- upstream patches to avoid calling netstat for random data

2007-12-03 21:19:26 +00:00 · 2007-12-03 21:19:26 +00:00 · eded0595cb
commit eded0595cb
parent 4746ec66a3
2 changed files with 70 additions and 1 deletions
--- a/nss-unix_rand.patch
+++ b/nss-unix_rand.patch
@ -0,0 +1,64 @@
+Index: mozilla/security/nss/lib/freebl/unix_rand.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/freebl/unix_rand.c,v
+retrieving revision 1.25
+retrieving revision 1.28
+diff -u -r1.25 -r1.28
+--- mozilla/security/nss/lib/freebl/unix_rand.c	25 Jul 2007 22:54:35 -0000	1.25
+++ mozilla/security/nss/lib/freebl/unix_rand.c	3 Dec 2007 21:07:01 -0000	1.28
+@@ -866,7 +866,8 @@
+     /* if the child hasn't exited, kill it -- we're done with its output */
+     while ((rv = waitpid(pid, &status, WNOHANG)) == -1 && errno == EINTR)
+ 	;
+-    if (rv == 0 && kill(pid, SIGKILL) == 0) {
+    if (rv == 0) {
+	kill(pid, SIGKILL);
+ 	while ((rv = waitpid(pid, &status, 0)) == -1 && errno == EINTR)
+ 	    ;
+     }
+@@ -921,15 +922,6 @@
+     };
+ #endif
+ 
+-#ifdef DO_PS
+-For now it is considered that it is too expensive to run the ps command
+-for the small amount of entropy it provides.
+-#if defined(__sun) && (!defined(__svr4) && !defined(SVR4)) || defined(bsdi) || defined(LINUX)
+-    static char ps_cmd[] = "ps aux";
+-#else
+-    static char ps_cmd[] = "ps -el";
+-#endif
+-#endif /* DO_PS */
+ #if defined(BSDI)
+     static char netstat_ni_cmd[] = "netstat -nis";
+ #else
+@@ -980,9 +972,12 @@
+  * in a pthreads environment.  Therefore, we call safe_popen last and on
+  * BSD/OS we do not call safe_popen when we succeeded in getting data
+  * from /dev/urandom.
+ *
+ * Bug 174993: LINUX provides /dev/urandom, don't fork netstat
+ * if data has been gathered successfully
+  */
+ 
+-#ifdef BSDI
+#if defined(BSDI) || defined(LINUX)
+     if (bytes)
+         return;
+ #endif
+@@ -1010,15 +1005,6 @@
+     }
+ #endif
+ 
+-#ifdef DO_PS
+-    fp = safe_popen(ps_cmd);
+-    if (fp != NULL) {
+-	while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
+-	    RNG_RandomUpdate(buf, bytes);
+-	safe_pclose(fp);
+-    }
+-#endif
+-
+ #ifdef DO_NETSTAT
+     fp = safe_popen(netstat_ni_cmd);
+     if (fp != NULL) {
--- a/nss.spec
+++ b/nss.spec
@ -4,7 +4,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.11.99.2
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -30,6 +30,7 @@ Source12:         %{name}-pem.tar.gz

 Patch1:           nss-no-rpath.patch
 Patch2:           nss-nolocalsql.patch
+Patch3:           nss-unix_rand.patch
 Patch6:           nss-enable-pem.patch
 Patch7:           nss-create-obj.patch

@ -86,6 +87,7 @@ low level services.

 %patch1 -p0
 %patch2 -p0
+%patch3 -p0
 %patch6 -p0 -b .libpem
 %patch7 -p0 -b .create-obj

@ -386,6 +388,9 @@ done


 %changelog
+* Mon Dec 03 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-2
+- upstream patches to avoid calling netstat for random data
+
 * Wed Nov 07 2007 Kai Engert <kengert@redhat.com> - 3.11.99.2-1
 - NSS 3.12 alpha 2