a6238c3fba
Fixes CVE-2019-11745. Remove nss.fix-freebl-add-lcc-support.patch.1, fixed upstream. Change-Id: I72e35c90fabb0a83f547a787dbaee774e35f9c08 Reviewed-on: https://gerrit.libreoffice.org/83673 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@cib.de>
155 lines
5.9 KiB
Diff
155 lines
5.9 KiB
Diff
--- a/a/nspr/configure 2017-08-29 23:44:13.686045013 +0530
|
|
+++ b/b/nspr/configure 2017-08-29 23:46:53.774768655 +0530
|
|
@@ -7034,7 +7034,7 @@
|
|
PR_MD_CSRCS=linux.c
|
|
MKSHLIB='$(CC) $(DSO_LDOPTS) -o $@'
|
|
DSO_CFLAGS=-fPIC
|
|
- DSO_LDOPTS='-shared -Wl,-soname -Wl,$(notdir $@)'
|
|
+ DSO_LDOPTS='-shared -Wl,-soname -Wl,$(notdir $@) $(if $(filter-out $(OS),ANDROID),-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\$$ORIGIN)'
|
|
_OPTIMIZE_FLAGS=-O2
|
|
_DEBUG_FLAGS="-g -fno-inline" # most people on linux use gcc/gdb, and that
|
|
# combo is not yet good at debugging inlined
|
|
--- a/nss.orig/nspr/pr/src/misc/prnetdb.c 2017-08-29 23:44:13.690045031 +0530
|
|
+++ b/nss/nspr/pr/src/misc/prnetdb.c 2017-08-29 23:47:03.810814019 +0530
|
|
@@ -438,7 +438,7 @@
|
|
char *buf = *bufp;
|
|
PRIntn buflen = *buflenp;
|
|
|
|
- if (align && ((long)buf & (align - 1))) {
|
|
+ if (align && ((ptrdiff_t)buf & (align - 1))) {
|
|
PRIntn skip = align - ((ptrdiff_t)buf & (align - 1));
|
|
if (buflen < skip) {
|
|
return 0;
|
|
--- a/a/nss/cmd/platlibs.mk 2017-08-29 23:44:13.554044416 +0530
|
|
+++ b/b/nss/cmd/platlibs.mk 2017-08-29 23:46:09.638569150 +0530
|
|
@@ -10,17 +10,22 @@
|
|
|
|
ifeq ($(OS_ARCH), SunOS)
|
|
ifeq ($(USE_64), 1)
|
|
-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
|
|
+#In OOo we would probable put the executables next to libs
|
|
+EXTRA_SHARED_LIBS += -R '$$ORIGIN'
|
|
else
|
|
-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
|
|
+EXTRA_SHARED_LIBS += -R '$$ORIGIN'
|
|
endif
|
|
endif
|
|
|
|
+ifeq ($(OS_ARCH), FreeBSD)
|
|
+EXTRA_SHARED_LIBS += -Wl,-z,origin -Wl,-rpath,'$$ORIGIN'
|
|
+endif
|
|
+
|
|
ifeq ($(OS_ARCH), Linux)
|
|
ifeq ($(USE_64), 1)
|
|
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
|
|
+EXTRA_SHARED_LIBS += -Wl,-z,origin -Wl,-rpath,'$$ORIGIN'
|
|
else
|
|
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
|
|
+EXTRA_SHARED_LIBS += -Wl,-z,origin -Wl,-rpath,'$$ORIGIN'
|
|
endif
|
|
endif
|
|
|
|
--- a/nss.org/nss/coreconf/arch.mk 2017-08-29 23:44:13.646044832 +0530
|
|
+++ b/nss/nss/coreconf/arch.mk 2017-08-29 23:45:51.494487134 +0530
|
|
@@ -305,11 +305,17 @@
|
|
OBJDIR_NAME_COMPILER = $(COMPILER_TAG)
|
|
endif
|
|
OBJDIR_NAME_BASE = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(OBJDIR_NAME_COMPILER)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG)
|
|
-OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
|
|
+# OBJDIR_NAME is used to build the directory containing the built objects, for
|
|
+# example mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ
|
|
+# We need to deliver the contents of that folder into instdir. To make that
|
|
+# easier in the makefile we rename this directory to "out".
|
|
+#OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
|
|
+OBJDIR_NAME = out
|
|
|
|
|
|
ifeq (,$(filter-out WIN%,$(OS_TARGET)))
|
|
-ifndef BUILD_OPT
|
|
+ifdef THIS_HAS_BEEN_DISABLED_TO_GET_out
|
|
+
|
|
#
|
|
# Define USE_DEBUG_RTL if you want to use the debug runtime library
|
|
# (RTL) in the debug build
|
|
--- a/nss.org/nss/coreconf/FreeBSD.mk 2017-08-29 23:44:13.642044814 +0530
|
|
+++ b/nss/nss/coreconf/FreeBSD.mk 2017-08-29 23:45:20.850348615 +0530
|
|
@@ -25,6 +25,7 @@
|
|
|
|
DSO_CFLAGS = -fPIC
|
|
DSO_LDOPTS = -shared -Wl,-soname -Wl,$(notdir $@)
|
|
+DSO_LDOPTS += -Wl,-z,origin '-Wl,-rpath,$$ORIGIN'
|
|
|
|
#
|
|
# The default implementation strategy for FreeBSD is pthreads.
|
|
--- a/nss.org/nss/coreconf/Linux.mk 2017-08-29 23:44:13.642044814 +0530
|
|
+++ b/nss/nss/coreconf/Linux.mk 2017-08-29 23:47:26.318915759 +0530
|
|
@@ -147,7 +147,7 @@
|
|
# Also, -z defs conflicts with Address Sanitizer, which emits relocations
|
|
# against the libsanitizer runtime built into the main executable.
|
|
ZDEFS_FLAG = -Wl,-z,defs
|
|
-DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
|
|
+DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG)) $(if $(filter-out $(OS),ANDROID),-Wl$(COMMA)-z$(COMMA)origin '-Wl$(COMMA)-rpath$(COMMA)$$ORIGIN')
|
|
LDFLAGS += $(ARCHFLAG) -z noexecstack
|
|
|
|
# On Maemo, we need to use the -rpath-link flag for even the standard system
|
|
@@ -177,8 +177,13 @@
|
|
endif
|
|
endif
|
|
|
|
+ifneq ($(SYSTEM_ZLIB),)
|
|
+# Currently (3.12.4) only the tools modutil and signtool are linked with libz
|
|
+# If USE_SYSTEM_ZLIB is not set then the tools link statically libzlib.a which
|
|
+# is also built in nss.
|
|
USE_SYSTEM_ZLIB = 1
|
|
ZLIB_LIBS = -lz
|
|
+endif
|
|
|
|
# The -rpath '$$ORIGIN' linker option instructs this library to search for its
|
|
# dependencies in the same directory where it resides.
|
|
--- a/nss.org/nss/coreconf/rules.mk 2017-08-29 23:44:13.646044832 +0530
|
|
+++ b/nss/nss/coreconf/rules.mk 2017-08-29 23:47:37.442966042 +0530
|
|
@@ -261,7 +261,7 @@
|
|
ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
|
|
$(AR) $(subst /,\\,$(OBJS))
|
|
else
|
|
- $(AR) $(OBJS)
|
|
+ $(AR) cr $@ $(OBJS)
|
|
endif
|
|
$(RANLIB) $@
|
|
|
|
--- a/nss.org/nss/coreconf/SunOS5.mk 2017-08-29 23:44:13.646044832 +0530
|
|
+++ b/nss/nss/coreconf/SunOS5.mk 2017-08-29 23:45:00.902258445 +0530
|
|
@@ -48,8 +48,11 @@
|
|
# OPTIMIZER += -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer
|
|
endif
|
|
else
|
|
- CC = cc
|
|
- CCC = CC
|
|
+ # CC is taken from environment automatically.
|
|
+ # CC = cc
|
|
+ # Use CXX from environment.
|
|
+ # CCC = CC
|
|
+ CCC = $(CXX)
|
|
ASFLAGS += -Wa,-P
|
|
OS_CFLAGS += $(NOMD_OS_CFLAGS) $(ARCHFLAG)
|
|
ifndef BUILD_OPT
|
|
--- a/nss.org/nss/coreconf/Werror.mk 2017-08-29 23:44:13.646044832 +0530
|
|
+++ b/nss/nss/coreconf/Werror.mk 2017-08-29 23:44:23.994091608 +0530
|
|
@@ -94,7 +94,8 @@
|
|
endif #ndef NSS_ENABLE_WERROR
|
|
|
|
ifeq ($(NSS_ENABLE_WERROR),1)
|
|
- WARNING_CFLAGS += -Werror
|
|
+ # We do not treat warnings as errors.
|
|
+ # WARNING_CFLAGS += -Werror
|
|
else
|
|
# Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
|
|
# Use this to disable use of that #pragma and the warnings it suppresses.
|
|
--- a/nss.org/nss/Makefile 2017-08-29 23:44:13.402043729 +0530
|
|
+++ b/nss/nss/Makefile 2017-08-29 23:44:39.774162939 +0530
|
|
@@ -1,3 +1,5 @@
|
|
+export AR
|
|
+export RANLIB
|
|
#! gmake
|
|
#
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|