projects / buildroot.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 449a71f)
libnss: security bump to version 3.16.1
authorGustavo Zacarias <gustavo@zacarias.com.ar>
Wed, 18 Jun 2014 14:46:20 +0000 (11:46 -0300)
committerPeter Korsgaard <peter@korsgaard.com>
Wed, 18 Jun 2014 21:58:25 +0000 (23:58 +0200)
Fixes:

CVE-2014-1492 - The cert_TestHostName function in lib/certdb/certdb.c in
the certificate-checking implementation in Mozilla Network Security
Services (NSS) before 3.16 accepts a wildcard character that is embedded
in an internationalized domain name's U-label, which might allow
man-in-the-middle attackers to spoof SSL servers via a crafted
certificate.

CVE-2014-1491 - Mozilla Network Security Services (NSS) before 3.15.4,
as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3,
Thunderbird before 24.3, SeaMonkey before 2.24, and other products, does
not properly restrict public values in Diffie-Hellman key exchanges,
which makes it easier for remote attackers to bypass cryptographic
protection mechanisms in ticket handling by leveraging use of a certain
value.

CVE-2014-1490 - Race condition in libssl in Mozilla Network Security
Services (NSS) before 3.15.4, as used in Mozilla Firefox before 27.0,
Firefox ESR 24.x before 24.3, Thunderbird before 24.3, SeaMonkey before
2.24, and other products, allows remote attackers to cause a denial of
service (use-after-free) or possibly have unspecified other impact via
vectors involving a resumption handshake that triggers incorrect
replacement of a session ticket.

CVE-2013-1740 - The ssl_Do1stHandshake function in sslsecur.c in libssl
in Mozilla Network Security Services (NSS) before 3.15.4, when the TLS
False Start feature is enabled, allows man-in-the-middle attackers to
spoof SSL servers by using an arbitrary X.509 certificate during certain
handshake traffic.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
package/libnss/libnss-0001-cross-compile.patch [new file with mode: 0644] patch | blob
package/libnss/libnss-0002-uclibc.patch [new file with mode: 0644] patch | blob
package/libnss/libnss-cross.patch [deleted file] patch | blob | history
package/libnss/libnss-uclibc.patch [deleted file] patch | blob | history
package/libnss/libnss.mk patch | blob | history

diff --git a/package/libnss/libnss-0001-cross-compile.patch b/package/libnss/libnss-0001-cross-compile.patch
new file mode 100644 (file)
index 0000000..3259116
--- /dev/null
+++ b/package/libnss/libnss-0001-cross-compile.patch
@@ -0,0 +1,28 @@
+This patch allows us to set a value for the cross compiler via TARGETCC without
+setting CC on the command line. CC is used for host tools as well as cross
+compiled code so we cannot define it on the command line without breaking
+the host tools build.
+
+[Gustavo: update for nss 3.16.1]
+Signed-off-by: Will Newton <will.newton@imgtec.com>
+
+diff -Nura nss-3.16.1.orig/nss/coreconf/Linux.mk nss-3.16.1/nss/coreconf/Linux.mk
+--- nss-3.16.1.orig/nss/coreconf/Linux.mk      2014-06-18 10:34:30.503996123 -0300
++++ nss-3.16.1/nss/coreconf/Linux.mk   2014-06-18 10:35:02.233068390 -0300
+@@ -16,9 +16,13 @@
+       IMPL_STRATEGY = _PTH
+ endif
+-CC                    = gcc
+-CCC                   = g++
+-RANLIB                        = ranlib
++TARGETCC              = gcc
++TARGETCCC             = g++
++TARGETRANLIB          = ranlib
++
++CC                    = $(TARGETCC)
++CCC                   = $(TARGETCCC)
++RANLIB                        = $(TARGETRANLIB)
+ DEFAULT_COMPILER = gcc
diff --git a/package/libnss/libnss-0002-uclibc.patch b/package/libnss/libnss-0002-uclibc.patch
new file mode 100644 (file)
index 0000000..b81db93
--- /dev/null
+++ b/package/libnss/libnss-0002-uclibc.patch
@@ -0,0 +1,20 @@
+uCLibc does not define RTLD_NOLOAD.
+
+[Gustavo: update for nss 3.16.1]
+Signed-off-by: Will Newton <will.newton@imgtec.com>
+
+diff -Nura nss-3.16.1.orig/nss/lib/freebl/stubs.c nss-3.16.1/nss/lib/freebl/stubs.c
+--- nss-3.16.1.orig/nss/lib/freebl/stubs.c     2014-06-18 10:34:30.529997002 -0300
++++ nss-3.16.1/nss/lib/freebl/stubs.c  2014-06-18 10:36:25.508882650 -0300
+@@ -594,6 +594,11 @@
+     return SECSuccess;
+ }
++/* uClibc does not define RTLD_NOLOAD. */
++#ifndef RTLD_NOLOAD
++#define RTLD_NOLOAD 0
++#endif
++
+ /*
+  * fetch the library if it's loaded. For NSS it should already be loaded
+  */
diff --git a/package/libnss/libnss-cross.patch b/package/libnss/libnss-cross.patch
deleted file mode 100644 (file)
index 8a5cd10..0000000
--- a/package/libnss/libnss-cross.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-
-This patch allows us to set a value for the cross compiler via TARGETCC without
-setting CC on the command line. CC is used for host tools as well as cross
-compiled code so we cannot define it on the command line without breaking
-the host tools build.
-
-Signed-off-by: Will Newton <will.newton@imgtec.com>
-
---- libnss-3.12.9.old/mozilla/security/coreconf/Linux.mk       2011-03-01 10:31:21.517847183 +0000
-+++ libnss-3.12.9/mozilla/security/coreconf/Linux.mk   2011-03-01 10:33:42.688648237 +0000
-@@ -46,9 +46,13 @@
-       IMPL_STRATEGY = _PTH
- endif
--CC                    = gcc
--CCC                   = g++
--RANLIB                        = ranlib
-+TARGETCC              = gcc
-+TARGETCCC             = g++
-+TARGETRANLIB          = ranlib
-+
-+CC                    = $(TARGETCC)
-+CCC                   = $(TARGETCCC)
-+RANLIB                        = $(TARGETRANLIB)
- DEFAULT_COMPILER = gcc
diff --git a/package/libnss/libnss-uclibc.patch b/package/libnss/libnss-uclibc.patch
deleted file mode 100644 (file)
index 17e8080..0000000
--- a/package/libnss/libnss-uclibc.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-
-uCLibc does not define RTLD_NOLOAD.
-
-Signed-off-by: Will Newton <will.newton@imgtec.com>
-
---- nss-3.12.9.old/mozilla/security/nss/lib/freebl/stubs.c     2011-07-08 13:32:54.964338355 +0100
-+++ nss-3.12.9/mozilla/security/nss/lib/freebl/stubs.c 2011-07-08 13:33:57.255337490 +0100
-@@ -535,6 +535,11 @@
-     return SECSuccess;
- }
-+/* uClibc does not define RTLD_NOLOAD. */
-+#ifndef RTLD_NOLOAD
-+#define RTLD_NOLOAD 0
-+#endif
-+
- /*
-  * fetch the library if it's loaded. For NSS it should already be loaded
-  */
diff --git a/package/libnss/libnss.mk b/package/libnss/libnss.mk
index dcbf8bbb739f508d404c2ac34af295af57390dcd..47b78df72cea551b2442da6b3c189523e78aa8b6 100644 (file)
--- a/package/libnss/libnss.mk
+++ b/package/libnss/libnss.mk
@@ -4,15 +4,14 @@
 #
 ################################################################################
 
-LIBNSS_VERSION = 3.14.5
+LIBNSS_VERSION = 3.16.1
 LIBNSS_SOURCE = nss-$(LIBNSS_VERSION).tar.gz
 LIBNSS_SITE = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_$(subst .,_,$(LIBNSS_VERSION))_RTM/src
-LIBNSS_SUBDIR = mozilla/security
-LIBNSS_DISTDIR = mozilla/dist
+LIBNSS_DISTDIR = dist
 LIBNSS_INSTALL_STAGING = YES
 LIBNSS_DEPENDENCIES = libnspr sqlite zlib
 LIBNSS_LICENSE = MPLv2.0
-LIBNSS_LICENSE_FILES = mozilla/security/nss/COPYING
+LIBNSS_LICENSE_FILES = nss/COPYING
 
 LIBNSS_BUILD_VARS = MOZILLA_CLIENT=1 \
                NSPR_INCLUDE_DIR=$(STAGING_DIR)/usr/include/nspr \
@@ -39,12 +38,12 @@ endif
 
 
 define LIBNSS_BUILD_CMDS
-       $(MAKE1) -C $(@D)/$(LIBNSS_SUBDIR)/nss build_coreconf \
+       $(MAKE1) -C $(@D)/nss coreconf \
                        SOURCE_MD_DIR=$(@D)/$(LIBNSS_DISTDIR) \
                        DIST=$(@D)/$(LIBNSS_DISTDIR) \
                        CHECKLOC= \
                        $(LIBNSS_BUILD_VARS)
-       $(MAKE1) -C $(@D)/$(LIBNSS_SUBDIR)/nss build_dbm all \
+       $(MAKE1) -C $(@D)/nss lib/dbm all \
                        SOURCE_MD_DIR=$(@D)/$(LIBNSS_DISTDIR) \
                        DIST=$(@D)/$(LIBNSS_DISTDIR) \
                        CHECKLOC= \