unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].
@ 2017-04-20 22:29 Mark H Weaver
  2017-04-21 17:59 ` Mark H Weaver
  0 siblings, 1 reply; 5+ messages in thread
From: Mark H Weaver @ 2017-04-20 22:29 UTC (permalink / raw)
  To: guix-devel


[-- Attachment #1.1: Type: text/plain, Size: 166 bytes --]

These patches update nss to 3.30.2 and disable long b64 tests which fail
on some systems including armhf.  I'll push them soon after some light
testing.

     Mark



[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: [PATCH 1/2] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461] --]
[-- Type: text/x-patch, Size: 1302 bytes --]

From c1ba9c385a23ede10cb5e79c24f66dbb86c1f6fe Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 20 Apr 2017 14:55:31 -0400
Subject: [PATCH 1/2] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461].

* gnu/packages/gnuzilla.scm (nss): Update to 3.30.2.
---
 gnu/packages/gnuzilla.scm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 87695329c..59f790a6e 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -194,7 +194,7 @@ in the Mozilla clients.")
 (define-public nss
   (package
     (name "nss")
-    (version "3.30")
+    (version "3.30.2")
     (source (origin
               (method url-fetch)
               (uri (let ((version-with-underscores
@@ -205,7 +205,7 @@ in the Mozilla clients.")
                       "nss-" version ".tar.gz")))
               (sha256
                (base32
-                "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58"))
+                "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-pkgconfig.patch"
                                        "nss-increase-test-timeout.patch"))))
-- 
2.12.2


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.3: [PATCH 2/2] gnu: nss: Disable long b64 tests --]
[-- Type: text/x-patch, Size: 3598 bytes --]

From e07aa7534aa97617ce15fa07c244dc6f901af92f Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 20 Apr 2017 17:42:52 -0400
Subject: [PATCH 2/2] gnu: nss: Disable long b64 tests.

Suggested by Marius Bakke <mbakke@fastmail.com> in
<https://lists.gnu.org/archive/html/guix-devel/2017-04/msg00440.html>.

* gnu/packages/patches/nss-disable-long-b64-tests.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (nss)[source]: Add patch.
---
 gnu/local.mk                                       |  1 +
 gnu/packages/gnuzilla.scm                          |  1 +
 .../patches/nss-disable-long-b64-tests.patch       | 34 ++++++++++++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 gnu/packages/patches/nss-disable-long-b64-tests.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index ec27e8765..ed3683f19 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -814,6 +814,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/ngircd-handle-zombies.patch		\
   %D%/packages/patches/ninja-zero-mtime.patch			\
   %D%/packages/patches/node-9077.patch				\
+  %D%/packages/patches/nss-disable-long-b64-tests.patch		\
   %D%/packages/patches/nss-increase-test-timeout.patch		\
   %D%/packages/patches/nss-pkgconfig.patch			\
   %D%/packages/patches/ntfs-3g-CVE-2017-0358.patch		\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 59f790a6e..fd058d022 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -208,6 +208,7 @@ in the Mozilla clients.")
                 "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd"))
               ;; Create nss.pc and nss-config.
               (patches (search-patches "nss-pkgconfig.patch"
+                                       "nss-disable-long-b64-tests.patch"
                                        "nss-increase-test-timeout.patch"))))
     (build-system gnu-build-system)
     (outputs '("out" "bin"))
diff --git a/gnu/packages/patches/nss-disable-long-b64-tests.patch b/gnu/packages/patches/nss-disable-long-b64-tests.patch
new file mode 100644
index 000000000..612d94128
--- /dev/null
+++ b/gnu/packages/patches/nss-disable-long-b64-tests.patch
@@ -0,0 +1,34 @@
+Disable long b64 tests, which consistently fail on armhf.
+This is based on an excerpt of the following upstream patch:
+
+  https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7
+
+(we exclude the part of the upstream patch that reverts
+an earlier failed attempt, and adapt the file names)
+
+diff --git a/gtests/util_gtest/util_b64_unittest.cc b/gtests/util_gtest/util_b64_unittest.cc
+--- a/nss/gtests/util_gtest/util_b64_unittest.cc
++++ b/nss/gtests/util_gtest/util_b64_unittest.cc
+@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest) 
+ 
+ TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100)); }
+ 
+ TEST_F(B64EncodeDecodeTest, FakeEncDecTest) {
+   EXPECT_TRUE(TestFakeEncode(100));
+ }
+ 
+ // These takes a while ...
+-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) {
+   EXPECT_TRUE(TestFakeDecode(0x66666666));
+ }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3fffffff); }
+-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) {
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) {
++  TestFakeEncode(0x3fffffff);
++}
++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) {
+   EXPECT_FALSE(TestFakeEncode(0x40000000));
+ }
+ 
+ }  // namespace nss_test
-- 
2.12.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply related	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2017-04-23  9:40 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-04-20 22:29 [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461] Mark H Weaver
2017-04-21 17:59 ` Mark H Weaver
2017-04-22  7:40   ` Marius Bakke
2017-04-22 19:51     ` Mark H Weaver
2017-04-23  9:40       ` Marius Bakke

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).