From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: [PATCHES] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461]. Date: Thu, 20 Apr 2017 18:29:26 -0400 Message-ID: <87y3uun261.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:46887) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1d1Kac-0004yE-To for guix-devel@gnu.org; Thu, 20 Apr 2017 18:30:16 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1d1KaZ-0008Sz-Np for guix-devel@gnu.org; Thu, 20 Apr 2017 18:30:14 -0400 Received: from world.peace.net ([50.252.239.5]:50952) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1d1KaZ-0008Sr-Ij for guix-devel@gnu.org; Thu, 20 Apr 2017 18:30:11 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: guix-devel@gnu.org --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain These patches update nss to 3.30.2 and disable long b64 tests which fail on some systems including armhf. I'll push them soon after some light testing. Mark --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-nss-Update-to-3.30.2-fixes-CVE-2017-5461.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 1/2] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461] From=20c1ba9c385a23ede10cb5e79c24f66dbb86c1f6fe Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 20 Apr 2017 14:55:31 -0400 Subject: [PATCH 1/2] gnu: nss: Update to 3.30.2 [fixes CVE-2017-5461]. * gnu/packages/gnuzilla.scm (nss): Update to 3.30.2. =2D-- gnu/packages/gnuzilla.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 87695329c..59f790a6e 100644 =2D-- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -194,7 +194,7 @@ in the Mozilla clients.") (define-public nss (package (name "nss") =2D (version "3.30") + (version "3.30.2") (source (origin (method url-fetch) (uri (let ((version-with-underscores @@ -205,7 +205,7 @@ in the Mozilla clients.") "nss-" version ".tar.gz"))) (sha256 (base32 =2D "1agkkwb51si4raw46p44vl3d0l7wzvdjcblpcdjjz6aymq6h1h58")) + "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-pkgconfig.patch" "nss-increase-test-timeout.patch"))= )) =2D-=20 2.12.2 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-gnu-nss-Disable-long-b64-tests.patch Content-Transfer-Encoding: quoted-printable Content-Description: [PATCH 2/2] gnu: nss: Disable long b64 tests From=20e07aa7534aa97617ce15fa07c244dc6f901af92f Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 20 Apr 2017 17:42:52 -0400 Subject: [PATCH 2/2] gnu: nss: Disable long b64 tests. Suggested by Marius Bakke in . * gnu/packages/patches/nss-disable-long-b64-tests.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/gnuzilla.scm (nss)[source]: Add patch. =2D-- gnu/local.mk | 1 + gnu/packages/gnuzilla.scm | 1 + .../patches/nss-disable-long-b64-tests.patch | 34 ++++++++++++++++++= ++++ 3 files changed, 36 insertions(+) create mode 100644 gnu/packages/patches/nss-disable-long-b64-tests.patch diff --git a/gnu/local.mk b/gnu/local.mk index ec27e8765..ed3683f19 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -814,6 +814,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/ngircd-handle-zombies.patch \ %D%/packages/patches/ninja-zero-mtime.patch \ %D%/packages/patches/node-9077.patch \ + %D%/packages/patches/nss-disable-long-b64-tests.patch \ %D%/packages/patches/nss-increase-test-timeout.patch \ %D%/packages/patches/nss-pkgconfig.patch \ %D%/packages/patches/ntfs-3g-CVE-2017-0358.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 59f790a6e..fd058d022 100644 =2D-- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -208,6 +208,7 @@ in the Mozilla clients.") "096frzvyp3z257x84rxknscfgsbavzh2a0gyibx7kvmw4vzpfjhd")) ;; Create nss.pc and nss-config. (patches (search-patches "nss-pkgconfig.patch" + "nss-disable-long-b64-tests.patch" "nss-increase-test-timeout.patch"))= )) (build-system gnu-build-system) (outputs '("out" "bin")) diff --git a/gnu/packages/patches/nss-disable-long-b64-tests.patch b/gnu/pa= ckages/patches/nss-disable-long-b64-tests.patch new file mode 100644 index 000000000..612d94128 =2D-- /dev/null +++ b/gnu/packages/patches/nss-disable-long-b64-tests.patch @@ -0,0 +1,34 @@ +Disable long b64 tests, which consistently fail on armhf. +This is based on an excerpt of the following upstream patch: + + https://hg.mozilla.org/projects/nss/rev/00b2cc2b33c7 + +(we exclude the part of the upstream patch that reverts +an earlier failed attempt, and adapt the file names) + +diff --git a/gtests/util_gtest/util_b64_unittest.cc b/gtests/util_gtest/ut= il_b64_unittest.cc +--- a/nss/gtests/util_gtest/util_b64_unittest.cc ++++ b/nss/gtests/util_gtest/util_b64_unittest.cc +@@ -63,17 +63,19 @@ TEST_F(B64EncodeDecodeTest, EncDecTest)=20 +=20 + TEST_F(B64EncodeDecodeTest, FakeDecTest) { EXPECT_TRUE(TestFakeDecode(100= )); } +=20 + TEST_F(B64EncodeDecodeTest, FakeEncDecTest) { + EXPECT_TRUE(TestFakeEncode(100)); + } +=20 + // These takes a while ... +-TEST_F(B64EncodeDecodeTest, LongFakeDecTest1) { ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeDecTest1) { + EXPECT_TRUE(TestFakeDecode(0x66666666)); + } +-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest1) { TestFakeEncode(0x3ffff= fff); } +-TEST_F(B64EncodeDecodeTest, LongFakeEncDecTest2) { ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest1) { ++ TestFakeEncode(0x3fffffff); ++} ++TEST_F(B64EncodeDecodeTest, DISABLED_LongFakeEncDecTest2) { + EXPECT_FALSE(TestFakeEncode(0x40000000)); + } +=20 + } // namespace nss_test =2D-=20 2.12.2 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEE2RkJZc4DGZ6vKLO+fO8phHVixRYFAlj5NlYACgkQfO8phHVi xRYB+Q//acC7Y68eJisk8odJQC/HQc+OcjRM0Lr8qYfel+oiI/gxwYENL+HNFo2r 6zC16eVCK0cty92Edztts3C9DJ6eSUaAmEgn77iRHv0HcoPN7PcO8crgf5A+fnKA SmEnLJ0tjhZAotodrYmi4nYgAxTcFpS9/PJQH2tZtZ3MMMxb307jroJq2OAT0Zdv v8lnPWqoZm88u+iCQI1INJkm1YQEn0x7LRsrIQBiIyObZ03seM7/3hhRPZhipm6/ OduwpCpo6fJKcidIsQti7/E/xz5VwzCPw7nZJOcJx7wkCgeZQAq4sSi25v51BD/J yXQO1kj+5fcr3y17nfPMmRc7HV6coAKzN2ll/zdTmJrUjqjDtyQ+JdQUt0iIxAT1 3Yir/wV+24PRH9VoFm1Gi3Vk82nIK37RXCLTAtADtauEcA8/UNrmfrSeJ/Hv8wQR 3/5dadAjlNE+mu9jsSOZwMlrwRrWKx4xRncnUcDB9jyxspENQ9P4QnR94MZ7qh0w Am8QJBSZs4oAuJ1Pt/lo8CyGcGIgzLWg5MJfNGHdu1bYTOn44ppey0FJ3+fWaq4Y U60BR1I3XQHlkR0g9/Lgm/q8zU0Wwik/YON7IBfLYvW7p9pPPRuWYobBD3UqF7RR bRkbIL3HEr34s05FbIv3EJd1oCD8HfPTHW5XYmQbooEdLi1Ogjs= =qKo7 -----END PGP SIGNATURE----- --==-=-=--