gnu: nss: Graft with version 3.98 [security fixes].

This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743.

* gnu/packages/nss.scm (nss) [replacement]: New field.
(nss-3.98): Rename variable to...
(nss/fixed): ... this.  Make it a hidden package.
* gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with
nss/fixed.

Change-Id: I8cc667c53a270dfe00738bf731923f1342036624

2 files changed, 38 insertions, 35 deletions

diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 87b76c661f..1717bad0b5 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -581,7 +581,7 @@ StartupWMClass=Navigator"))
                   mesa
                   mit-krb5
                   nspr
-                  nss-3.98
+                  nss/fixed
                   pango
                   pciutils
                   pipewire
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index a2843be17a..8f6ed06e63 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -110,6 +110,7 @@ in the Mozilla clients.")
     ;; version and source to avoid a top-level variable reference & module
     ;; cycle.
     (version "3.88.1")
+    (replacement nss/fixed)
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -248,38 +249,40 @@ PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
 security standards.")
     (license license:mpl2.0)))
 
-(define-public nss-3.98
-  (package
-    (inherit nss)
-    (version "3.98")
-    (source (origin
-              (inherit (package-source nss))
-              (uri (let ((version-with-underscores
-                          (string-join (string-split version #\.) "_")))
-                     (string-append
-                      "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
-                      "releases/NSS_" version-with-underscores "_RTM/src/"
-                      "nss-" version ".tar.gz")))
-              (sha256
-               (base32
-                "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
-    (arguments
-     (substitute-keyword-arguments (package-arguments nss)
-       ((#:phases phases)
-        #~(modify-phases #$phases
-            (replace 'check
-              (lambda* (#:key tests? #:allow-other-keys)
-                (if tests?
-                    (begin
-                      ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
-                      ;; testing.  The latter requires a working DNS or /etc/hosts.
-                      (setenv "DOMSUF" "localdomain")
-                      (setenv "USE_IP" "TRUE")
-                      (setenv "IP_ADDRESS" "127.0.0.1")
+(define-public nss/fixed
+  (let ((actual-version "3.98"))
+    (hidden-package
+     (package
+       (inherit nss)
+       (version (string-append actual-version ".0")) ;for grafts requirements
+       (source (origin
+                 (inherit (package-source nss))
+                 (uri (let ((version-with-underscores
+                             (string-join (string-split actual-version #\.) "_")))
+                        (string-append
+                         "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+                         "releases/NSS_" version-with-underscores "_RTM/src/"
+                         "nss-" actual-version ".tar.gz")))
+                 (sha256
+                  (base32
+                   "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
+       (arguments
+        (substitute-keyword-arguments (package-arguments nss)
+          ((#:phases phases)
+           #~(modify-phases #$phases
+               (replace 'check
+                 (lambda* (#:key tests? #:allow-other-keys)
+                   (if tests?
+                       (begin
+                         ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+                         ;; testing.  The latter requires a working DNS or /etc/hosts.
+                         (setenv "DOMSUF" "localdomain")
+                         (setenv "USE_IP" "TRUE")
+                         (setenv "IP_ADDRESS" "127.0.0.1")
 
-                      ;; The "PayPalEE.cert" certificate expires every six months,
-                      ;; leading to test failures:
-                      ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
-                      ;; work around that, set the time to roughly the release date.
-                      (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
-                    (format #t "test suite not run~%"))))))))))
+                         ;; The "PayPalEE.cert" certificate expires every six months,
+                         ;; leading to test failures:
+                         ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>.  To
+                         ;; work around that, set the time to roughly the release date.
+                         (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
+                       (format #t "test suite not run~%"))))))))))))