6.2 stable (#539)

* Revert a patch in NSS that causes crashes when system is started in FIPS kernel mode. Also update SQLITE3. Use system libraries to prevent the crashes. * Fix a known exploit in SAMBA * Make sure Firefox always uses the created profile. This comes into play when other applications use the user's Firefox profile * When populating the user's home, respect the umask set above
Thinstation · Feb 20, 2020 · 2bc693b · 2bc693b
1 parent 408ec62
commit 2bc693b
Show file tree

Hide file tree

Showing 15 changed files with 102 additions and 8 deletions.
diff --git a/ts/build/build.urls b/ts/build/build.urls
@@ -1,4 +1,4 @@
-param firefoxurl	https://download-installer.cdn.mozilla.net/pub/firefox/releases/68.3.0esr/linux-x86_64/en-US/firefox-68.3.0esr.tar.bz2
+param firefoxurl	https://download-installer.cdn.mozilla.net/pub/firefox/releases/68.5.0esr/linux-x86_64/en-US/firefox-68.5.0esr.tar.bz2
 param flashurl		https://fpdownload.adobe.com/pub/flashplayer/pdc/32.0.0.303/flash_player_npapi_linux.x86_64.tar.gz
 param thinlincurl       https://www.cendio.com/downloads/clients/tl-4.11.0-6323-client-linux-dynamic-x86_64.tar.gz
 param nxurl             https://download.nomachine.com/download/6.8/Linux/nomachine_6.8.1_1_x86_64.tar.gz

diff --git a/ts/build/packages/base/sbin/session b/ts/build/packages/base/sbin/session
@@ -25,7 +25,7 @@ if [ "$1" == "open" ]; then
 	mkdir -p $HOME
 	for file in `ls -A /etc/skel`; do
 		if ! [ -e $HOME/$file ]; then
-			cp -a /etc/skel/$file $HOME/. 2>/dev/null
+			cp -dR /etc/skel/$file $HOME/. 2>/dev/null
 		fi
 	done
 	chown -R "$TSUSER.`id -gn $TSUSER`" $HOME

diff --git a/ts/build/packages/firefox/build/finalize b/ts/build/packages/firefox/build/finalize
@@ -38,3 +38,11 @@ if [ ! -e /lib/firefox/distribution ]; then
 }
 EOF
 fi
+
+for i in /lib/firefox/*.so /lib/firefox/*.chk; do
+	file=`basename $i`
+	if [ -e /lib/$file ]; then
+		rm $i
+		ln /lib/$file $i
+	fi
+done
diff --git a/ts/build/packages/firefox/etc/cmd/firefox.options b/ts/build/packages/firefox/etc/cmd/firefox.options
@@ -9,5 +9,5 @@ if [ ! -e ~/.mozilla/firefox/profiles.ini ]; then
 		done
 		cat ~/.mozilla/firefox/$Path/e.tail.tpl >> ~/.mozilla/firefox/$Path/extensions.json
 	fi
-	MISC_OPTIONS="-P default-esr "
 fi
+MISC_OPTIONS="-P default-esr "
diff --git a/ts/ports/opt/nss/.md5sum b/ts/ports/opt/nss/.md5sum
@@ -1,3 +1,4 @@
 e0fe0d828091919746eabba57ca5f155  nss-3.46.1.tar.gz
 17226659298a9d9bb3f323186d220f6f  nss-config.in
 a796e6ab6c87573ffb649ce8769bc07a  nss.pc.in
+25afb9d5764efabdc356ed9a34d9504b  revert-proc-fips.patch
diff --git a/ts/ports/opt/nss/Pkgfile b/ts/ports/opt/nss/Pkgfile
@@ -8,10 +8,12 @@ version=3.46.1
 release=1
 _version=$(echo $version |sed 's/\./_/g')
 source=(http://ftp.mozilla.org/pub/security/nss/releases/NSS_${_version}_RTM/src/$name-$version.tar.gz \
+	revert-proc-fips.patch
         nss-config.in nss.pc.in)
 
 build() {
 	cd $name-$version/nss
+	patch -Np2 < ../../revert-proc-fips.patch
 
 	./build.sh -v --opt --system-sqlite --system-nspr --enable-libpkix --disable-tests --enable-fips
 

diff --git a/ts/ports/opt/nss/nss#3.46.1-1.pkg.tar.xz b/ts/ports/opt/nss/nss#3.46.1-1.pkg.tar.xz
diff --git a/ts/ports/opt/nss/revert-proc-fips.patch b/ts/ports/opt/nss/revert-proc-fips.patch
@@ -0,0 +1,81 @@
+--- nss-3.43/nss/lib/pk11wrap/pk11util.c	2019-03-15 20:25:08.000000000 -0400
++++ nss-3.42.1/nss/lib/pk11wrap/pk11util.c	2019-01-31 12:41:49.000000000 -0500
+@@ -95,31 +95,6 @@
+     return SECSuccess;
+ }
+
+-int
+-secmod_GetSystemFIPSEnabled(void)
+-{
+-#ifdef LINUX
+-    FILE *f;
+-    char d;
+-    size_t size;
+-
+-    f = fopen("/proc/sys/crypto/fips_enabled", "r");
+-    if (!f) {
+-        return 0;
+-    }
+-
+-    size = fread(&d, 1, sizeof(d), f);
+-    fclose(f);
+-    if (size != sizeof(d)) {
+-        return 0;
+-    }
+-    if (d == '1') {
+-        return 1;
+-    }
+-#endif
+-    return 0;
+-}
+-
+ /*
+  * retrieve the internal module
+  */
+@@ -453,7 +428,7 @@
+     SECMODModuleList **mlpp;
+     SECStatus rv = SECFailure;
+
+-    if (secmod_GetSystemFIPSEnabled() || pendingModule) {
++    if (pendingModule) {
+         PORT_SetError(SEC_ERROR_MODULE_STUCK);
+         return rv;
+     }
+@@ -988,7 +963,7 @@
+ #ifdef NSS_FIPS_DISABLED
+     return PR_FALSE;
+ #else
+-    return (PRBool)((pendingModule == NULL) && !secmod_GetSystemFIPSEnabled());
++    return (PRBool)(pendingModule == NULL);
+ #endif
+ }
+
+--- nss-3.43/nss/lib/pk11wrap/secmodi.h	2019-03-15 20:25:08.000000000 -0400
++++ nss-3.42.1/nss/lib/pk11wrap/secmodi.h	2019-01-31 12:41:49.000000000 -0500
+@@ -115,13 +115,6 @@
+ CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
+                                              SECItem **param, SECItem *pwd, PRBool faulty3DES);
+
+-/* Get the state of the system FIPS mode */
+-/* NSS uses this to force FIPS mode if the system bit is on. Applications which
+- * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
+- * from FIPS mode will automatically be told that they can't swith out of FIPS
+- * mode */
+-int secmod_GetSystemFIPSEnabled();
+-
+ extern void pk11sdr_Init(void);
+ extern void pk11sdr_Shutdown(void);
+
+--- nss-3.43/nss/lib/pk11wrap/pk11pars.c	2019-03-15 20:25:08.000000000 -0400
++++ nss-3.42.1/nss/lib/pk11wrap/pk11pars.c	2019-01-31 12:41:49.000000000 -0500
+@@ -815,10 +807,6 @@
+
+     mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
+     mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
+-    /* if the system FIPS mode is enabled, force FIPS to be on */
+-    if (secmod_GetSystemFIPSEnabled()) {
+-        mod->isFIPS = PR_TRUE;
+-    }
+     mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
+     slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
+     mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
diff --git a/ts/ports/opt/samba/.md5sum b/ts/ports/opt/samba/.md5sum
@@ -1,2 +1,2 @@
 448caca4745aef1a842f4fdb1aa62e1e  samba
-96fb3a5db15b5604130649445335f326  samba-4.11.4.tar.gz
+ee41eadd86735ff72964857ba5e1f897  samba-4.11.5.tar.gz
diff --git a/ts/ports/opt/samba/Pkgfile b/ts/ports/opt/samba/Pkgfile
@@ -4,7 +4,7 @@
 # Depends on:  linux-pam libarchive libcap popt tdb tevent ldb python3
 
 name=samba
-version=4.11.4
+version=4.11.5
 release=1
 source=(https://www.samba.org/samba/ftp/stable/$name-$version.tar.gz \
         samba)

diff --git a/ts/ports/opt/samba/samba#4.11.4-1.pkg.tar.xz → ts/ports/opt/samba/samba#4.11.5-1.pkg.tar.xz b/ts/ports/opt/samba/samba#4.11.4-1.pkg.tar.xz → ts/ports/opt/samba/samba#4.11.5-1.pkg.tar.xz
diff --git a/ts/ports/opt/sqlite3/.md5sum b/ts/ports/opt/sqlite3/.md5sum
@@ -1 +1 @@
-74931054399a2d7acf35637efe8d6f45  sqlite-autoconf-3090100.tar.gz
+8f3dfe83387e62ecb91c7c5c09c688dc  sqlite-autoconf-3290000.tar.gz
diff --git a/ts/ports/opt/sqlite3/Pkgfile b/ts/ports/opt/sqlite3/Pkgfile
@@ -4,17 +4,19 @@
 # Depends on:  ncurses, readline
 
 name=sqlite3
-version=3.9.1
+version=3.29.0
 release=1
 _version=$(printf "%i%.2i%.2i%.2i" ${version//./ })
 
-source=(http://www.sqlite.org/2015/sqlite-autoconf-${_version}.tar.gz)
+source=(http://www.sqlite.org/2019/sqlite-autoconf-${_version}.tar.gz)
 
 build () {
     cd sqlite-autoconf-${_version}
 
     CFLAGS="-DSQLITE_SECURE_DELETE=1 -DSQLITE_ENABLE_COLUMN_METADATA=1 \
             -DSQLITE_ENABLE_UNLOCK_NOTIFY=1 -DSQLITE_ENABLE_DBSTAT_VTAB=1 \
+            -DSQLITE_ENABLE_FTS3=1 -DSQLITE_ENABLE_FTS4=1 \
+            -DSQLITE_ENABLE_FTS3_TOKENIZER=1 \
              $CFLAGS" \
     ./configure --prefix=/usr --mandir=/usr/man --disable-static
 

diff --git a/ts/ports/opt/sqlite3/sqlite3#3.29.0-1.pkg.tar.xz b/ts/ports/opt/sqlite3/sqlite3#3.29.0-1.pkg.tar.xz
diff --git a/ts/ports/opt/sqlite3/sqlite3#3.9.1-1.pkg.tar.xz b/ts/ports/opt/sqlite3/sqlite3#3.9.1-1.pkg.tar.xz
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		74931054399a2d7acf35637efe8d6f45 sqlite-autoconf-3090100.tar.gz
		8f3dfe83387e62ecb91c7c5c09c688dc sqlite-autoconf-3290000.tar.gz