1a9b272c09
Fixes CVE-2016-1950. See: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.23_release_notes
86 lines
3.6 KiB
Diff
86 lines
3.6 KiB
Diff
diff --git a/nss/cmd/shlibsign/shlibsign.c b/nss/cmd/shlibsign/shlibsign.c
|
|
index 63a4836..a128c1d 100644
|
|
--- a/nss/cmd/shlibsign/shlibsign.c
|
|
+++ b/nss/cmd/shlibsign/shlibsign.c
|
|
@@ -862,6 +862,8 @@ int main(int argc, char **argv)
|
|
libname = PR_GetLibraryName(NULL, "softokn3");
|
|
assert(libname != NULL);
|
|
lib = PR_LoadLibrary(libname);
|
|
+ if (!lib)
|
|
+ lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so");
|
|
assert(lib != NULL);
|
|
PR_FreeLibraryName(libname);
|
|
|
|
diff --git a/nss/coreconf/config.mk b/nss/coreconf/config.mk
|
|
index 61d757b..b58a98b 100644
|
|
--- a/nss/coreconf/config.mk
|
|
+++ b/nss/coreconf/config.mk
|
|
@@ -205,3 +205,6 @@ $(error Setting NSS_ENABLE_TLS_1_3 and NSS_DISABLE_ECC isn't a good idea.)
|
|
endif
|
|
DEFINES += -DNSS_ENABLE_TLS_1_3
|
|
endif
|
|
+
|
|
+# Nix specific stuff.
|
|
+DEFINES += -DNIX_NSS_LIBDIR=\"$(out)/lib/\"
|
|
diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c
|
|
index 5c5d2ca..026e528 100644
|
|
--- a/nss/lib/pk11wrap/pk11load.c
|
|
+++ b/nss/lib/pk11wrap/pk11load.c
|
|
@@ -429,6 +429,13 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
|
|
* unload the library if anything goes wrong from here on out...
|
|
*/
|
|
library = PR_LoadLibrary(mod->dllName);
|
|
+ if ((library == NULL) &&
|
|
+ !rindex(mod->dllName, PR_GetDirectorySeparator())) {
|
|
+ library = PORT_LoadLibraryFromOrigin(my_shlib_name,
|
|
+ (PRFuncPtr) &softoken_LoadDSO,
|
|
+ mod->dllName);
|
|
+ }
|
|
+
|
|
mod->library = (void *)library;
|
|
|
|
if (library == NULL) {
|
|
diff --git a/nss/lib/util/secload.c b/nss/lib/util/secload.c
|
|
index eb8a9ec..f94f67d 100644
|
|
--- a/nss/lib/util/secload.c
|
|
+++ b/nss/lib/util/secload.c
|
|
@@ -69,9 +69,14 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name)
|
|
|
|
/* Remove the trailing filename from referencePath and add the new one */
|
|
c = strrchr(referencePath, PR_GetDirectorySeparator());
|
|
+ if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0]
|
|
+ * and program was called from $PATH. Hack to get libs from NIX_NSS_LIBDIR */
|
|
+ referencePath = NIX_NSS_LIBDIR;
|
|
+ c = (char*) &referencePath[sizeof(NIX_NSS_LIBDIR) - 1]; /* last / */
|
|
+ }
|
|
if (c) {
|
|
size_t referencePathSize = 1 + c - referencePath;
|
|
- fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 1);
|
|
+ fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5);
|
|
if (fullName) {
|
|
memcpy(fullName, referencePath, referencePathSize);
|
|
strcpy(fullName + referencePathSize, name);
|
|
@@ -81,6 +86,11 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name)
|
|
#endif
|
|
libSpec.type = PR_LibSpec_Pathname;
|
|
libSpec.value.pathname = fullName;
|
|
+ if ((referencePathSize >= 4) &&
|
|
+ (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) {
|
|
+ memcpy(fullName + referencePathSize -4, "lib", 3);
|
|
+ }
|
|
+ strcpy(fullName + referencePathSize, name);
|
|
dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL
|
|
#ifdef PR_LD_ALT_SEARCH_PATH
|
|
/* allow library's dependencies to be found in the same directory
|
|
@@ -88,6 +98,10 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name)
|
|
| PR_LD_ALT_SEARCH_PATH
|
|
#endif
|
|
);
|
|
+ if (! dlh) {
|
|
+ strcpy(fullName + referencePathSize, name);
|
|
+ dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
|
|
+ }
|
|
PORT_Free(fullName);
|
|
}
|
|
}
|