErrorCode1 = PR_GetError();
|
||||
PRErrorCode savedPRErrorCode2;
|
||||
#endif // ifndef ANDROID
|
||||
// That failed. Try read-only mode.
|
||||
srv = ::mozilla::psm::InitializeNSS(profilePath, true, !safeMode);
|
|
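Review bot: In the added `MaybeCleanUpOldNSSFiles`, the result of `dbFile->Remove(false)` is discarded via `Unused <<`, so when the stale, still-unprotected `key3.db` cannot be deleted (permissions, file in use) nothing records that the condition this fix exists to remove is still present on disk. The function sits next to code that already logs through `MOZ_LOG(gPIPNSSLog, ...)` in `InitializeNSSWithFallbacks`, so keeping the best-effort behaviour while logging a failed removal is a small change: `if (NS_FAILED(dbFile->Remove(false))) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("failed to remove old key3.db")); }`. The three earlier early returns in the same function also exit silently, so the same log call would help there. The patch header states that the upstream test changes were omitted, so presumably this cleanup path is not exercised by IceCat's own tests; the `#ifndef ANDROID` region containing the function starts outside the first inner hunk.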
@ -1,8 +1,8 @@
|
|||
Fixes needed when avoiding bundled libraries.
|
||||
|
||||
--- icecat-52.0.2/xpcom/build/moz.build.orig
|
||||
+++ icecat-52.0.2/xpcom/build/moz.build
|
||||
@@ -93,10 +93,5 @@
|
||||
--- icecat-60.2.0/xpcom/build/moz.build.orig 2018-09-13 17:46:49.000000000 -0400
|
||||
+++ icecat-60.2.0/xpcom/build/moz.build 2018-09-22 04:26:50.659564554 -0400
|
||||
@@ -99,10 +99,5 @@
|
||||
'/docshell/base',
|
||||
]
|
||||
|
||||
|
@ -13,9 +13,9 @@ Fixes needed when avoiding bundled libraries.
|
|||
-
|
||||
if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
|
||||
CXXFLAGS += CONFIG['TK_CFLAGS']
|
||||
--- icecat-52.0.2/storage/moz.build.orig
|
||||
+++ icecat-52.0.2/storage/moz.build
|
||||
@@ -114,7 +114,6 @@
|
||||
--- icecat-60.2.0/storage/moz.build.orig 2018-09-13 17:51:11.000000000 -0400
|
||||
+++ icecat-60.2.0/storage/moz.build 2018-09-22 04:26:50.659564554 -0400
|
||||
@@ -117,7 +117,6 @@
|
||||
DEFINES['MOZ_MEMORY_TEMP_STORE_PRAGMA'] = True
|
||||
|
||||
LOCAL_INCLUDES += [
|
||||
|
@ -23,13 +23,13 @@ Fixes needed when avoiding bundled libraries.
|
|||
'/dom/base',
|
||||
]
|
||||
|
||||
--- icecat-52.0.2/dom/indexedDB/moz.build.orig
|
||||
+++ icecat-52.0.2/dom/indexedDB/moz.build
|
||||
@@ -101,7 +101,6 @@
|
||||
--- icecat-60.2.0/dom/indexedDB/moz.build.orig 2018-09-13 17:49:42.000000000 -0400
|
||||
+++ icecat-60.2.0/dom/indexedDB/moz.build 2018-09-22 04:26:50.663564574 -0400
|
||||
@@ -102,7 +102,6 @@
|
||||
CXXFLAGS += ['-Wno-error=shadow']
|
||||
|
||||
LOCAL_INCLUDES += [
|
||||
- '/db/sqlite3/src',
|
||||
'/dom/base',
|
||||
'/dom/storage',
|
||||
'/dom/workers',
|
||||
'/ipc/glue',
|
||||
|
|