From ae71cd8ac93245360ffe73d6ab260975ec0d742f Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 22 Sep 2018 04:47:54 -0400 Subject: gnu: icecat: Add fixes from upstream mozilla-esr60 [security fixes]. Includes fixes for CVE-2018-12383 and CVE-2018-12385. * gnu/packages/patches/icecat-CVE-2018-12383.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/patches/icecat-avoid-bundled-libraries.patch: Adapt to apply cleanly to IceCat 60. * gnu/packages/gnuzilla.scm (mozilla-patch): Update to fetch from mozilla-esr60. (icecat): Add selected changesets from upstream mozilla-esr60. --- gnu/local.mk | 1 + gnu/packages/gnuzilla.scm | 8 +- gnu/packages/patches/icecat-CVE-2018-12383.patch | 103 +++++++++++++++++++++ .../patches/icecat-avoid-bundled-libraries.patch | 20 ++-- 4 files changed, 119 insertions(+), 13 deletions(-) create mode 100644 gnu/packages/patches/icecat-CVE-2018-12383.patch diff --git a/gnu/local.mk b/gnu/local.mk index daf96ea4b6..fe2b573dd5 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -810,6 +810,7 @@ dist_patch_DATA = \ %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \ %D%/packages/patches/hydra-disable-darcs-test.patch \ %D%/packages/patches/icecat-avoid-bundled-libraries.patch \ + %D%/packages/patches/icecat-CVE-2018-12383.patch \ %D%/packages/patches/icecat-use-system-graphite2.patch \ %D%/packages/patches/icecat-use-system-harfbuzz.patch \ %D%/packages/patches/icedtea-6-hotspot-gcc-segfault-workaround.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index db8f85cfb1..653cee93d5 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -469,10 +469,10 @@ security standards.") (license license:mpl2.0))) (define (mozilla-patch file-name changeset hash) - "Return an origin for CHANGESET from the mozilla-esr52 repository." + "Return an origin for CHANGESET from the mozilla-esr60 repository." (origin (method url-fetch) - (uri (string-append "https://hg.mozilla.org/releases/mozilla-esr52/raw-rev/" + (uri (string-append "https://hg.mozilla.org/releases/mozilla-esr60/raw-rev/" changeset)) (sha256 (base32 hash)) (file-name file-name))) @@ -498,7 +498,9 @@ security standards.") (search-patch "icecat-avoid-bundled-libraries.patch") ;; FIXME (search-patch "icecat-use-system-harfbuzz.patch") ;; FIXME (search-patch "icecat-use-system-graphite2.patch") - )) + (mozilla-patch "icecat-CVE-2018-12385.patch" "80a4a7ef2813" "1vgcbimpnfjqj934v0cryq1g13xac3wfmd4jyhcb5s60x8xyssf5") + (search-patch "icecat-CVE-2018-12383.patch") + (mozilla-patch "icecat-bug-1489744.patch" "6546ee839d30" "11mhvj77r789b428bfxqq5wdx8yr7lbrdjzr8qjj6fw197pldn51"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2018-12383.patch b/gnu/packages/patches/icecat-CVE-2018-12383.patch new file mode 100644 index 0000000000..17ca0f3773 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2018-12383.patch @@ -0,0 +1,103 @@ +Based on upstream changeset: + https://hg.mozilla.org/releases/mozilla-esr60/rev/300efdbc9fe1 +but with the git binary patch and related test changes omitted, +and adapted to apply cleanly to GNU IceCat. + +# HG changeset patch +# User David Keeler +# Date 1531860660 25200 +# Node ID 300efdbc9fe1f9165428c7934861033935b5abfa +# Parent 80a4a7ef281374dbb2afda8edac54665b14b9ef8 +Bug 1475775 - Clean up old NSS DB file after upgrade if necessary. r=franziskus, r=mattn, a=RyanVM + +Reviewers: franziskus, mattn + +Bug #: 1475775 + +Differential Revision: https://phabricator.services.mozilla.com/D2202 + +diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp +--- a/security/manager/ssl/nsNSSComponent.cpp ++++ b/security/manager/ssl/nsNSSComponent.cpp +@@ -1935,16 +1935,61 @@ AttemptToRenameBothPKCS11ModuleDBVersion + NS_NAMED_LITERAL_CSTRING(sqlModuleDBFilename, "pkcs11.txt"); + nsresult rv = AttemptToRenamePKCS11ModuleDB(profilePath, + legacyModuleDBFilename); + if (NS_FAILED(rv)) { + return rv; + } + return AttemptToRenamePKCS11ModuleDB(profilePath, sqlModuleDBFilename); + } ++ ++// When we changed from the old dbm database format to the newer sqlite ++// implementation, the upgrade process left behind the existing files. Suppose a ++// user had not set a password for the old key3.db (which is about 99% of ++// users). After upgrading, both the old database and the new database are ++// unprotected. If the user then sets a password for the new database, the old ++// one will not be protected. In this scenario, we should probably just remove ++// the old database (it would only be relevant if the user downgraded to a ++// version of IceCat before 58, but we have to trade this off against the ++// user's old private keys being unexpectedly unprotected after setting a ++// password). ++// This was never an issue on Android because we always used the new ++// implementation. ++static void ++MaybeCleanUpOldNSSFiles(const nsACString& profilePath) ++{ ++ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); ++ if (!slot) { ++ return; ++ } ++ // Unfortunately we can't now tell the difference between "there already was a ++ // password when the upgrade happened" and "there was not a password but then ++ // the user added one after upgrading". ++ bool hasPassword = PK11_NeedLogin(slot.get()) && ++ !PK11_NeedUserInit(slot.get()); ++ if (!hasPassword) { ++ return; ++ } ++ nsCOMPtr dbFile = do_CreateInstance("@mozilla.org/file/local;1"); ++ if (!dbFile) { ++ return; ++ } ++ nsresult rv = dbFile->InitWithNativePath(profilePath); ++ if (NS_FAILED(rv)) { ++ return; ++ } ++ NS_NAMED_LITERAL_CSTRING(keyDBFilename, "key3.db"); ++ rv = dbFile->AppendNative(keyDBFilename); ++ if (NS_FAILED(rv)) { ++ return; ++ } ++ // Since this isn't a directory, the `recursive` argument to `Remove` is ++ // irrelevant. ++ Unused << dbFile->Remove(false); ++} + #endif // ifndef ANDROID + + // Given a profile directory, attempt to initialize NSS. If nocertdb is true, + // (or if we don't have a profile directory) simply initialize NSS in no DB mode + // and return. Otherwise, first attempt to initialize in read/write mode, and + // then read-only mode if that fails. If both attempts fail, we may be failing + // to initialize an NSS DB collection that has FIPS mode enabled. Attempt to + // ascertain if this is the case, and if so, rename the offending PKCS#11 module +@@ -1966,16 +2011,19 @@ InitializeNSSWithFallbacks(const nsACStr + + // Try read/write mode. If we're in safeMode, we won't load PKCS#11 modules. + #ifndef ANDROID + PRErrorCode savedPRErrorCode1; + #endif // ifndef ANDROID + SECStatus srv = ::mozilla::psm::InitializeNSS(profilePath, false, !safeMode); + if (srv == SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode")); ++#ifndef ANDROID ++ MaybeCleanUpOldNSSFiles(profilePath); ++#endif // ifndef ANDROID + return NS_OK; + } + #ifndef ANDROID + savedPRErrorCode1 = PR_GetError(); + PRErrorCode savedPRErrorCode2; + #endif // ifndef ANDROID + // That failed. Try read-only mode. + srv = ::mozilla::psm::InitializeNSS(profilePath, true, !safeMode); diff --git a/gnu/packages/patches/icecat-avoid-bundled-libraries.patch b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch index 114631517a..b5e9fb887e 100644 --- a/gnu/packages/patches/icecat-avoid-bundled-libraries.patch +++ b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch @@ -1,8 +1,8 @@ Fixes needed when avoiding bundled libraries. ---- icecat-52.0.2/xpcom/build/moz.build.orig -+++ icecat-52.0.2/xpcom/build/moz.build -@@ -93,10 +93,5 @@ +--- icecat-60.2.0/xpcom/build/moz.build.orig 2018-09-13 17:46:49.000000000 -0400 ++++ icecat-60.2.0/xpcom/build/moz.build 2018-09-22 04:26:50.659564554 -0400 +@@ -99,10 +99,5 @@ '/docshell/base', ] @@ -13,9 +13,9 @@ Fixes needed when avoiding bundled libraries. - if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa': CXXFLAGS += CONFIG['TK_CFLAGS'] ---- icecat-52.0.2/storage/moz.build.orig -+++ icecat-52.0.2/storage/moz.build -@@ -114,7 +114,6 @@ +--- icecat-60.2.0/storage/moz.build.orig 2018-09-13 17:51:11.000000000 -0400 ++++ icecat-60.2.0/storage/moz.build 2018-09-22 04:26:50.659564554 -0400 +@@ -117,7 +117,6 @@ DEFINES['MOZ_MEMORY_TEMP_STORE_PRAGMA'] = True LOCAL_INCLUDES += [ @@ -23,13 +23,13 @@ Fixes needed when avoiding bundled libraries. '/dom/base', ] ---- icecat-52.0.2/dom/indexedDB/moz.build.orig -+++ icecat-52.0.2/dom/indexedDB/moz.build -@@ -101,7 +101,6 @@ +--- icecat-60.2.0/dom/indexedDB/moz.build.orig 2018-09-13 17:49:42.000000000 -0400 ++++ icecat-60.2.0/dom/indexedDB/moz.build 2018-09-22 04:26:50.663564574 -0400 +@@ -102,7 +102,6 @@ CXXFLAGS += ['-Wno-error=shadow'] LOCAL_INCLUDES += [ - '/db/sqlite3/src', '/dom/base', '/dom/storage', - '/dom/workers', + '/ipc/glue', -- cgit v1.2.3