download.lst                                    |    8 ++--
 external/expat/0001-Fix-compiler-warnings.patch |   47 ++++++++++++++++++++++++
 external/expat/UnpackedTarball_expat.mk         |    3 +
 external/nss/README                             |   26 +++++--------
 4 files changed, 65 insertions(+), 19 deletions(-)

New commits:
commit d7ee61c6b976992ceeaef7a57616ed7968fa13be
Author:     Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Fri Feb 9 03:42:30 2024 +0100
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Feb 16 17:16:14 2024 +0100

    Expat: upgrade to release 2.6.0
    
    Fixes CVE-2023-52425 and CVE-2023-52426.
    
    Change-Id: Id135bbaea893a83129bdbee44948c09322a64c07
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163146
    Tested-by: Jenkins
    Reviewed-by: Taichi Haradaguchi <20001...@ymail.ne.jp>
    (cherry picked from commit b7e4078033b064bfc3847db0916a4df389117817)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163393
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
    (cherry picked from commit 0ba4dfa1000a9177f1ea855ec4ffaddf7fc44c19)

diff --git a/download.lst b/download.lst
index ba1d0bbaf6a8..4f76904b1b35 100644
--- a/download.lst
+++ b/download.lst
@@ -102,8 +102,8 @@ ETONYEK_TARBALL := 
libetonyek-0.1.$(ETONYEK_VERSION_MICRO).tar.xz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-EXPAT_SHA256SUM := 
ef2420f0232c087801abf705e89ae65f6257df6b7931d37846a193ef2e8cdcbe
-EXPAT_TARBALL := expat-2.5.0.tar.xz
+EXPAT_SHA256SUM := 
cb5f5a8ea211e1cabd59be0a933a52e3c02cc326e86a4d387d8d218e7ee47a3e
+EXPAT_TARBALL := expat-2.6.0.tar.xz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/external/expat/0001-Fix-compiler-warnings.patch 
b/external/expat/0001-Fix-compiler-warnings.patch
new file mode 100644
index 000000000000..adec5ed0d9be
--- /dev/null
+++ b/external/expat/0001-Fix-compiler-warnings.patch
@@ -0,0 +1,47 @@
+From 3f60a47cb5716bb810789a12ef6024c1dc448164 Mon Sep 17 00:00:00 2001
+From: Taichi Haradaguchi <20001...@ymail.ne.jp>
+Date: Fri, 9 Feb 2024 19:28:35 +0900
+Subject: [PATCH] Fix compiler warnings
+
+> In file included from ./../lib/internal.h:149,
+>                  from codepage.c:38:
+> ./../lib/expat.h:1045:5: warning: "XML_GE" is not defined, evaluates to 0 
[-Wundef]
+>  1045 | #if XML_GE == 1
+>       |     ^~~~~~
+> ./../lib/internal.h:158:5: warning: "XML_GE" is not defined, evaluates to 0 
[-Wundef]
+>   158 | #if XML_GE == 1
+>       |     ^~~~~~
+---
+ expat/lib/expat.h    | 2 +-
+ expat/lib/internal.h | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/expat/lib/expat.h b/expat/lib/expat.h
+index 95464b0d..79bbfb61 100644
+--- a/expat/lib/expat.h
++++ b/expat/lib/expat.h
+@@ -1042,7 +1042,7 @@ typedef struct {
+ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+ 
+-#if XML_GE == 1
++#if defined(XML_GE) && XML_GE == 1
+ /* Added in Expat 2.4.0 for XML_DTD defined and
+  * added in Expat 2.6.0 for XML_GE == 1. */
+ XMLPARSEAPI(XML_Bool)
+diff --git a/expat/lib/internal.h b/expat/lib/internal.h
+index cce71e4c..208c6b67 100644
+--- a/expat/lib/internal.h
++++ b/expat/lib/internal.h
+@@ -155,7 +155,7 @@ extern "C" {
+ void _INTERNAL_trim_to_complete_utf8_characters(const char *from,
+                                                 const char **fromLimRef);
+ 
+-#if XML_GE == 1
++#if defined(XML_GE) && XML_GE == 1
+ unsigned long long testingAccountingGetCountBytesDirect(XML_Parser parser);
+ unsigned long long testingAccountingGetCountBytesIndirect(XML_Parser parser);
+ const char *unsignedCharToPrintable(unsigned char c);
+-- 
+2.43.1
+
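Review bot: The `defined(XML_GE) &&` guard added in expat.h and internal.h silences -Wundef but keeps the old outcome, so any translation unit that includes these headers without XML_GE defined still silently loses the declarations behind the guard. The quoted warnings show that at least one unit (codepage.c) was compiled that way. Since the commit message credits this upgrade with fixing CVE-2023-52426, and that protection appears to be tied to general-entity support being compiled in, it is worth confirming that the bundled library build defines `XML_GE` to 1 through its config header or build flags; that is not visible in this diff. I would add one sentence to the patch description saying where XML_GE is expected to be defined for the bundled build, e.g. `XML_GE is set by <config header or gbuild define>; headers included without it only lose the guarded declarations.`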
diff --git a/external/expat/UnpackedTarball_expat.mk 
b/external/expat/UnpackedTarball_expat.mk
index 5d4f41f6d147..465105f2ca8c 100644
--- a/external/expat/UnpackedTarball_expat.mk
+++ b/external/expat/UnpackedTarball_expat.mk
@@ -13,7 +13,10 @@ $(eval $(call 
gb_UnpackedTarball_set_tarball,expat,$(EXPAT_TARBALL)))
 
 $(eval $(call gb_UnpackedTarball_update_autoconf_configs,expat,conftools))
 
+# * external/expat/0001-Fix-compiler-warnings.patch was sent to upstream as
+#   <https://github.com/libexpat/libexpat/pull/819> "Fix compiler warnings":
 $(eval $(call gb_UnpackedTarball_add_patches,expat,\
+       external/expat/0001-Fix-compiler-warnings.patch \
        external/expat/expat-winapi.patch \
 ))
 
commit 1089221d76dfffb4731aa6c7e31eb3b41da0351a
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Fri Feb 16 10:34:54 2024 +0100
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Feb 16 16:44:56 2024 +0100

    nss: upgrade to release 3.98
    
    Fixes CVE-2023-5388
    
    Also update README, and remove obsolete documentation of Debian's
    mangled SONAME; relevant Debian changelog:
    
      nss (2:3.13.4-2) unstable; urgency=low
    
      * debian/control, debian/libnss3*, debian/rules,
        mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn:
        Move to unversioned library. ABI compatibility is ensured upstream, and
        the SO version, if it needed a change at any time, would be a change in
        the library name. There is no reason to keep making compatibility more
        difficult with other distros and upstream binary releases. While 
previous
        versions were one-way compatible (binaries built against other distros 
or
        upstream nspr could work on Debian), this approach works both ways.
    
      -- Mike Hommey <gland...@debian.org>  Thu, 17 May 2012 09:45:36 +0200
    
    Change-Id: Ifc1eae68827fa88ae001a3903c8555af67b488ac
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163494
    Tested-by: Jenkins
    Reviewed-by: Christian Lohmaier <lohmaier+libreoff...@googlemail.com>
    (cherry picked from commit cd94b0af38d712fa6eb0e0f43ce13ac6e72535d9)

diff --git a/download.lst b/download.lst
index 3852df3e209e..ba1d0bbaf6a8 100644
--- a/download.lst
+++ b/download.lst
@@ -414,8 +414,8 @@ NEON_TARBALL := neon-0.30.2.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-NSS_SHA256SUM := 
a7a920d295998563b33d9e06c1a36b799201493d81b64537fab42f2a733411ce
-NSS_TARBALL := nss-3.97-with-nspr-4.35.tar.gz
+NSS_SHA256SUM := 
59bb55a59b02e4004fc26ad0aa1a13fe8d73c6c90c447dd2f2efb73fb81083ed
+NSS_TARBALL := nss-3.98-with-nspr-4.35.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/external/nss/README b/external/nss/README
index 6997cea6ca06..09931f64ea20 100644
--- a/external/nss/README
+++ b/external/nss/README
@@ -1,5 +1,16 @@
 Contains the Network Security Services (NSS) libraries from Mozilla
 
+== ESR versions ==
+
+Upstream releases both regular and "ESR" versions, the latter go into Firefox
+ESR and Thunderbird.
+
+There is a new ESR version about once a year, and a ESR version gets micro
+updates only when there are security issues to fix, and it's not always obvious
+from the release notes of a regular release if there are security issues that
+are relevant to LibreOffice, hence it's probably best to bundle only the ESR
+versions and upgrade for every micro release (as recommended by upstream).
+
 == Fips 140 and signed libraries ==
 
 Fips 140 mode is not supported. That is, the *.chk files containing the
@@ -20,18 +31,3 @@ With all supported macOS SDK we use
 NSS_USE_SYSTEM_SQLITE=1
 to build using the system sqlite.
 
-== system NSS on Linux ==
-
-Note that different Linux distributions use different SONAMEs for the
-NSS libraries, so it is not possible to use --with-system-nss and build
-a portable generic LO installation set, despite NSS upstream apparently
-maintaining ABI compatibility.
-
-Debian Squeeze:
-0x000000000000000e (SONAME)             Library soname: [libnss3.so.1d]
-Fedora 20:
-0x000000000000000e (SONAME)             Library soname: [libnss3.so]
-
-For the record, the LSB specified SONAME is libnss3.so
-http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libnss3.html
-
commit 4cff2bb28f997bc91c054a2cb7ce684c456362ad
Author:     Andras Timar <andras.ti...@collabora.com>
AuthorDate: Wed Feb 14 22:18:30 2024 +0100
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Feb 16 16:44:51 2024 +0100

    nss: upgrade to release 3.97
    
    Change-Id: If0eaf6a93f57239d81491c635922745bf3f38fd5
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163410
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
    (cherry picked from commit f25b7efba56757b085f7a836f57d9c2fc8fd14b8)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163408
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
    (cherry picked from commit 85c6a7a4944efa5b91e25a35860997e254d35f4c)

diff --git a/download.lst b/download.lst
index b0e8892bc26f..3852df3e209e 100644
--- a/download.lst
+++ b/download.lst
@@ -414,8 +414,8 @@ NEON_TARBALL := neon-0.30.2.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-NSS_SHA256SUM := 
f78ab1d911cae8bbc94758fb3bd0f731df4087423a4ff5db271ba65381f6b739
-NSS_TARBALL := nss-3.90-with-nspr-4.35.tar.gz
+NSS_SHA256SUM := 
a7a920d295998563b33d9e06c1a36b799201493d81b64537fab42f2a733411ce
+NSS_TARBALL := nss-3.97-with-nspr-4.35.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
commit f80a562b8e8defadc54cd75800d6062101f60a6d
Author:     Taichi Haradaguchi <20001...@ymail.ne.jp>
AuthorDate: Thu Jun 15 07:09:06 2023 +0900
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Feb 16 16:44:45 2024 +0100

    nss: upgrade to release 3.90
    
    Change-Id: Ic446f33abd5355886b8c8c181a088c07ea4605c1
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153096
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    (cherry picked from commit 3f6bb9565d4edce563dbd938c655ae853926d362)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/153083
    Reviewed-by: Xisco Fauli <xiscofa...@libreoffice.org>
    (cherry picked from commit ead11155b611a355d0f4bfa91454b345a0cd15e0)

diff --git a/download.lst b/download.lst
index 1874fbbf3846..b0e8892bc26f 100644
--- a/download.lst
+++ b/download.lst
@@ -414,8 +414,8 @@ NEON_TARBALL := neon-0.30.2.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-NSS_SHA256SUM := 
fcfa26d2738ec5b0cf72ab4be784eac832a75132cda2e295799c04d62a93607a
-NSS_TARBALL := nss-3.88.1-with-nspr-4.35.tar.gz
+NSS_SHA256SUM := 
f78ab1d911cae8bbc94758fb3bd0f731df4087423a4ff5db271ba65381f6b739
+NSS_TARBALL := nss-3.90-with-nspr-4.35.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
