aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMaxim Cournoyer <maxim.cournoyer@gmail.com>2024-04-24 11:22:30 -0400
committerMaxim Cournoyer <maxim.cournoyer@gmail.com>2024-04-26 07:05:50 -0400
commite584ff08b162c46ef587daca438e97d56bc20b32 (patch)
tree04ee3fcf693ed8561443bb4450dda9bfacfd6c34
parenteb239e4793fb7b93c14ef52fedca01d2b01de0a0 (diff)
downloadguix-e584ff08b162c46ef587daca438e97d56bc20b32.tar.gz
guix-e584ff08b162c46ef587daca438e97d56bc20b32.zip
gnu: nss: Graft with version 3.98 [security fixes].
This fixes CVE-2023-5388, CVE-2023-6135 and CVE-2024-0743. * gnu/packages/nss.scm (nss) [replacement]: New field. (nss-3.98): Rename variable to... (nss/fixed): ... this. Make it a hidden package. * gnu/packages/librewolf.scm (librewolf) [inputs]: Replace nss-3.98 with nss/fixed. Change-Id: I8cc667c53a270dfe00738bf731923f1342036624
-rw-r--r--gnu/packages/librewolf.scm2
-rw-r--r--gnu/packages/nss.scm71
2 files changed, 38 insertions, 35 deletions
diff --git a/gnu/packages/librewolf.scm b/gnu/packages/librewolf.scm
index 87b76c661f..1717bad0b5 100644
--- a/gnu/packages/librewolf.scm
+++ b/gnu/packages/librewolf.scm
@@ -581,7 +581,7 @@ StartupWMClass=Navigator"))
mesa
mit-krb5
nspr
- nss-3.98
+ nss/fixed
pango
pciutils
pipewire
diff --git a/gnu/packages/nss.scm b/gnu/packages/nss.scm
index a2843be17a..8f6ed06e63 100644
--- a/gnu/packages/nss.scm
+++ b/gnu/packages/nss.scm
@@ -110,6 +110,7 @@ in the Mozilla clients.")
;; version and source to avoid a top-level variable reference & module
;; cycle.
(version "3.88.1")
+ (replacement nss/fixed)
(source (origin
(method url-fetch)
(uri (let ((version-with-underscores
@@ -248,38 +249,40 @@ PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
security standards.")
(license license:mpl2.0)))
-(define-public nss-3.98
- (package
- (inherit nss)
- (version "3.98")
- (source (origin
- (inherit (package-source nss))
- (uri (let ((version-with-underscores
- (string-join (string-split version #\.) "_")))
- (string-append
- "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
- "releases/NSS_" version-with-underscores "_RTM/src/"
- "nss-" version ".tar.gz")))
- (sha256
- (base32
- "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
- (arguments
- (substitute-keyword-arguments (package-arguments nss)
- ((#:phases phases)
- #~(modify-phases #$phases
- (replace 'check
- (lambda* (#:key tests? #:allow-other-keys)
- (if tests?
- (begin
- ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
- ;; testing. The latter requires a working DNS or /etc/hosts.
- (setenv "DOMSUF" "localdomain")
- (setenv "USE_IP" "TRUE")
- (setenv "IP_ADDRESS" "127.0.0.1")
+(define-public nss/fixed
+ (let ((actual-version "3.98"))
+ (hidden-package
+ (package
+ (inherit nss)
+ (version (string-append actual-version ".0")) ;for grafts requirements
+ (source (origin
+ (inherit (package-source nss))
+ (uri (let ((version-with-underscores
+ (string-join (string-split actual-version #\.) "_")))
+ (string-append
+ "https://ftp.mozilla.org/pub/mozilla.org/security/nss/"
+ "releases/NSS_" version-with-underscores "_RTM/src/"
+ "nss-" actual-version ".tar.gz")))
+ (sha256
+ (base32
+ "1kh98amfklrq6915n4mlbrcqghc3srm7rkzs9dkh21jwscrwqjgm"))))
+ (arguments
+ (substitute-keyword-arguments (package-arguments nss)
+ ((#:phases phases)
+ #~(modify-phases #$phases
+ (replace 'check
+ (lambda* (#:key tests? #:allow-other-keys)
+ (if tests?
+ (begin
+ ;; Use 127.0.0.1 instead of $HOST.$DOMSUF as HOSTADDR for
+ ;; testing. The latter requires a working DNS or /etc/hosts.
+ (setenv "DOMSUF" "localdomain")
+ (setenv "USE_IP" "TRUE")
+ (setenv "IP_ADDRESS" "127.0.0.1")
- ;; The "PayPalEE.cert" certificate expires every six months,
- ;; leading to test failures:
- ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
- ;; work around that, set the time to roughly the release date.
- (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
- (format #t "test suite not run~%"))))))))))
+ ;; The "PayPalEE.cert" certificate expires every six months,
+ ;; leading to test failures:
+ ;; <https://bugzilla.mozilla.org/show_bug.cgi?id=609734>. To
+ ;; work around that, set the time to roughly the release date.
+ (invoke "faketime" "2024-01-23" "./nss/tests/all.sh"))
+ (format #t "test suite not run~%"))))))))))))