configure.ac | 2
download.lst | 4
external/nss/UnpackedTarball_nss.mk | 1
external/nss/nss-android.patch.1 | 6
external/nss/nss-ios.patch | 216 ++++++++++++++-
external/nss/nss-restore-manual-pre-dependencies.patch.1 | 4
external/nss/nss.getopt.patch.0 | 25 -
external/nss/nss_macosx.patch | 14
8 files changed, 210 insertions(+), 62 deletions(-)
New commits:
commit df733806129c54ff25ca8dbf4cc26d51107bee7a
Author: Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Tue Oct 19 15:17:39 2021 +0200
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Sun Jan 2 21:19:33 2022 +0100
nss: upgrade to release 3.73
Fixes:
CVE-2021-43527 Memory corruption via DER-encoded DSA and RSA-PSS signatures
Includes: nss: upgrade to release 3.71
* external/nss/nss.getopt.patch.0: fixed upstream
* external/nss/nss-win-arm64.patch: fixed upstream
* external/nss/nss_macosx.patch: one hunk was fixed upstream
Conflicts:
download.lst
Change-Id: I5c3f169c57fc2763029b07ad7e325b2f53b7e28f
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126218
Tested-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
Reviewed-by: Thorsten Behrens <thorsten.behr...@allotropia.de>
(cherry picked from commit c8e21d246bcb4289cb25c82be440cd07b7418436)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126252
Tested-by: Jenkins
Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
diff --git a/download.lst b/download.lst
index 42c3ad26bfa0..f6a0836c8128 100644
--- a/download.lst
+++ b/download.lst
@@ -191,8 +191,8 @@ export MYTHES_SHA256SUM :=
1e81f395d8c851c3e4e75b568e20fa2fa549354e75ab397f9de4b
export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz
export NEON_SHA256SUM :=
db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d3d967fbca
export NEON_TARBALL := neon-0.30.2.tar.gz
-export NSS_SHA256SUM :=
ec6032d78663c6ef90b4b83eb552dedf721d2bce208cec3bf527b8f637db7e45
-export NSS_TARBALL := nss-3.55-with-nspr-4.27.tar.gz
+export NSS_SHA256SUM :=
07a9e5b70f121a62706140d4cacc3006d3efb869da40f3a2bf7a65d37847f4d9
+export NSS_TARBALL := nss-3.73-with-nspr-4.32.tar.gz
export ODFGEN_SHA256SUM :=
2c7b21892f84a4c67546f84611eccdad6259875c971e98ddb027da66ea0ac9c2
export ODFGEN_VERSION_MICRO := 6
export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.bz2
diff --git a/external/nss/UnpackedTarball_nss.mk
b/external/nss/UnpackedTarball_nss.mk
index dab244c867b8..4f8499e8a835 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -27,7 +27,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
external/nss/nss-bz1646594.patch.1 \
external/nss/macos-dlopen.patch.0 \
external/nss/nss-restore-manual-pre-dependencies.patch.1 \
- external/nss/nss.getopt.patch.0 \
$(if $(filter iOS,$(OS)), \
external/nss/nss-ios.patch) \
$(if $(filter ANDROID,$(OS)), \
diff --git a/external/nss/nss-android.patch.1 b/external/nss/nss-android.patch.1
index b77663c59eb3..7fb10ae522c7 100644
--- a/external/nss/nss-android.patch.1
+++ b/external/nss/nss-android.patch.1
@@ -10,9 +10,9 @@ diff -ur nss.org/nspr/build/autoconf/config.sub
nss/nspr/build/autoconf/config.s
+if test $1 = "i686-pc-linux-android"; then echo $1; exit; fi
+if test $1 = "x86_64-pc-linux-android"; then echo $1; exit; fi
+
- # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
- # Here we must recognize all the valid KERNEL-OS combinations.
- maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+ # Split fields of configuration type
+ # shellcheck disable=SC2162
+ IFS="-" read field1 field2 field3 field4 <<EOF
diff -ur nss.org/nspr/configure nss/nspr/configure
--- nss.org/nspr/configure 2017-09-07 15:29:45.018246359 +0200
+++ nss/nspr/configure 2017-09-07 15:31:47.604075663 +0200
diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch
index 9d4af2c724e9..4263ecbe5f3d 100644
--- a/external/nss/nss-ios.patch
+++ b/external/nss/nss-ios.patch
@@ -1,3 +1,201 @@
+--- a/a/nss/Makefile
++++ a/a/nss/Makefile
+@@ -96,13 +96,11 @@
+ ifdef NS_USE_GCC
+ NSPR_CONFIGURE_ENV = CC=gcc CXX=g++
+ endif
+-# Make sure to remove -arch arguments. NSPR can't handle that.
+-remove_arch = $(filter-out __REMOVEME%,$(subst $(NULL) -arch ,
__REMOVEME,$(1)))
+ ifdef CC
+-NSPR_CONFIGURE_ENV = CC="$(call remove_arch,$(CC))"
++NSPR_CONFIGURE_ENV = CC="$(CC)"
+ endif
+ ifdef CCC
+-NSPR_CONFIGURE_ENV += CXX="$(call remove_arch,$(CCC))"
++NSPR_CONFIGURE_ENV += CXX="$(CCC)"
+ endif
+
+ #
+@@ -140,7 +140,6 @@
+
+ build_nspr: $(NSPR_CONFIG_STATUS)
+ $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+- $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
+
+ install_nspr: build_nspr
+ $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+--- a/a/nss/lib/ckfw/builtins/manifest.mn
++++ a/a/nss/lib/ckfw/builtins/manifest.mn
+@@ -5,7 +5,7 @@
+
+ CORE_DEPTH = ../../..
+
+-DIRS = testlib
++DIRS =
+
+ MODULE = nss
+
+--- a/a/nss/lib/nss/nssinit.c
++++ a/a/nss/lib/nss/nssinit.c
+@@ -278,6 +278,7 @@
+ const char *secmodprefix,
+ char **retoldpath, char **retnewpath)
+ {
++#ifndef NSS_STATIC_PKCS11
+ char *path, *oldpath = NULL, *lastsep;
+ int len, path_len, secmod_len, dll_len;
+
+@@ -309,6 +309,10 @@
+ }
+ *retoldpath = oldpath;
+ *retnewpath = path;
++#else
++ *retoldpath = NULL;
++ *retnewpath = PORT_Strdup("NSSCKBI");
++#endif
+ return;
+ }
+
+--- a/a/nss/lib/pk11wrap/pk11load.c
++++ a/a/nss/lib/pk11wrap/pk11load.c
+@@ -389,6 +389,8 @@
+ /*
+ * load a new module into our address space and initialize it.
+ */
++extern CK_RV NSSCKBI_C_GetFunctionList();
++
+ SECStatus
+ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
+ {
+@@ -465,6 +465,7 @@
+ /* load the library. If this succeeds, then we have to remember to
+ * unload the library if anything goes wrong from here on out...
+ */
++#ifndef NSS_STATIC_PKCS11 // With NSS_STATIC_PKCS11, the only module wodule
we load here is nssckbi
+ library = PR_LoadLibrary(mod->dllName);
+ mod->library = (void *)library;
+
+@@ -487,6 +487,11 @@
+ mod->moduleDBFunc = (void *)
+ PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
+ }
++#else
++ if (strcmp(mod->dllName, "NSSCKBI") == 0)
++ fentry = NSSCKBI_C_GetFunctionList;
++#endif
++
+ if (mod->moduleDBFunc == NULL)
+ mod->isModuleDB = PR_FALSE;
+ if ((ientry == NULL) && (fentry == NULL)) {
+@@ -624,10 +624,12 @@
+ }
+ fail:
+ mod->functionList = NULL;
++#ifndef NSS_STATIC_PKCS11
+ disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+ if (library && !disableUnload) {
+ PR_UnloadLibrary(library);
+ }
++#endif
+ return SECFailure;
+ }
+
+--- a/a/nss/lib/ckfw/nssck.api
++++ a/a/nss/lib/ckfw/nssck.api
+@@ -1842,7 +1842,11 @@
+
+ /* This one is always present */
+ CK_RV CK_ENTRY
++#ifndef NSS_STATIC_PKCS11
+ C_GetFunctionList
++#else
++NSSCKBI_C_GetFunctionList
++#endif
+ (
+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+ )
+--- a/a/nss/lib/freebl/loader.c
++++ a/a/nss/lib/freebl/loader.c
+@@ -35,6 +35,7 @@
+ static PRStatus
+ freebl_LoadDSO(void)
+ {
++#ifndef NSS_STATIC_FREEBL
+ PRLibrary *handle;
+ const char *name = getLibName();
+
+@@ -47,32 +47,42 @@
+ if (handle) {
+ PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
+ if (address) {
+- FREEBLGetVectorFn *getVector = (FREEBLGetVectorFn *)address;
++#else
++ FREEBLGetVectorFn *getVector = FREEBL_GetVector;
++#endif
+ const FREEBLVector *dsoVector = getVector();
+ if (dsoVector) {
+ unsigned short dsoVersion = dsoVector->version;
+ unsigned short myVersion = FREEBL_VERSION;
+ if (MSB(dsoVersion) == MSB(myVersion) &&
+ LSB(dsoVersion) >= LSB(myVersion) &&
+ dsoVector->length >= sizeof(FREEBLVector)) {
+ vector = dsoVector;
++#ifndef NSS_STATIC_FREEBL
+ libraryName = name;
+ blLib = handle;
++#else
++ libraryName = "self";
++#endif
+ return PR_SUCCESS;
+ }
+ }
++ else
++ return PR_FAILURE;
++#ifndef NSS_STATIC_FREEBL
+ }
+ #ifdef DEBUG
+ if (blLib) {
+ PRStatus status = PR_UnloadLibrary(blLib);
+ PORT_Assert(PR_SUCCESS == status);
+ }
+ #else
+ if (blLib)
+ PR_UnloadLibrary(blLib);
+ #endif
+ }
+ return PR_FAILURE;
++#endif
+ }
+
+ static const PRCallOnceType pristineCallOnce;
+@@ -837,6 +837,7 @@
+ void
+ BL_Unload(void)
+ {
++#ifndef NSS_STATIC_FREEBL
+ /* This function is not thread-safe, but doesn't need to be, because it is
+ * only called from functions that are also defined as not thread-safe,
+ * namely C_Finalize in softoken, and the SSL bypass shutdown callback
called
+@@ -852,6 +852,7 @@
+ PR_UnloadLibrary(blLib);
+ #endif
+ }
++#endif
+ blLib = NULL;
+ loadFreeBLOnce = pristineCallOnce;
+ }
+--- a/a/nspr/build/autoconf/config.sub 2017-09-07 15:29:45.031246453 +0200
++++ a/a/nspr/build/autoconf/config.sub 2017-09-07 15:32:13.087235423 +0200
+@@ -111,6 +111,9 @@
+ exit 1;;
+ esac
+
++if test $1 = "arm64-apple-darwin"; then echo $1; exit; fi
++if test $1 = "aarch64-apple-darwin"; then echo $1; exit; fi
++
+ # Split fields of configuration type
+ # shellcheck disable=SC2162
+ IFS="-" read field1 field2 field3 field4 <<EOF
--- a/a/nspr/config/autoconf.mk.in
+++ a/a/nspr/config/autoconf.mk.in
@@ -67,7 +67,7 @@
@@ -62,7 +260,7 @@
MKSHLIB += -exported_symbols_list $(MAPFILE)
--- a/a/nss/coreconf/UNIX.mk
+++ a/a/nss/coreconf/UNIX.mk
-@@ -21,10 +21,14 @@
+@@ -19,10 +19,14 @@
ifdef BUILD_TREE
NSINSTALL_DIR = $(BUILD_TREE)/nss
@@ -76,7 +274,7 @@
+endif
endif
- MKDEPEND_DIR = $(CORE_DEPTH)/coreconf/mkdepend
+ ####################################################################
--- a/a/nspr/pr/include/md/_darwin.h
+++ a/a/nspr/pr/include/md/_darwin.h
@@ -26,6 +26,8 @@
@@ -88,24 +286,14 @@
#elif defined(__aarch64__)
#define _PR_SI_ARCHITECTURE "aarch64"
#else
---- a/a/nspr/pr/src/Makefile.in
-+++ a/a/nspr/pr/src/Makefile.in
-@@ -180,7 +180,7 @@
- endif
-
- ifeq ($(OS_TARGET),MacOSX)
--OS_LIBS = -framework CoreServices -framework CoreFoundation
-+OS_LIBS = -framework CoreFoundation
- endif
-
- EXTRA_LIBS += $(OS_LIBS)
--- a/a/nss/cmd/shlibsign/sign.sh
+++ a/a/nss/cmd/shlibsign/sign.sh
-@@ -2,6 +2,8 @@
+@@ -2,6 +2,9 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
++# Pointless to sign anything for iOS as we don't build any real shared
libraries
+exit 0
# arguments:
diff --git a/external/nss/nss-restore-manual-pre-dependencies.patch.1
b/external/nss/nss-restore-manual-pre-dependencies.patch.1
index ebcc5b48c540..06691b1ec957 100644
--- a/external/nss/nss-restore-manual-pre-dependencies.patch.1
+++ b/external/nss/nss-restore-manual-pre-dependencies.patch.1
@@ -79,5 +79,5 @@ summary: Bug 1637083 Replace pre-dependency with shell
hack r=rrelyea
+ $(MAKE) -C lib/base libs
+ IGNORE_DIRS=1 $(MAKE) -C lib/ckfw/builtins libs
- all: prepare_build
- $(MAKE) libs
+ lib: coreconf
+ cmd: lib
diff --git a/external/nss/nss.getopt.patch.0 b/external/nss/nss.getopt.patch.0
deleted file mode 100644
index aeabb33f9b97..000000000000
--- a/external/nss/nss.getopt.patch.0
+++ /dev/null
@@ -1,25 +0,0 @@
-# pr/tests/sel_spd.c:427:20: error: implicit declaration of function 'getopt'
is invalid in C99 [-Werror,-Wimplicit-function-declaration]
---- nspr/pr/tests/sel_spd.c
-+++ nspr/pr/tests/sel_spd.c
-@@ -15,6 +15,9 @@
- #include <stdio.h>
- #include <errno.h>
- #include <string.h>
-+
-+extern char *optarg;
-+int getopt(int argc, char *const argv[], const char *optstring);
-
- #ifdef DEBUG
- #define PORT_INC_DO +100
---- nspr/pr/tests/testfile.c
-+++ nspr/pr/tests/testfile.c
-@@ -23,6 +23,9 @@
- #include <getopt.h>
- #include <errno.h>
- #endif /* XP_OS2 */
-+
-+extern char *optarg;
-+int getopt(int argc, char *const argv[], const char *optstring);
-
- static int _debug_on = 0;
-
diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch
index 07b60a5ed00d..1e7599be6133 100644
--- a/external/nss/nss_macosx.patch
+++ b/external/nss/nss_macosx.patch
@@ -88,17 +88,3 @@ diff -ru a/nss/Makefile b/nss/Makefile
ifdef USE_DEBUG_RTL
NSPR_CONFIGURE_OPTS += --enable-debug-rtl
endif
---- a/a/nspr/pr/include/md/_darwin.h
-+++ b/b/nspr/pr/include/md/_darwin.h
-@@ -40,11 +40,7 @@
-
- #undef HAVE_STACK_GROWING_UP
- #define HAVE_DLL
--#if defined(__x86_64__) || TARGET_OS_IPHONE
- #define USE_DLFCN
--#else
--#define USE_MACH_DYLD
--#endif
- #define _PR_HAVE_SOCKADDR_LEN
- #define _PR_STAT_HAS_ST_ATIMESPEC
- #define _PR_HAVE_LARGE_OFF_T
commit f18b9277af617049a51f59b069df28121de11e27
Author: Andras Timar <andras.ti...@collabora.com>
AuthorDate: Tue Nov 16 09:36:47 2021 +0100
Commit: Andras Timar <andras.ti...@collabora.com>
CommitDate: Tue Nov 16 09:36:47 2021 +0100
Bump version to 7.0.7.0.M8
Change-Id: I590e7570e2b5ea189cd6507e67940c98a22a6e96
diff --git a/configure.ac b/configure.ac
index 36e39a8c5109..5ce98203def7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9,7 +9,7 @@ dnl in order to create a configure script.
# several non-alphanumeric characters, those are split off and used only for
the
# ABOUTBOXPRODUCTVERSIONSUFFIX in openoffice.lst. Why that is necessary, no
idea.
-AC_INIT([LibreOffice],[7.0.7.0.M7],[],[],[http://documentfoundation.org/])
+AC_INIT([LibreOffice],[7.0.7.0.M8],[],[],[http://documentfoundation.org/])
dnl libnumbertext needs autoconf 2.68, but that can pick up autoconf268 just
fine if it is installed
dnl whereas aclocal (as run by autogen.sh) insists on using autoconf and fails
hard
