From 603ea2652fae4e43d45a77a4ec23b94655299cbd Mon Sep 17 00:00:00 2001
From: Domen Kožar
Date: Fri, 11 Mar 2016 12:18:18 +0000
Subject: nss: 3.22 -> 3.22.2 (CVE-2016-1950)
---
 pkgs/development/libraries/nss/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'pkgs/development/libraries/nss/default.nix')
diff --git a/pkgs/development/libraries/nss/default.nix b/pkgs/development/libraries/nss/default.nix
index d3c2deb609e..060aa20967f 100644
--- a/pkgs/development/libraries/nss/default.nix
+++ b/pkgs/development/libraries/nss/default.nix
@@ -11,11 +11,11 @@ let
 in stdenv.mkDerivation rec {
 name = "nss-${version}";
- version = "3.22";
+ version = "3.22.2";
 src = fetchurl {
- url = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_RTM/src/${name}.tar.gz";
- sha256 = "30ebd121c77e725a1383618eff79a6752d6e9f0f21882ad825ddab12e7227611";
+ url = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_2_RTM/src/${name}.tar.gz";
+ sha256 = "0l1n5mwgqkcwfh10hizdv0vfj6gg9i4zip021wh33b17qn3r5m07";
 };
 buildInputs = [ nspr perl zlib sqlite ];
--
cgit 1.4.1
From 1a9b272c0946ff1d30bba0effb949d5e16dcf5c4 Mon Sep 17 00:00:00 2001
From: Franz Pletz
Date: Mon, 21 Mar 2016 04:09:04 +0100
Subject: nss: 3.22.2 -> 3.23 (security)
Fixes CVE-2016-1950. See: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes
---
 .../libraries/nss/85_security_load.patch | 47 ++++++++++++----------
 pkgs/development/libraries/nss/default.nix | 6 +--
 2 files changed, 28 insertions(+), 25 deletions(-)
(limited to 'pkgs/development/libraries/nss/default.nix')
diff --git a/pkgs/development/libraries/nss/85_security_load.patch b/pkgs/development/libraries/nss/85_security_load.patch
index 3e51e290887..632cc418425 100644
--- a/pkgs/development/libraries/nss/85_security_load.patch
+++ b/pkgs/development/libraries/nss/85_security_load.patch
@@ -1,7 +1,8 @@
-diff -ru nss-3.16-orig/nss/cmd/shlibsign/shlibsign.c nss-3.16/nss/cmd/shlibsign/shlibsign.c
---- nss-3.16-orig/nss/cmd/shlibsign/shlibsign.c 2014-03-14 21:31:59.000000000 +0100
-+++ nss-3.16/nss/cmd/shlibsign/shlibsign.c 2014-04-22 14:50:31.340743655 +0200
-@@ -852,6 +852,8 @@
+diff --git a/nss/cmd/shlibsign/shlibsign.c b/nss/cmd/shlibsign/shlibsign.c
+index 63a4836..a128c1d 100644
+--- a/nss/cmd/shlibsign/shlibsign.c
++++ b/nss/cmd/shlibsign/shlibsign.c
+@@ -862,6 +862,8 @@ int main(int argc, char **argv)
 libname = PR_GetLibraryName(NULL, "softokn3");
 assert(libname != NULL);
 lib = PR_LoadLibrary(libname);
@@ -10,21 +11,22 @@ diff -ru nss-3.16-orig/nss/cmd/shlibsign/shlibsign.c nss-3.16/nss/cmd/shlibsign/ assert(lib != NULL); PR_FreeLibraryName(libname); -Only in nss-3.16/nss/cmd/shlibsign: shlibsign.c.orig -diff -ru nss-3.16-orig/nss/coreconf/config.mk nss-3.16/nss/coreconf/config.mk ---- nss-3.16-orig/nss/coreconf/config.mk 2014-03-14 21:31:59.000000000 +0100 -+++ nss-3.16/nss/coreconf/config.mk 2014-04-22 14:50:51.302731097 +0200 -@@ -188,3 +188,6 @@ - - # Hide old, deprecated, TLS cipher suite names when building NSS - DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES +diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk +index 61d757b..b58a98b 100644 +--- a/nss/coreconf/config.mk ++++ b/nss/coreconf/config.mk +@@ -205,3 +205,6 @@ $(error Setting NSS_ENABLE_TLS_1_3 and NSS_DISABLE_ECC isn't a good idea.) + endif + DEFINES += -DNSS_ENABLE_TLS_1_3 + endif + +# Nix specific stuff. +DEFINES += -DNIX_NSS_LIBDIR=\"$(out)/lib/\" -diff -ru nss-3.16-orig/nss/lib/pk11wrap/pk11load.c nss-3.16/nss/lib/pk11wrap/pk11load.c ---- nss-3.16-orig/nss/lib/pk11wrap/pk11load.c 2014-03-14 21:31:59.000000000 +0100 -+++ nss-3.16/nss/lib/pk11wrap/pk11load.c 2014-04-22 14:50:22.164749330 +0200 -@@ -406,6 +406,13 @@ +diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c +index 5c5d2ca..026e528 100644 +--- a/nss/lib/pk11wrap/pk11load.c ++++ b/nss/lib/pk11wrap/pk11load.c +@@ -429,6 +429,13 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { * unload the library if anything goes wrong from here on out... */ library = PR_LoadLibrary(mod->dllName); 
@@ -38,10 +40,11 @@ diff -ru nss-3.16-orig/nss/lib/pk11wrap/pk11load.c nss-3.16/nss/lib/pk11wrap/pk1 mod->library = (void *)library; if (library == NULL) { -diff -ru nss-3.16-orig/nss/lib/util/secload.c nss-3.16/nss/lib/util/secload.c ---- nss-3.16-orig/nss/lib/util/secload.c 2014-03-14 21:31:59.000000000 +0100 -+++ nss-3.16/nss/lib/util/secload.c 2014-04-22 14:50:31.342743654 +0200 -@@ -69,9 +69,14 @@ +diff --git a/nss/lib/util/secload.c b/nss/lib/util/secload.c +index eb8a9ec..f94f67d 100644 +--- a/nss/lib/util/secload.c ++++ b/nss/lib/util/secload.c +@@ -69,9 +69,14 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name) /* Remove the trailing filename from referencePath and add the new one */ c = strrchr(referencePath, PR_GetDirectorySeparator()); @@ -57,7 +60,7 @@ diff -ru nss-3.16-orig/nss/lib/util/secload.c nss-3.16/nss/lib/util/secload.c if (fullName) { memcpy(fullName, referencePath, referencePathSize); strcpy(fullName + referencePathSize, name); -@@ -81,6 +86,11 @@ +@@ -81,6 +86,11 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name) #endif libSpec.type = PR_LibSpec_Pathname; libSpec.value.pathname = fullName; @@ -69,7 +72,7 @@ diff -ru nss-3.16-orig/nss/lib/util/secload.c nss-3.16/nss/lib/util/secload.c dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL #ifdef PR_LD_ALT_SEARCH_PATH /* allow library's dependencies to be found in the same directory -@@ -88,6 +98,10 @@ +@@ -88,6 +98,10 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name) | PR_LD_ALT_SEARCH_PATH #endif ); diff --git a/pkgs/development/libraries/nss/default.nix b/pkgs/development/libraries/nss/default.nix index 060aa20967f..e8be7299952 100644 --- a/pkgs/development/libraries/nss/default.nix +++ b/pkgs/development/libraries/nss/default.nix 
@@ -11,11 +11,11 @@ let
 in stdenv.mkDerivation rec {
 name = "nss-${version}";
- version = "3.22.2";
+ version = "3.23";
 src = fetchurl {
- url = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_2_RTM/src/${name}.tar.gz";
- sha256 = "0l1n5mwgqkcwfh10hizdv0vfj6gg9i4zip021wh33b17qn3r5m07";
+ url = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/${name}.tar.gz";
+ sha256 = "1kqidv91icq96m9m8zx50n7px08km2l88458rkgyjwcn3kiq7cwl";
 };
 buildInputs = [ nspr perl zlib sqlite ];
--
cgit 1.4.1