46 Commits

Author SHA1 Message Date
Wang Mingyu adf0c1d6c0 nss: upgrade 3.102 -> 3.103
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-08-09 14:25:16 -07:00
Alexandre Truong c8c4433e23 nss: modify UPSTREAM_CHECK_* to fix UNKNOWN_BROKEN status
Modifying existing UPSTREAM_CHECK_URI and UPSTREAM_CHECK_REGEX
fix UNKNOWN_BROKEN status from running devtool check-upgrade-status.

The next version of the package can be found from upstream
sources.

Signed-off-by: Alexandre Truong <alexandre.truong@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
2024-07-24 08:56:45 -07:00
Markus Volk 975c047a1f nss: update 3.101 > 3.102
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-07-16 08:24:26 -07:00
Khem Raj d4a7efe3a8 nss: Upgrade to 3.101 release
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-06-14 10:23:13 -07:00
Khem Raj ffc64e9c6f recipes: Start WORKDIR -> UNPACKDIR transition
Replace references of WORKDIR with UNPACKDIR where it makes sense to do
so in preparation for changing the default value of UNPACKDIR.

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-05-23 08:44:44 -07:00
Mingli Yu 05afab094d nss: Upgrade 3.74 -> 3.98
* Remove one backported patch and rebase two patches to the new version.

* License update:
  Copyright year updated to 2023

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2024-03-08 10:07:26 -08:00
Andrej Valek 8af2f17a6f cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-07-27 08:54:40 -07:00
Peter Marko 81c18e0797 nss: ignore CVE-2022-3479
Investigation based on https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 leads to following:
* fixed in 3.87
  (https://hg.mozilla.org/projects/nss/rev/a7f363511333b8062945557607691002fd6e40b9)
* changed code was introduced in 3.77
  (https://hg.mozilla.org/projects/nss/rev/be6a97823bfe10fa08e17c9584938a2d525a38da)
* NVD claims fix in 3.81, but there is no evidence for it in commit history
  (https://hg.mozilla.org/projects/nss/graph/a7f363511333b8062945557607691002fd6e40b9)
* Debian also says for old versions "nss <not-affected> (Vulnerable code not present/was introduced later)"
  (https://security-tracker.debian.org/tracker/CVE-2022-3479)

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-06-04 22:29:45 -07:00
Wentao Zhang 366af48fa5 nss: fix failed test of nss.
The expiration date of the "PayPalEE.cert" test certificate in the nss package
is Jan 12 2022 and causing a test failure.

Signed-off-by: Wentao Zhang <wentao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2023-04-10 20:13:28 -07:00
Mathieu Dubois-Briand 90645db2fa nss: Whitelist CVEs related to libnssdbm
These CVEs only affect libnssdbm, compiled when --enable-legacy-db is
used.

https://bugzilla.mozilla.org/show_bug.cgi?id=1360782#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778#c8
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-12-09 10:39:27 -08:00
Mathieu Dubois-Briand 8e0432fd54 nss: Add missing CVE product
Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-12-09 10:39:27 -08:00
Dmitry Baryshkov da1ff7a5ae nss: fix cross-compilation error
Change OS_TEST to be soft assignment so that the cross-compilation
doens't fail with the errors like (note the difference in CPU tags):

| make[4]: *** No rule to make target
'../certhigh/Linux3.4_x86_64_glibc_PTH_64_OPT.OBJ/certhtml.o', needed by
'Linux3.4_aarch64_glibc_PTH_64_OPT.OBJ/libnss3.so'.  Stop.

Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-11-25 18:11:10 -08:00
Martin Jansa 74f131ffe8 nss: fix SRC_URI
* http://ftp.mozilla.org/pub/mozilla.org now returns 404, but the SRC_URI still works without
  "mozilla.org" directory

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-11-15 08:26:44 -08:00
Khem Raj 14c7d8a0d7 recipes: Update LICENSE variable to use SPDX license identifiers
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-03-04 17:41:45 -08:00
Khem Raj f2df270179 recipes: Use new CVE_CHECK_IGNORE variable
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-21 18:12:04 -08:00
Sakib Sajal a29f3b1003 nss: uprev v3.73.1 -> v3.74
Upgrade to newer version to resolve CVE-2022-22747.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2022-02-03 15:14:43 -08:00
Sakib Sajal 1d2145c3e2 nss: upgrade 3.64 -> 3.73.1
Upgrade to 3.73.1 fixes CVE-2021-43527.

Signed-off-by: Sakib Sajal <sakib.sajal@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-12-24 15:48:38 -08:00
Martin Jansa c61dc077bb Convert to new override syntax
This is the result of automated script (0.9.1) conversion:

oe-core/scripts/contrib/convert-overrides.py .

converting the metadata to use ":" as the override character instead of "_".

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
2021-08-03 10:21:25 -07:00
Masaki Ambai 44113dcb5f nss: add CVE-2006-5201 to allowlist
CVE-2006-5201 affects only using an RSA key with exponent 3 on Sun Solaris.

Signed-off-by: Masaki Ambai <ambai.masaki@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-06-24 12:55:11 -07:00
Marek Vasut 30148b33b5 nss: Fix build on Centos 7
Centos 7 has glibc 2.18 and nss-native build fails due to implicit
declaration of function putenv during build. This is because of the
Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

  putenv(): _XOPEN_SOURCE
      || /* Glibc since 2.19: */ _DEFAULT_SOURCE
      || /* Glibc versions <= 2.19: */ _SVID_SOURCE

and because nss coreconf/Linux.mk only defines

 -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE

So on such system with glibc 2.18, neither macro makes putenv()
available. Add -D_XOPEN_SOURCE for the Centos 7 and glibc 2.18
native build case.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Armin Kuster <akuster808@gmail.com>
Cc: Armin Kuster <akuster@mvista.com>
Cc: Khem Raj <raj.khem@gmail.com>
Cc: Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-06-03 16:47:04 -07:00
Ross Burton 7fa165e0df nss: remove -march vs -mcpu workaround
NSS's build tries to be clever and passes for example -march=armv8-a+crypto
explicitly, instead of relying on the person doing the compilation to
set the right flags.

This conflicts with our compiler flags which typically pass the ideal
tune for the target, for example -mcpu=cortex-a55+crc+crypto.

When this happens GCC warns that the flags conflict (which was promoted
to an error, now fixed) and -march takes precedence over -mcpu.

As there's a huge number of potential tune flags to remove to avoid the
conflict, now that warnings are not fatal we can stop removing the flags
and let GCC warn as the generated code is the same.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-05-14 07:27:26 -07:00
Ross Burton c16459a2e6 nss: disable -Werror
-Werror should be used by developers and not packagers, because new
compiler flags or GCC versions can use new warnings.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-05-14 07:27:26 -07:00
zangrc a7d0d87854 nss: upgrade 3.63 -> 3.64
-License-Update: Add the license of MIT.

Signed-off-by: Zang Ruochen <zangrc.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-23 21:41:26 -07:00
Khem Raj 5178615b43 nss: Re-enable -Werror
GCC-11 has fixed the problem [1]

[1] https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=da879e01ecd35737c18be1da3324f4560aba1961
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-04-16 08:30:19 -07:00
zangrc e0ff02fc3c nss: upgrade 3.62 -> 3.63
Signed-off-by: Zang Ruochen <zangrc.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-28 12:12:58 -07:00
Randy MacLeod d7aa1a60f6 nss: upgrade 3.60.1 -> 3.62
The patch: nss-fix-nsinstall-build.patch is embedded specific
so set it's Upstream-Status to inappropriate.

Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-09 08:33:51 -08:00
Khem Raj 9b62982d6c nss: Disable Werror
with newer compilers we are seeing new warnings, e.g.

error: argument 1 of type 'int[1]' with mismatched bound [-Werror=array-parameter=]
    8 |     extern void pr_static_assert(int arg[(((long unsigned int)-1) > (long unsigned int)1) ? 1 : -1]);
      |                                  ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

with gcc11 and clang has its own set which triggers here as well, its
better to disable werror therefore, we still have warnings if someone
wants to fix them but they wont break the builds

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-05 12:22:57 -08:00
Andrei Gherzan dad2aef6be nss: Fix warnings generated by getcwd
getcwd() conforms to POSIX.1-2001 which leaves the behaviour when the
buf argument is NULL, undefined. This makes gcc 10+ throw the following
warning:

argument 1 is null but the corresponding size argument 2 value is 4096

Initially, this was fixed by disabling NSS_ENABLE_WERROR. This patch
re-enables NSS_ENABLE_WERROR (by leaving it to its default value) and
takes advantage of the existing functionality in nss that wraps the
getcwd call into a function making sure that the buf argument is always
properly allocated.

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-03-03 19:55:28 -08:00
Khem Raj 8c1c0ad349 nss: Add powerpc64 little endian support
Fix build with clang/ppc64le while here

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-02-23 11:08:21 -08:00
Yi Zhao 1c2b1b919c nss: upgrade 3.60 -> 3.60.1
Bugs fixed in NSS 3.60.1:
Bug 1682863 - Fix remaining hang issues with slow third-party PKCS #11
              tokens.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-01-21 00:26:41 -08:00
zangrc 2f47e6bb43 nss: upgrade 3.59 -> 3.60
Signed-off-by: Zang Ruochen <zangrc.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2021-01-05 09:16:27 -08:00
Yi Zhao 4a4c6a9aee nss: upgrade 3.57 -> 3.59
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-11-23 13:00:55 -08:00
Andrej Valek fc08abf6e0 nss: upgrade 3.56 -> 3.57
- Refresh freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
- Drop pkix-Do-not-use-NULL-where-0-is-needed.patch

Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-10-19 22:18:11 -07:00
Martin Jansa 9f0a83f9af nss: remove signlibs.sh
Looks like my "solution" also isn't working well at least for images with read-only-rootfs in IMAGE_FEATURES.

pkg_postinst_ontarget_${PN} is always forced to run on the target, which for read-only-rootfs results in:
log.do_rootfs:
...
NOTE: If an image is being built, the postinstalls for the following packages will be postponed for first boot: nss
...
ERROR: The following packages could not be configured offline and rootfs is read-only: ['nss']

and now looking at the /usr/bin/signlibs.sh and it does pretty much
the same as the postinst script when D isn't empty.

>From oe-core git history it shows that signlibs.sh was added first:
https://git.openembedded.org/openembedded-core/commit/?id=a4580f967c8064294a06d406acf5deb24aee2acc
then the offline version of postinst was added to support read-only-rootfs in:
https://git.openembedded.org/openembedded-core/commit/?id=64e87fc6e99bc1d4807034166735034b1f92bad8
and nss-native should always provide the shlibsign since:
https://git.openembedded.org/openembedded-core/commit/?id=88540c5b08dea069660d1a68e506aebdd68e6ae0
and only after
https://git.openembedded.org/openembedded-core/commit/?id=8f782f7095e718dd9452055af53363beb6bdbece
it looked like signlibs.sh was something special only for target.

So it looks to me, that we should just remove signlibs.sh script and let the same postinst be used on target and offline
(with or without D being empty).

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-09-01 20:24:44 -07:00
Martin Jansa 00bd5ad72f nss: fix postinst in do_rootfs for target
Partially revert "nss: fix postinst script for nativesdk build"

This reverts commit 31552510b1.

When running in do_rootfs we need to run shlibsign provided
by nss-native, otherwise it fails when /usr/bin/shlibsign
doesn't exist on host builder:

do_rootfs: Postinstall scriptlets of ['nss'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.

Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-08-28 17:16:57 -07:00
Khem Raj 3bc89dc7b3 nss: Upgrade to 3.56
Forward port 0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-08-28 17:16:52 -07:00
Khem Raj 9bbe3ff102 nss: Disable Werror across all recipe types
We are seeing warnigs with gcc-10 even on target builds e.g.

| In file included from nsinstall.c:20:
| /usr/include/unistd.h:520:14: note: in a call to function ‘getcwd’ declared with attribute ‘write_only (1, 2)’
|   520 | extern char *getcwd (char *__buf, size_t __size) __THROW __wur
|       |              ^~~~~~
| nsinstall.c:70:16: error: argument 1 is null but the corresponding size argument 2 value is 4096 [-Werror=nonnull]
|    70 | #define GETCWD getcwd
|       |                ^
| nsinstall.c:246:13: note: in expansion of macro ‘GETCWD’
|   246 |     todir = GETCWD(0, PATH_MAX);
|       |             ^~~~~~

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-08-27 16:29:23 -07:00
Khem Raj 6e11e41264 nss: Avoid converting enum to void*
Found with clang-11

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-08-26 19:20:40 -07:00
Mikko Rapeli 31552510b1 nss: fix postinst script for nativesdk build
It's better to refer to binaries in postinst script with
full path which also works on SDK when
/opt/nativesysroot/usr/bin is not in PATH.

Fixes install of nativesdk-nss:

Configuring nativesdk-nss.
/var/lib/opkg/info/nativesdk-nss.postinst: line 14: signlibs.sh: not found

Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-08-26 14:27:09 -07:00
Ovidiu Panait 35364c0ce9 nss: upgrade 3.51.1 -> 3.54
Upgrade nss 3.51.1 -> 3.54:
* Refresh patches
* Drop riscv.patch and 0001-Enable-uint128-on-mips64.patch patches as upstream
  commit [1] should implement that logic
* Use "autobuild" as do_compile make target (Makefile logic has changed
  significantly, so the default target is no longer enough)

[1] https://hg.mozilla.org/projects/nss/rev/60aa7df14f119d2a21750668c5ce36fa38ef2c6c

Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-07-13 09:01:58 -07:00
Khem Raj e421f6c71c nss: Remove mcpu to avoid march conflicts
Some files are compiled with armv8-a+crypto and when using cortex-a55
the deduced march is armv8.2-a which then conflicts

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-05-08 19:56:06 -07:00
Mingli Yu 2ca4f084f1 nss: enable uint128 support on mips64
Fix below build error:
| verified/kremlin/kremlib/dist/minimal/FStar_UInt128.h:22:1: error: 'FStar_UInt128___proj__Mkuint128__item__low' declared 'static' but never defined [-Werror=unused-function]
|   22 | FStar_UInt128___proj__Mkuint128__item__low(FStar_UInt128_uint128 projectee);

Signed-off-by: Mingli Yu <mingli.yu@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-05-03 14:29:17 -07:00
Khem Raj 0b5662a1ed nss: Fix build on riscv64
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-04-25 08:32:41 -07:00
Pierre-Jean Texier 5297e3f7e1 nss: upgrade 3.51 -> 3.51.1
See full release notes:

 - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.51.1_release_notes

Signed-off-by: Pierre-Jean Texier <pjtexier@koncepto.io>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-04-13 11:19:29 -07:00
Wang Mingyu 2ede6ac448 nss: upgrade 3.50 -> 3.51
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-03-18 19:29:01 -07:00
Khem Raj d62b225023 nss,nspr: Add recipes
oe-core has punted them, but they are still needed by many packages e.g.
mozjs

Signed-off-by: Khem Raj <raj.khem@gmail.com>
2020-03-08 08:15:34 -07:00