authorJory Pratt <anarchy@gentoo.org>2013-01-09 23:07:36 +0000
committerJory Pratt <anarchy@gentoo.org>2013-01-09 23:07:36 +0000
commitd5646fd7f5313d16b35a6c070218caac30a982ac (patch)
tree9a3ba837715f9a2a6373d689e44ffe1eee904b06 /dev-libs
parentAdd arm love too. (diff)
Security bump, bug #450940
(Portage version: 2.1.11.38/cvs/Linux x86_64, unsigned Manifest commit)
Diffstat (limited to 'dev-libs')
-rw-r--r--dev-libs/nss/ChangeLog10
-rw-r--r--dev-libs/nss/files/nss-3.14.1-gentoo-fixups.patch243
-rw-r--r--dev-libs/nss/nss-3.14.1.ebuild212
3 files changed, 463 insertions, 2 deletions
diff --git a/dev-libs/nss/ChangeLog b/dev-libs/nss/ChangeLog
index 5bcad43fa227..42f492c59091 100644
--- a/dev-libs/nss/ChangeLog
+++ b/dev-libs/nss/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for dev-libs/nss
-# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.271 2012/12/28 15:08:50 ago Exp $
+# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.272 2013/01/09 23:07:36 anarchy Exp $
+
+*nss-3.14.1 (09 Jan 2013)
+
+ 09 Jan 2013; <anarchy@gentoo.org> +nss-3.14.1.ebuild,
+ +files/nss-3.14.1-gentoo-fixups.patch:
+ Security bump, bug #450940
28 Dec 2012; Agostino Sarubbo <ago@gentoo.org> nss-3.14.ebuild:
Stable for sparc, wrt bug #444318
diff --git a/dev-libs/nss/files/nss-3.14.1-gentoo-fixups.patch b/dev-libs/nss/files/nss-3.14.1-gentoo-fixups.patch
new file mode 100644
index 000000000000..300da5d37b92
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.14.1-gentoo-fixups.patch
@@ -0,0 +1,243 @@
+diff -urN a/mozilla/security/nss/config/Makefile b/mozilla/security/nss/config/Makefile
+--- a/mozilla/security/nss/config/Makefile 1969-12-31 18:00:00.000000000 -0600
++++ b/mozilla/security/nss/config/Makefile 2012-12-15 07:27:20.650148987 -0600
+@@ -0,0 +1,40 @@
++CORE_DEPTH = ../..
++DEPTH = ../..
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++NSS_MAJOR_VERSION = `grep "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_MINOR_VERSION = `grep "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}'`
++NSS_PATCH_VERSION = `grep "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}'`
++PREFIX = /usr
++
++all: export libs
++
++export:
++ # Create the nss.pc file
++ mkdir -p $(DIST)/lib/pkgconfig
++ sed -e "s,@prefix@,$(PREFIX)," \
++ -e "s,@exec_prefix@,\$${prefix}," \
++ -e "s,@libdir@,\$${prefix}/gentoo/nss," \
++ -e "s,@includedir@,\$${prefix}/include/nss," \
++ -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
++ -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++ -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++ nss.pc.in > nss.pc
++ chmod 0644 nss.pc
++ ln -sf ../../../../../security/nss/config/nss.pc $(DIST)/lib/pkgconfig
++
++ # Create the nss-config script
++ mkdir -p $(DIST)/bin
++ sed -e "s,@prefix@,$(PREFIX)," \
++ -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
++ -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++ -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++ nss-config.in > nss-config
++ chmod 0755 nss-config
++ ln -sf ../../../../security/nss/config/nss-config $(DIST)/bin
++
++libs:
++
++dummy: all export libs
++
+diff -urN a/mozilla/security/nss/config/nss-config.in b/mozilla/security/nss/config/nss-config.in
+--- a/mozilla/security/nss/config/nss-config.in 1969-12-31 18:00:00.000000000 -0600
++++ b/mozilla/security/nss/config/nss-config.in 2012-12-15 07:27:20.651148959 -0600
+@@ -0,0 +1,145 @@
++#!/bin/sh
++
++prefix=@prefix@
++
++major_version=@NSS_MAJOR_VERSION@
++minor_version=@NSS_MINOR_VERSION@
++patch_version=@NSS_PATCH_VERSION@
++
++usage()
++{
++ cat <<EOF
++Usage: nss-config [OPTIONS] [LIBRARIES]
++Options:
++ [--prefix[=DIR]]
++ [--exec-prefix[=DIR]]
++ [--includedir[=DIR]]
++ [--libdir[=DIR]]
++ [--version]
++ [--libs]
++ [--cflags]
++Dynamic Libraries:
++ nss
++ ssl
++ smime
++ nssutil
++EOF
++ exit $1
++}
++
++if test $# -eq 0; then
++ usage 1 1>&2
++fi
++
++lib_ssl=yes
++lib_smime=yes
++lib_nss=yes
++lib_nssutil=yes
++
++while test $# -gt 0; do
++ case "$1" in
++ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
++ *) optarg= ;;
++ esac
++
++ case $1 in
++ --prefix=*)
++ prefix=$optarg
++ ;;
++ --prefix)
++ echo_prefix=yes
++ ;;
++ --exec-prefix=*)
++ exec_prefix=$optarg
++ ;;
++ --exec-prefix)
++ echo_exec_prefix=yes
++ ;;
++ --includedir=*)
++ includedir=$optarg
++ ;;
++ --includedir)
++ echo_includedir=yes
++ ;;
++ --libdir=*)
++ libdir=$optarg
++ ;;
++ --libdir)
++ echo_libdir=yes
++ ;;
++ --version)
++ echo ${major_version}.${minor_version}.${patch_version}
++ ;;
++ --cflags)
++ echo_cflags=yes
++ ;;
++ --libs)
++ echo_libs=yes
++ ;;
++ ssl)
++ lib_ssl=yes
++ ;;
++ smime)
++ lib_smime=yes
++ ;;
++ nss)
++ lib_nss=yes
++ ;;
++ nssutil)
++ lib_nssutil=yes
++ ;;
++ *)
++ usage 1 1>&2
++ ;;
++ esac
++ shift
++done
++
++# Set variables that may be dependent upon other variables
++if test -z "$exec_prefix"; then
++ exec_prefix=`pkg-config --variable=exec_prefix nss`
++fi
++if test -z "$includedir"; then
++ includedir=`pkg-config --variable=includedir nss`
++fi
++if test -z "$libdir"; then
++ libdir=`pkg-config --variable=libdir nss`
++fi
++
++if test "$echo_prefix" = "yes"; then
++ echo $prefix
++fi
++
++if test "$echo_exec_prefix" = "yes"; then
++ echo $exec_prefix
++fi
++
++if test "$echo_includedir" = "yes"; then
++ echo $includedir
++fi
++
++if test "$echo_libdir" = "yes"; then
++ echo $libdir
++fi
++
++if test "$echo_cflags" = "yes"; then
++ echo -I$includedir
++fi
++
++if test "$echo_libs" = "yes"; then
++ libdirs="-Wl,-R$libdir -L$libdir"
++ if test -n "$lib_ssl"; then
++ libdirs="$libdirs -lssl${major_version}"
++ fi
++ if test -n "$lib_smime"; then
++ libdirs="$libdirs -lsmime${major_version}"
++ fi
++ if test -n "$lib_nss"; then
++ libdirs="$libdirs -lnss${major_version}"
++ fi
++ if test -n "$lib_nssutil"; then
++ libdirs="$libdirs -lnssutil${major_version}"
++ fi
++ echo $libdirs
++fi
++
+diff -urN a/mozilla/security/nss/config/nss.pc.in b/mozilla/security/nss/config/nss.pc.in
+--- a/mozilla/security/nss/config/nss.pc.in 1969-12-31 18:00:00.000000000 -0600
++++ b/mozilla/security/nss/config/nss.pc.in 2012-12-15 07:27:20.651148959 -0600
+@@ -0,0 +1,12 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: NSS
++Description: Network Security Services
++Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
++Requires: nspr >= 4.8
++Libs: -L${libdir} -lssl3 -lsmime3 -lnssutil3 -lnss3
++Cflags: -I${includedir}
++
+diff -urN a/mozilla/security/nss/Makefile b/mozilla/security/nss/Makefile
+--- a/mozilla/security/nss/Makefile 2012-11-13 19:14:07.000000000 -0600
++++ b/mozilla/security/nss/Makefile 2012-12-15 07:27:57.235162137 -0600
+@@ -44,7 +44,7 @@
+ # (7) Execute "local" rules. (OPTIONAL). #
+ #######################################################################
+
+-nss_build_all: build_coreconf build_nspr build_dbm all
++nss_build_all: build_coreconf build_dbm all
+
+ nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
+
+@@ -106,12 +106,6 @@
+ --with-dist-prefix='$(NSPR_PREFIX)' \
+ --with-dist-includedir='$(NSPR_PREFIX)/include'
+
+-build_nspr: $(NSPR_CONFIG_STATUS)
+- $(MAKE) -C $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME)
+-
+-clobber_nspr: $(NSPR_CONFIG_STATUS)
+- $(MAKE) -C $(CORE_DEPTH)/../nsprpub/$(OBJDIR_NAME) clobber
+-
+ build_dbm:
+ ifdef NSS_DISABLE_DBM
+ @echo "skipping the build of DBM"
+diff -urN a/mozilla/security/nss/manifest.mn b/mozilla/security/nss/manifest.mn
+--- a/mozilla/security/nss/manifest.mn 2012-03-20 09:46:49.000000000 -0500
++++ b/mozilla/security/nss/manifest.mn 2012-12-15 07:27:20.652148933 -0600
+@@ -10,6 +10,6 @@
+
+ RELEASE = nss
+
+-DIRS = lib cmd
++DIRS = lib cmd config
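Review bot: In the added `nss-config.in`, the three `pkg-config --variable=... nss` lookups are never checked, so when pkg-config or `nss.pc` is unavailable the script still exits 0 and `--cflags`/`--libs` print a bare `-I` and `-Wl,-R -L`. That silently garbles the include, library and runtime-search-path flags of whatever build consumes the output. Fail loudly after the lookups instead, e.g. `test -n "$exec_prefix" && test -n "$includedir" && test -n "$libdir" || { echo "nss-config: pkg-config could not resolve nss paths" 1>&2; exit 1; }`. Separately, `lib_ssl`, `lib_smime`, `lib_nss` and `lib_nssutil` all start as `yes`, so naming a library on the command line never narrows the `--libs` output; a comment stating that this is intentional would help.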
diff --git a/dev-libs/nss/nss-3.14.1.ebuild b/dev-libs/nss/nss-3.14.1.ebuild
new file mode 100644
index 000000000000..13a002180649
--- /dev/null
+++ b/dev-libs/nss/nss-3.14.1.ebuild
@@ -0,0 +1,212 @@
+# Copyright 1999-2013 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.1.ebuild,v 1.1 2013/01/09 23:07:36 anarchy Exp $
+
+EAPI=3
+inherit eutils flag-o-matic multilib toolchain-funcs
+
+NSPR_VER="4.9.2"
+RTM_NAME="NSS_${PV//./_}_RTM"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+ http://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch
+ http://dev.gentoo.org/~anarchy/patches/${PN}-3.13.3_pem.support"
+
+LICENSE="MPL-2.0 GPL-2 LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="utils"
+
+DEPEND="virtual/pkgconfig
+ >=dev-libs/nspr-${NSPR_VER}"
+
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}
+ >=dev-db/sqlite-3.5
+ sys-libs/zlib"
+
+src_setup() {
+ export LC_ALL="C"
+}
+
+src_prepare() {
+ # Custom changes for gentoo
+ epatch "${FILESDIR}/${PN}-3.14.1-gentoo-fixups.patch"
+ epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch"
+ epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
+ epatch "${DISTDIR}/${PN}-3.13.3_pem.support"
+ epatch "${FILESDIR}/${PN}-3.13.5-x32.patch"
+
+ cd "${S}"/mozilla/security/coreconf || die
+ # hack nspr paths
+ echo 'INCLUDES += -I'"${EPREFIX}"'/usr/include/nspr -I$(DIST)/include/dbm' \
+ >> headers.mk || die "failed to append include"
+
+ # modify install path
+ sed -e 's:SOURCE_PREFIX = $(CORE_DEPTH)/\.\./dist:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+ -i source.mk || die
+
+ # Respect LDFLAGS
+ sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk || die
+
+ # Ensure we stay multilib aware
+ sed -i -e "s:gentoo\/nss:$(get_libdir):" "${S}"/mozilla/security/nss/config/Makefile || die "Failed to fix for multilib"
+
+ # Fix pkgconfig file for Prefix
+ sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+ "${S}"/mozilla/security/nss/config/Makefile || die
+
+ epatch "${FILESDIR}/nss-3.13.1-solaris-gcc.patch"
+
+ # dirty hack
+ cd "${S}"/mozilla/security/nss || die
+ sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+ lib/ssl/config.mk || die
+ sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+ cmd/platlibs.mk || die
+}
+
+src_compile() {
+ strip-flags
+
+ echo > "${T}"/test.c || die
+ $(tc-getCC) ${CFLAGS} -c "${T}"/test.c -o "${T}"/test.o || die
+ case $(file "${T}"/test.o) in
+ *32-bit*x86-64*) export USE_x32=1;;
+ *64-bit*|*ppc64*|*x86_64*) export USE_64=1;;
+ *32-bit*|*ppc*|*i386*) ;;
+ *) die "Failed to detect whether your arch is 64bits or 32bits, disable distcc if you're using it, please";;
+ esac
+
+ export NSPR_INCLUDE_DIR=`nspr-config --includedir`
+ export NSPR_LIB_DIR=`nspr-config --libdir`
+ export BUILD_OPT=1
+ export NSS_USE_SYSTEM_SQLITE=1
+ export NSDISTMODE=copy
+ export NSS_ENABLE_ECC=1
+ export XCFLAGS="${CFLAGS}"
+ export FREEBL_NO_DEPEND=1
+ export ASFLAGS=""
+
+ cd "${S}"/mozilla/security/coreconf || die
+ emake -j1 CC="$(tc-getCC)" || die "coreconf make failed"
+ cd "${S}"/mozilla/security/dbm || die
+ emake -j1 CC="$(tc-getCC)" || die "dbm make failed"
+ cd "${S}"/mozilla/security/nss || die
+ emake -j1 CC="$(tc-getCC)" || die "nss make failed"
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+# */${local_libdir}/libfreebl3.so*
+# */${local_libdir}/libnssdbm3.so*
+# */${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+ local shlibsign="$1"
+ local libdir="$2"
+ einfo "Resigning core NSS libraries for FIPS validation"
+ shift 2
+ for i in ${NSS_CHK_SIGN_LIBS} ; do
+ local libname=lib${i}.so
+ local chkname=lib${i}.chk
+ "${shlibsign}" \
+ -i "${libdir}"/${libname} \
+ -o "${libdir}"/${chkname}.tmp \
+ && mv -f \
+ "${libdir}"/${chkname}.tmp \
+ "${libdir}"/${chkname} \
+ || die "Failed to sign ${libname}"
+ done
+}
+
+cleanup_chk() {
+ local libdir="$1"
+ shift 1
+ for i in ${NSS_CHK_SIGN_LIBS} ; do
+ local libfname="${libdir}/lib${i}.so"
+ # If the major version has changed, then we have old chk files.
+ [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+ && rm -f "${libfname}.chk"
+ done
+}
+
+src_install () {
+ MINOR_VERSION=12
+ cd "${S}"/mozilla/security/dist || die
+
+ dodir /usr/$(get_libdir) || die
+ cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+ # We generate these after stripping the libraries, else they don't match.
+ #cp -L */lib/*.chk "${ED}"/usr/$(get_libdir) || die "copying chk files failed"
+ cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+
+ # Install nss-config and pkgconfig file
+ dodir /usr/bin || die
+ cp -L */bin/nss-config "${ED}"/usr/bin || die
+ dodir /usr/$(get_libdir)/pkgconfig || die
+ cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+ # all the include files
+ insinto /usr/include/nss
+ doins public/nss/*.h || die
+ cd "${ED}"/usr/$(get_libdir) || die
+ local n=
+ for file in *$(get_libname); do
+ n=${file%$(get_libname)}$(get_libname ${MINOR_VERSION})
+ mv ${file} ${n} || die
+ ln -s ${n} ${file} || die
+ if [[ ${CHOST} == *-darwin* ]]; then
+ install_name_tool -id "${EPREFIX}/usr/$(get_libdir)/${n}" ${n} || die
+ fi
+ done
+
+ local nssutils
+ # Always enabled because we need it for chk generation.
+ nssutils="shlibsign"
+ if use utils; then
+ # The tests we do not need to install.
+ #nssutils_test="bltest crmftest dbtest dertimetest
+ #fipstest remtest sdrtest"
+ nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
+ cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
+ nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
+ pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
+ symkeyutil tstclnt vfychain vfyserv"
+ fi
+ cd "${S}"/mozilla/security/dist/*/bin/ || die
+ for f in $nssutils; do
+ dobin ${f} || die
+ done
+
+ # Prelink breaks the CHK files. We don't have any reliable way to run
+ # shlibsign after prelink.
+ declare -a libs
+ for l in ${NSS_CHK_SIGN_LIBS} ; do
+ libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
+ done
+ OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}"
+ echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" || die
+ unset libs liblist
+ doenvd "${T}/90nss" || die
+}
+
+pkg_postinst() {
+ # We must re-sign the libraries AFTER they are stripped.
+ generate_chk "${EROOT}"/usr/bin/shlibsign "${EROOT}"/usr/$(get_libdir)
+}
+
+pkg_postrm() {
+ cleanup_chk "${EROOT}"/usr/$(get_libdir)
+}
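Review bot: `cleanup_chk` tests and removes `${libfname}.chk`, which expands to `lib<name>.so.chk`, while `generate_chk` writes `lib${i}.chk` (no `.so`), so the `pkg_postrm` cleanup never matches the files that `pkg_postinst` created. Because those `.chk` files are generated after the merge, they are presumably not recorded as package contents, so stale integrity-check files would be left behind once the library is gone. Check the same name that is written, e.g. `local chkfname="${libdir}/lib${i}.chk"` followed by `[ ! -f "${libfname}" ] && [ -f "${chkfname}" ] && rm -f "${chkfname}"`. Separately, `src_setup` is not an ebuild phase function in EAPI 3, so the `export LC_ALL="C"` inside it is likely never run; `pkg_setup` would be the phase for it.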