From 88a947fc0b44ef8b91de7e8e404a468dfb6c4569 Mon Sep 17 00:00:00 2001
From: Bob Relyea
Date: Fri, 16 Apr 2021 14:12:00 -0700
Subject: [PATCH] Resolves: rhbz#1926367 Restore RHEL-8 patch to prevent MD5 and MD4 hash operations
---
 nss-disable-md5.patch | 41 +++++++++++++++++++++++++++++++++++++++++
 nss-dso-ldflags.patch | 13 +++++++++++++
 nss.spec | 21 +++++++++++++++------
 3 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 nss-disable-md5.patch
 create mode 100644 nss-dso-ldflags.patch
diff --git a/nss-disable-md5.patch b/nss-disable-md5.patch
new file mode 100644
index 0000000..3e05210
--- /dev/null
+++ b/nss-disable-md5.patch
@@ -0,0 +1,41 @@
+diff -r 699541a7793b lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/pk11wrap/pk11pars.c Thu Jun 25 14:33:09 2020 +0200
+@@ -323,11 +323,11 @@
+ static const oidValDef hashOptList[] = {
+ /* Hashes */
+ { CIPHER_NAME("MD2"), SEC_OID_MD2,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD4"), SEC_OID_MD4,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("MD5"), SEC_OID_MD5,
+- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
++ 0 },
+ { CIPHER_NAME("SHA1"), SEC_OID_SHA1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ { CIPHER_NAME("SHA224"), SEC_OID_SHA224,
+diff -r 699541a7793b lib/util/secoid.c
+--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
++++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
+@@ -2042,6 +2042,19 @@
+ int i;
+ 
+ for (i = 1; i < SEC_OID_TOTAL; i++) {
++ switch (i) {
++ case SEC_OID_MD2:
++ case SEC_OID_MD4:
++ case SEC_OID_MD5:
++ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
++ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
++ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
++ continue;
++ default:
++ break;
++ }
+ if (oids[i].desc && strstr(arg, oids[i].desc)) {
+ xOids[i].notPolicyFlags = notEnable |
+ (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff --git a/nss-dso-ldflags.patch b/nss-dso-ldflags.patch
new file mode 100644
index 0000000..d5485ae
--- /dev/null
+++ b/nss-dso-ldflags.patch
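Review bot: The eight-case `switch` added to the secoid.c loop is a hand-maintained exemption list with no comment saying why those OIDs are excluded from the `strstr(arg, oids[i].desc)` match, so a maintainer adding another MD2/MD4/MD5-based OID to oids[] would not know to extend it; a comment above the `switch`, e.g. `/* RHEL: MD2/MD4/MD5-based OIDs are pinned off and cannot be toggled via NSS_HASH_ALG_SUPPORT; keep in sync with oids[] */`, would record the invariant. Because the `continue` skips the assignment in both directions, it also ignores a request to disable these OIDs, which is only harmless if their default notPolicyFlags in oids[] already mark them disallowed — worth confirming rather than assuming. In the pk11pars.c part, zeroing the flags for MD2/MD4/MD5 presumably turns `allow=MD5` in the policy into a silent no-op rather than an error; if the policy parser also accepts an explicit per-algorithm value suffix that replaces the table flags (confirm in pk11pars.c), that form could still set NSS_USE_ALG_IN_CERT_SIGNATURE, so a regression test asserting MD5 stays disallowed for certificate signatures after an `allow=` policy is applied would pin the intended RHEL 8 semantics. Both inner hunks cut their definitions: hashOptList continues past the first hunk, and the secoid.c function begins and ends outside the second.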
@@ -0,0 +1,13 @@
+Index: nss/coreconf/Linux.mk
+===================================================================
+--- nss.orig/coreconf/Linux.mk
++++ nss/coreconf/Linux.mk
+@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
+ endif
+ 
+ DSO_CFLAGS = -fPIC
+-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
+ # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
+ # incorrectly reports undefined references in the libraries we link with, so
+ # we don't use -z defs there.
diff --git a/nss.spec b/nss.spec
index f44ba1d..1180604 100644
--- a/nss.spec
+++ b/nss.spec
@@ -2,7 +2,7 @@
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
-%global nspr_release 1
+%global nspr_release 2
 %global nss_version 3.63.0
 # only need to update this as we added new
 # algorithms under nss policy control
@@ -56,7 +56,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Requires: nspr >= %{nspr_version}
@@ -129,6 +129,10 @@ Patch20: nss-gcm-param-default-pkcs11v2.patch
 %endif
 # can drop this patch when the underlying btrfs/sqlite issue is solved
 Patch30: nss-fedora-btrf-sql-hack.patch
+# connect our shared library to the build root loader flags (needed for -relro)
+Patch31: nss-dso-ldflags.patch
+# keep RHEL 8 semantics of disabling md4 and md5 even if the env variable is set
+Patch32: nss-disable-md5.patch
 Patch100: nspr-config-pc.patch
 Patch101: nspr-gcc-atomics.patch
 
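Review bot: `$(DSO_LDFLAGS)` is appended to DSO_LDOPTS but nothing in this commit defines or exports it — the diffstat accounts for all 15 nss.spec insertions without a `DSO_LDFLAGS=` line — so unless the spec's %build already exports it (not visible here) the shared libraries still link without the hardening flags the Patch31 comment cites (-relro). A comment above the assignment, e.g. `# DSO_LDFLAGS: optional extra linker flags supplied by the build environment (distro hardening flags)`, would document the hook, and a build-time check that the installed .so files actually carry RELRO/BIND_NOW (readelf -d) would confirm it takes effect. The Linux.mk block continues before and after this hunk.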
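Review bot: Patch31 and Patch32 are declared, but no `%patch31`/`%patch32` application lines appear anywhere in the commit (the visible hunks account for every nss.spec insertion), so this relies on %prep applying patches automatically; if %prep uses `%autopatch -p1 -M 99` as the 31/32 versus 100/101 numbering suggests, that is fine, otherwise both patches are inert and MD5 stays enabled. The Patch32 comment understates what the patch does — it covers MD2 as well as MD4/MD5 and blocks both the environment variable and the policy file — so `# keep RHEL 8 semantics: MD2/MD4/MD5 stay disabled even if NSS_HASH_ALG_SUPPORT or the crypto policy tries to enable them` would describe it accurately.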
@@ -259,7 +263,7 @@ Header and library files for doing development with Network Security Services.
 %package -n nspr
 Summary: Netscape Portable Runtime
 Version: %{nspr_version}
-Release: %{nspr_release}%{?dist}.1
+Release: %{nspr_release}%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/nspr/
 Conflicts: filesystem < 3
@@ -274,7 +278,7 @@ memory management (malloc and free) and shared library linking.
 %package -n nspr-devel
 Summary: Development libraries for the Netscape Portable Runtime
 Version: %{nspr_version}
-Release: %{nspr_release}%{?dist}.1
+Release: %{nspr_release}%{?dist}
 Requires: nspr%{?_isa} = %{nspr_version}-%{nspr_release}%{?dist}
 Requires: pkgconfig
 BuildRequires: xmlto
@@ -1052,8 +1056,13 @@ update-crypto-policies &> /dev/null || :
 %changelog
-* Fri Apr 16 2021 Mohan Boddu
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Fri Apr 16 2021 Bob Relyea - 3.63.0-3
+ - prevent MD5 from being enabled even with the environment variables
+ and policy. This mirrors the rhel8 semantics.
+ - add DSO_LDFLAGS support so we pick up system LDFLAGS in our shared libraries
+
+* Fri Apr 16 2021 Mohan Boddu - 3.63.0-2
+ - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
 * Wed Mar 24 2021 Bob Relyea - 3.63.0-1
 - Update NSS to 3.62