summary refs log tree commit diff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2021-12-07 17:15:56 -0500
committerMark H Weaver <mhw@netris.org>2021-12-07 19:09:24 -0500
commit906dd9ff6322fd7aaf3ceace95ec8c443d35c1e5 (patch)
tree49422c8ad3277856ba2f793b0d336937e6dc30d8
parent9e67f2ad418e9a5a7a83dc2349624572e9dbfc8b (diff)
downloadguix-906dd9ff6322fd7aaf3ceace95ec8c443d35c1e5.tar.gz
gnu: icecat: Update to 91.4.0-guix0-preview1 [security fixes].
Includes fixes for CVE-2021-43536, CVE-2021-43537, CVE-2021-43538,
CVE-2021-43539, CVE-2021-43541, CVE-2021-43542, CVE-2021-43543,
CVE-2021-43545, CVE-2021-43546, and MOZ-2021-0009.

* gnu/packages/gnuzilla.scm (%icecat-version, %icecat-build-id): Update.
(icecat-source): Remove icecat-CVE-2021-43527.patch, which is now included
in upstream icecat.  Update the gnuzilla commit, base version, and hashes.
* gnu/packages/patches/icecat-CVE-2021-43527.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): Remove it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/gnuzilla.scm13
-rw-r--r--gnu/packages/patches/icecat-CVE-2021-43527.patch354
3 files changed, 6 insertions, 362 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index b91d6eaa62..d8b9a78949 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1263,7 +1263,6 @@ dist_patch_DATA =						\
   %D%/packages/patches/hydra-disable-darcs-test.patch		\
   %D%/packages/patches/icecat-makeicecat.patch			\
   %D%/packages/patches/icecat-avoid-bundled-libraries.patch	\
-  %D%/packages/patches/icecat-CVE-2021-43527.patch		\
   %D%/packages/patches/icecat-use-older-reveal-hidden-html.patch	\
   %D%/packages/patches/icecat-use-system-graphite2+harfbuzz.patch	\
   %D%/packages/patches/icecat-use-system-media-libs.patch	\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 36b8a35efe..bc4ef2ce45 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -697,8 +697,8 @@ in C/C++.")
 ;; XXXX: Workaround 'snippet' limitations.
 (define computed-origin-method (@@ (guix packages) computed-origin-method))
 
-(define %icecat-version "91.3.0-guix0-preview1")
-(define %icecat-build-id "20211102000000") ;must be of the form YYYYMMDDhhmmss
+(define %icecat-version "91.4.0-guix0-preview1")
+(define %icecat-build-id "20211207000000") ;must be of the form YYYYMMDDhhmmss
 
 ;; 'icecat-source' is a "computed" origin that generates an IceCat tarball
 ;; from the corresponding upstream Firefox ESR tarball, using the 'makeicecat'
@@ -720,11 +720,11 @@ in C/C++.")
                   "firefox-" upstream-firefox-version ".source.tar.xz"))
             (sha256
              (base32
-              "0v79c435vfbhsx7pqyq4jm5rv8iysig69wwqhvys1n0jy54m72qj"))))
+              "09xkzk27krzyj1qx8cjjn2zpnws1cncka75828kk7ychnjfq48p7"))))
 
-         (upstream-icecat-base-version "91.3.0") ; maybe older than base-version
+         (upstream-icecat-base-version "91.4.0") ; maybe older than base-version
          ;;(gnuzilla-commit (string-append "v" upstream-icecat-base-version))
-         (gnuzilla-commit "32631cac00953abbac61dc7ab1a0eafbdd59b53a")
+         (gnuzilla-commit "dd79d69e5dc6e6e751195001f322b30746be6903")
          (gnuzilla-source
           (origin
             (method git-fetch)
@@ -736,7 +736,7 @@ in C/C++.")
                                       (string-take gnuzilla-commit 8)))
             (sha256
              (base32
-              "13ckga49h5azf0c6q3c6b6wcmahzyywryxgwmwr1dahsjgy0wwrw"))))
+              "1vv97wmgdmkwddh8n30dak5l8akzbw49ca0w6krhq9dnj7n74cxh"))))
 
          ;; 'search-patch' returns either a valid file name or #f, so wrap it
          ;; in 'assume-valid-file-name' to avoid 'local-file' warnings.
@@ -750,7 +750,6 @@ in C/C++.")
     (origin
       (method computed-origin-method)
       (file-name (string-append "icecat-" %icecat-version ".tar.xz"))
-      (patches (search-patches "icecat-CVE-2021-43527.patch"))
       (sha256 #f)
       (uri
        (delay
diff --git a/gnu/packages/patches/icecat-CVE-2021-43527.patch b/gnu/packages/patches/icecat-CVE-2021-43527.patch
deleted file mode 100644
index 66706ea5e0..0000000000
--- a/gnu/packages/patches/icecat-CVE-2021-43527.patch
+++ /dev/null
@@ -1,354 +0,0 @@
-Fixes CVE-2021-43527.
-Copied from <https://hg.mozilla.org/projects/nss/rev/dea71cbef9e03636f37c6cb120f8deccce6e17dd>,
-but with the file names adjusted to allow easy use within GNU Guix.
-
-# HG changeset patch
-# User Dennis Jackson <djackson@mozilla.com>
-# Date 1637577642 0
-# Node ID dea71cbef9e03636f37c6cb120f8deccce6e17dd
-# Parent  da3d22d708c9cc0a32cff339658aeb627575e371
-Bug 1737470 - Ensure DER encoded signatures are within size limits. r=jschanck,mt,bbeurdouche,rrelyea
-
-Differential Revision: https://phabricator.services.mozilla.com/D129514
-
---- a/security/nss/lib/cryptohi/secvfy.c
-+++ b/security/nss/lib/cryptohi/secvfy.c
-@@ -159,58 +159,89 @@ verifyPKCS1DigestInfo(const VFYContext *
-     SECItem pkcs1DigestInfo;
-     pkcs1DigestInfo.data = cx->pkcs1RSADigestInfo;
-     pkcs1DigestInfo.len = cx->pkcs1RSADigestInfoLen;
-     return _SGN_VerifyPKCS1DigestInfo(
-         cx->hashAlg, digest, &pkcs1DigestInfo,
-         PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
- }
- 
-+static unsigned int
-+checkedSignatureLen(const SECKEYPublicKey *pubk)
-+{
-+    unsigned int sigLen = SECKEY_SignatureLen(pubk);
-+    if (sigLen == 0) {
-+        /* Error set by SECKEY_SignatureLen */
-+        return sigLen;
-+    }
-+    unsigned int maxSigLen;
-+    switch (pubk->keyType) {
-+        case rsaKey:
-+        case rsaPssKey:
-+            maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
-+            break;
-+        case dsaKey:
-+            maxSigLen = DSA_MAX_SIGNATURE_LEN;
-+            break;
-+        case ecKey:
-+            maxSigLen = 2 * MAX_ECKEY_LEN;
-+            break;
-+        default:
-+            PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-+            return 0;
-+    }
-+    if (sigLen > maxSigLen) {
-+        PORT_SetError(SEC_ERROR_INVALID_KEY);
-+        return 0;
-+    }
-+    return sigLen;
-+}
-+
- /*
-  * decode the ECDSA or DSA signature from it's DER wrapping.
-  * The unwrapped/raw signature is placed in the buffer pointed
-  * to by dsig and has enough room for len bytes.
-  */
- static SECStatus
- decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
-                        unsigned int len)
- {
-     SECItem *dsasig = NULL; /* also used for ECDSA */
--    SECStatus rv = SECSuccess;
- 
--    if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
--        (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
--        if (sig->len != len) {
--            PORT_SetError(SEC_ERROR_BAD_DER);
--            return SECFailure;
-+    /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
-+    if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
-+        if (len > DSA_MAX_SIGNATURE_LEN) {
-+            goto loser;
-         }
--
--        PORT_Memcpy(dsig, sig->data, sig->len);
--        return SECSuccess;
-+    } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
-+        if (len > MAX_ECKEY_LEN * 2) {
-+            goto loser;
-+        }
-+    } else {
-+        goto loser;
-     }
- 
--    if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
--        if (len > MAX_ECKEY_LEN * 2) {
--            PORT_SetError(SEC_ERROR_BAD_DER);
--            return SECFailure;
--        }
-+    /* Decode and pad to length */
-+    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
-+    if (dsasig == NULL) {
-+        goto loser;
-     }
--    dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
--
--    if ((dsasig == NULL) || (dsasig->len != len)) {
--        rv = SECFailure;
--    } else {
--        PORT_Memcpy(dsig, dsasig->data, dsasig->len);
-+    if (dsasig->len != len) {
-+        SECITEM_FreeItem(dsasig, PR_TRUE);
-+        goto loser;
-     }
- 
--    if (dsasig != NULL)
--        SECITEM_FreeItem(dsasig, PR_TRUE);
--    if (rv == SECFailure)
--        PORT_SetError(SEC_ERROR_BAD_DER);
--    return rv;
-+    PORT_Memcpy(dsig, dsasig->data, len);
-+    SECITEM_FreeItem(dsasig, PR_TRUE);
-+
-+    return SECSuccess;
-+
-+loser:
-+    PORT_SetError(SEC_ERROR_BAD_DER);
-+    return SECFailure;
- }
- 
- const SEC_ASN1Template hashParameterTemplate[] =
-     {
-       { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECItem) },
-       { SEC_ASN1_OBJECT_ID, 0 },
-       { SEC_ASN1_SKIP_REST },
-       { 0 }
-@@ -276,17 +307,17 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg
-  *
-  * Returns: SECSuccess if the algorithm was acceptable, SECFailure if the
-  *	algorithm was not found or was not a signing algorithm.
-  */
- SECStatus
- sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
-                  const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
- {
--    int len;
-+    unsigned int len;
-     PLArenaPool *arena;
-     SECStatus rv;
-     SECItem oid;
-     SECOidTag encalg;
- 
-     PR_ASSERT(hashalg != NULL);
-     PR_ASSERT(encalgp != NULL);
- 
-@@ -461,58 +492,62 @@ vfy_CreateContext(const SECKEYPublicKey 
-     cx->wincx = wincx;
-     cx->hasSignature = (sig != NULL);
-     cx->encAlg = encAlg;
-     cx->hashAlg = hashAlg;
-     cx->key = SECKEY_CopyPublicKey(key);
-     cx->pkcs1RSADigestInfo = NULL;
-     rv = SECSuccess;
-     if (sig) {
--        switch (type) {
--            case rsaKey:
--                rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
--                                            &cx->pkcs1RSADigestInfo,
--                                            &cx->pkcs1RSADigestInfoLen,
--                                            cx->key,
--                                            sig, wincx);
--                break;
--            case rsaPssKey:
--                sigLen = SECKEY_SignatureLen(key);
--                if (sigLen == 0) {
--                    /* error set by SECKEY_SignatureLen */
--                    rv = SECFailure;
-+        rv = SECFailure;
-+        if (type == rsaKey) {
-+            rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
-+                                        &cx->pkcs1RSADigestInfo,
-+                                        &cx->pkcs1RSADigestInfoLen,
-+                                        cx->key,
-+                                        sig, wincx);
-+        } else {
-+            sigLen = checkedSignatureLen(key);
-+            /* Check signature length is within limits */
-+            if (sigLen == 0) {
-+                /* error set by checkedSignatureLen */
-+                rv = SECFailure;
-+                goto loser;
-+            }
-+            if (sigLen > sizeof(cx->u)) {
-+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                rv = SECFailure;
-+                goto loser;
-+            }
-+            switch (type) {
-+                case rsaPssKey:
-+                    if (sig->len != sigLen) {
-+                        PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                        rv = SECFailure;
-+                        goto loser;
-+                    }
-+                    PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
-+                    rv = SECSuccess;
-                     break;
--                }
--                if (sig->len != sigLen) {
--                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                case ecKey:
-+                case dsaKey:
-+                    /* decodeECorDSASignature will check sigLen == sig->len after padding */
-+                    rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
-+                    break;
-+                default:
-+                    /* Unreachable */
-                     rv = SECFailure;
--                    break;
--                }
--                PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
--                break;
--            case dsaKey:
--            case ecKey:
--                sigLen = SECKEY_SignatureLen(key);
--                if (sigLen == 0) {
--                    /* error set by SECKEY_SignatureLen */
--                    rv = SECFailure;
--                    break;
--                }
--                rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
--                break;
--            default:
--                rv = SECFailure;
--                PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
--                break;
-+                    goto loser;
-+            }
-+        }
-+        if (rv != SECSuccess) {
-+            goto loser;
-         }
-     }
- 
--    if (rv)
--        goto loser;
--
-     /* check hash alg again, RSA may have changed it.*/
-     if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
-         /* error set by HASH_GetHashTypeByOidTag */
-         goto loser;
-     }
-     /* check the policy on the hash algorithm. Do this after
-      * the rsa decode because some uses of this function get hash implicitly
-      * from the RSA signature itself. */
-@@ -645,21 +680,26 @@ VFY_EndWithSignature(VFYContext *cx, SEC
-     if (cx->hashcx == NULL) {
-         PORT_SetError(SEC_ERROR_INVALID_ARGS);
-         return SECFailure;
-     }
-     (*cx->hashobj->end)(cx->hashcx, final, &part, sizeof(final));
-     switch (cx->key->keyType) {
-         case ecKey:
-         case dsaKey:
--            dsasig.data = cx->u.buffer;
--            dsasig.len = SECKEY_SignatureLen(cx->key);
-+            dsasig.len = checkedSignatureLen(cx->key);
-             if (dsasig.len == 0) {
-                 return SECFailure;
-             }
-+            if (dsasig.len > sizeof(cx->u)) {
-+                PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-+                return SECFailure;
-+            }
-+            dsasig.data = cx->u.buffer;
-+
-             if (sig) {
-                 rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
-                                             dsasig.len);
-                 if (rv != SECSuccess) {
-                     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                     return SECFailure;
-                 }
-             }
-@@ -681,18 +721,23 @@ VFY_EndWithSignature(VFYContext *cx, SEC
-                                                        cx->params,
-                                                        &mech);
-                 PORT_DestroyCheapArena(&tmpArena);
-                 if (rv != SECSuccess) {
-                     return SECFailure;
-                 }
- 
-                 rsasig.data = cx->u.buffer;
--                rsasig.len = SECKEY_SignatureLen(cx->key);
-+                rsasig.len = checkedSignatureLen(cx->key);
-                 if (rsasig.len == 0) {
-+                    /* Error set by checkedSignatureLen */
-+                    return SECFailure;
-+                }
-+                if (rsasig.len > sizeof(cx->u)) {
-+                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                     return SECFailure;
-                 }
-                 if (sig) {
-                     if (sig->len != rsasig.len) {
-                         PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                         return SECFailure;
-                     }
-                     PORT_Memcpy(rsasig.data, sig->data, rsasig.len);
-@@ -744,37 +789,42 @@ VFY_End(VFYContext *cx)
- static SECStatus
- vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
-                  const SECItem *sig, SECOidTag encAlg, SECOidTag hashAlg,
-                  void *wincx)
- {
-     SECStatus rv;
-     VFYContext *cx;
-     SECItem dsasig; /* also used for ECDSA */
--
-     rv = SECFailure;
- 
-     cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
-     if (cx != NULL) {
-         switch (key->keyType) {
-             case rsaKey:
-                 rv = verifyPKCS1DigestInfo(cx, digest);
-+                /* Error (if any) set by verifyPKCS1DigestInfo */
-                 break;
--            case dsaKey:
-             case ecKey:
-+            case dsaKey:
-                 dsasig.data = cx->u.buffer;
--                dsasig.len = SECKEY_SignatureLen(cx->key);
-+                dsasig.len = checkedSignatureLen(cx->key);
-                 if (dsasig.len == 0) {
-+                    /* Error set by checkedSignatureLen */
-+                    rv = SECFailure;
-                     break;
-                 }
--                if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
--                    SECSuccess) {
-+                if (dsasig.len > sizeof(cx->u)) {
-                     PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
--                } else {
--                    rv = SECSuccess;
-+                    rv = SECFailure;
-+                    break;
-+                }
-+                rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
-+                if (rv != SECSuccess) {
-+                    PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
-                 }
-                 break;
-             default:
-                 break;
-         }
-         VFY_DestroyContext(cx, PR_TRUE);
-     }
-     return rv;
-