Closed Bug 448792 Opened 16 years ago Closed 15 years ago

Debian patches for NSS 3.12

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.12
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE
Milestone:
3.12.1

People

(Reporter: wtc, Assigned: wtc)

References

(
URL
)

Details

Attachments

(26 files)

nss-3.12.0/debian/compat
2 bytes, text/plain
Details
nss-3.12.0/debian/control
2.97 KB, text/plain
Details
nss-3.12.0/debian/libnss3-tools.dirs
8 bytes, text/plain
Details
nss-3.12.0/debian/libnss3-1d.links
176 bytes, text/plain
Details
nss-3.12.0/debian/rules
3.31 KB, text/plain
Details
nss-3.12.0/debian/copyright
34.95 KB, text/plain
Details
nss-3.12.0/debian/libnss3-dev.links
60 bytes, text/plain
Details
nss-3.12.0/debian/nss.pc.in
261 bytes, text/plain
Details
nss-3.12.0/debian/watch
118 bytes, text/plain
Details
nss-3.12.0/debian/nss-config.in
2.34 KB, text/plain
Details
nss-3.12.0/debian/libnss3-1d.dirs
12 bytes, text/plain
Details
nss-3.12.0/debian/libnss3-1d.symbols
54.93 KB, text/plain
Details
nss-3.12.0/debian/libnss3-dev.dirs
42 bytes, text/plain
Details
nss-3.12.0/debian/changelog
9.41 KB, text/plain
Details
nss-3.12.0/debian/patches/00list
165 bytes, text/plain
Details
nss-3.12.0/debian/patches/38_mips64_build.dpatch
637 bytes, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/80_security_build.dpatch
538 bytes, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/81_sonames.dpatch
9.70 KB, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/90_realpath.dpatch
1000 bytes, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/38_hurd.dpatch
1.10 KB, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/80_security_tools.dpatch
901 bytes, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/91_build_pwdecrypt.dpatch
662 bytes, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/95_add_spi+cacert_ca_certs.dpatch
67.83 KB, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/85_security_load.dpatch
2.27 KB, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/25_entropy.dpatch
687 bytes, patch
Details | Diff | Splinter Review
nss-3.12.0/debian/patches/38_kbsd.dpatch
6.04 KB, patch
Details | Diff | Splinter Review 
The attached files were downloaded from
http://ftp.debian.org/debian/pool/main/n/nss/nss_3.12.0-4.diff.gz
and unpacked for your convenience.  There may be a web
interface to browse these files, but I didn't look for
it.

The actual patches are in the 'nss-3.12.0/debian/patches' directory.

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  
Comment on attachment 331957 [details] [diff] [review]
nss-3.12.0/debian/patches/95_add_spi+cacert_ca_certs.dpatch

Not going to bypass Mozilla's root cert policy. sr-

        Attachment #331957 -
        Flags: superreview-

    
    

    
  
Can somebody tell me what's this all about? Why is WT submitting patches on behalf of Debian? And what's this 95_add_spi+cacert_ca_certs.dpatch ????

    
    

    
  
This bug is for informational purposes only.  I'd like to
make it easy for the NSS team to understand how NSS 3.12
has been modified in Debian and Ubuntu, and help the Debian
nss package maintainer reduce the patches he has to apply.
Some of the patches are clearly Debian-specific and we
won't check them in.

We're especially interested in understanding the patch
nss-3.12.0/debian/patches/81_sonames.dpatch (attachment 331952 [details] [diff] [review]),
which makes NSS-based applications built on Debian or
Ubuntu unusable on other Linux distributions because
libnss3.so.1d, libssl3.so.1d, etc. cannot be found.  See
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/6eec8be954d49451/619ddbdd266be877?lnk=raot
https://bugs.launchpad.net/ubuntu/+source/libnss-db/+bug/238500


    
    

    
  
Thanks Wan-Teh! I saw the thread you mentioned obviously. Are any of those patches being applied eventually?

    
    

    
  
Comment on attachment 331957 [details] [diff] [review]
nss-3.12.0/debian/patches/95_add_spi+cacert_ca_certs.dpatch

This file is not a proposed patch, so we don't need to
set the review or superreview flag.

If I propose any patches based on the Debian patches,
I will name the attachments clearly as proposed patches.

        Attachment #331957 -
        Flags: superreview-

    
  
Assignee: nobody → wtc

    
  
Depends on: 330628

    
  
Depends on: 302670

    
    

    
  
This bug is for informational purposes only.  I'm closing
it because it has served the intended purpose.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE

    
    

    
  
Comment on attachment 331958 [details] [diff] [review]
nss-3.12.0/debian/patches/85_security_load.dpatch

Mike, Alexander,

The last change in this patch (to pk11load.c) is
causing the problem I described in bug 495384.  It
causes NSS_InitReadWrite to load a nonexistent
"<configdir>/libnssckbi.so" successfully and write
that nonexistent pathname to NSS's secmod.db
(or pkcs11.txt) file.

Can you remove that change from Debian/Ubuntu's NSS
package?  Thanks.

    
    

    
  
(In reply to comment #33)
> It causes NSS_InitReadWrite to load a nonexistent
> "<configdir>/libnssckbi.so" successfully and write
> that nonexistent pathname to NSS's secmod.db
> (or pkcs11.txt) file.

Why does it?
 
> Can you remove that change from Debian/Ubuntu's NSS
> package?  Thanks.

The change is necessary to avoid a non-library to be in /usr/lib, as per debian policy.

    
    

    
  
Mike,
NSS tries to load a shared library from a user-supplied string, and if the
load succeeds, it remembers the string.  The patch in question causes a 
library other than the one named in that string to be loaded successfully,
without changing the string to match the successfully loaded library string.
Consequently, the string that is remembered is incorrect.

    
    

    
  
Comment on attachment 331958 [details] [diff] [review]
nss-3.12.0/debian/patches/85_security_load.dpatch

Mike,

This patch changes two files: genload.c and pk11load.c.

I understand the change to genload.c is required by
Debian policy.  I'm also asking you to remove the change
to pk11load.c from this patch.  Specifically, it's this
change:

--- nss/mozilla/security/nss/lib/pk11wrap/pk11load.c
+++ nss/mozilla/security/nss/lib/pk11wrap/pk11load.c
@@ -331,6 +331,14 @@
 #endif
 
 	if (library == NULL) {
+	    full_name = rindex(mod->dllName, PR_GetDirectorySeparator());
+	    if (full_name)
+	        full_name++;
+	    else
+	        full_name = mod->dllName;
+	    library = loader_LoadLibrary(full_name);
+	}
+	if (library == NULL) {
 	    return SECFailure;
 	}

When the user tells NSS to load a module with an absolute
pathname "/foo/bar/libmodule.so", he only wants that particular
file.  But this change causes NSS to also load "libmodule.so"
from some other directories (on the shared library search path
or /usr/lib and /usr/lib/nss), which is wrong.

    
    

    
  
Comment on attachment 331958 [details] [diff] [review]
nss-3.12.0/debian/patches/85_security_load.dpatch

My previous comment has a typo.

The sentence
  I'm also asking you to remove the change
  to pk11load.c from this patch.
should read
  I'm asking you to remove only the change
  to pk11load.c from this patch.

    
    

    
  
IIRC, Firefox won't load libnssckbi.so without that. Moreover, if /usr/lib/nss/libnsckbi.so doesn't exist, it should "gracefully" fail. I still don't understand what the problem is, but maybe that is because I'm tired. I'm not sure I want to pollute bugzilla (and everyone CCed to this bug) with my ununderstanding of the issue. Maybe going to mail would be a good idea. Or IRC, when I'll have some time, which is probably not very soon :(

    
    

    
  
Firefox will try to load libnssckbi.so using three pathnames.
The last pathname it tries is the simple filename "libnssckbi.so":
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSComponent.cpp&rev=1.168&mark=811,814-816#811

So you only need to make sure that NSS searches in the
/usr/lib/nss directory.  Two possible solutions are:

1. Link libnss3.so with the -Wl,-rpath,/usr/lib/nss or
-Wl,-rpath,'$$ORIGIN/nss' linker flag, if Debian's policy
allows shared libraries to be linked with -rpath.

This will allow the PR_LoadLibrary call in SECMOD_LoadPKCS11Module
(pk11load.c) to succeed when Firefox tries to load
"libnssckbi.so".

This is my preferred solution because it may make some of
your changes to loader_LoadLibrary in genload.c unnecessary.

2. Change SECMOD_LoadPKCS11Module in pk11load.c to just call
loader_LoadLibrary instead of PR_LoadLibrary.  This requires
your changes to loader_LoadLibrary in genload.c.

Basically, the problematic change is this part:

+	    full_name = rindex(mod->dllName, PR_GetDirectorySeparator());
+	    if (full_name)
+	        full_name++;
+	    else

    
    

    
  
Unfortunately, rpath applies to the library that calls dlload(), and since nss uses PR_LoadLibrary to do so, it's nspr's rpath that counts. I would have gone the rpath way if that were possible :(

    
    

    
  
Mike, 
Do NSS's shared libraries and NSPR's shared libraries reside in different 
directories in Debian?  If so, please give their respective path names.

    
    

    
  
Here are the path names of NSPR and NSS's shared libraries on Ubuntu:

/usr/lib/libnspr4.so
/usr/lib/libplc4.so
/usr/lib/libplds4.so

/usr/lib/nss/libfreebl3.so
/usr/lib/nss/libsoftokn3.so
/usr/lib/nss/libnssdbm3.so
/usr/lib/nss/libnssckbi.so
/usr/lib/nss/libsoftokn3.chk
/usr/lib/nss/libfreebl3.chk
/usr/lib/libssl3.so
/usr/lib/libsmime3.so
/usr/lib/libnssutil3.so
/usr/lib/libnss3.so

The shared libraries in /usr/lib/nss are only loaded with
dlopen().  Only the shared libraries in /usr/lib can be
linked with -lfoo.

    
    

    
  
(In reply to comment #39)
> 2. Change SECMOD_LoadPKCS11Module in pk11load.c to just call
> loader_LoadLibrary instead of PR_LoadLibrary.  This requires
> your changes to loader_LoadLibrary in genload.c.
> 
> Basically, the problematic change is this part:
> 
> +        full_name = rindex(mod->dllName, PR_GetDirectorySeparator());
> +        if (full_name)
> +            full_name++;
> +        else

The changes in 3.12.5 have been a good occasion to change the code above to the following:
+	if ((library == NULL) &&
+	    !rindex(full_name, PR_GetDirectorySeparator())) {
+            library = PORT_LoadLibraryFromOrigin(my_shlib_name,
+                                      (PRFuncPtr) &softoken_LoadDSO,
+                                      full_name);
+	}

(PORT_LoadLibraryFromOrigin inheriting our previous changes to genload.c)

i.e. if the file name given to SECMOD_LoadPKCS11Module doesn't contain a directory separator, load the module from origin if PR_LoadLibrary failed.

From my testing, this solves the issue you raised.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: