summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--firefox.spec25
-rw-r--r--rhbz-1400293-fix-mozilla-1324096.patch72
-rw-r--r--rhbz-1400293-workaround.patch (renamed from rhbz-1414535.patch)0
3 files changed, 94 insertions, 3 deletions
diff --git a/firefox.spec b/firefox.spec
index 9bd8f35..e503593 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -97,7 +97,7 @@
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 51.0.1
-Release: 10%{?pre_tag}%{?dist}
+Release: 11%{?pre_tag}%{?dist}
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Group: Applications/Internet
@@ -135,7 +135,13 @@ Patch224: mozilla-1170092.patch
Patch225: mozilla-1005640-accept-lang.patch
#ARM run-time patch
Patch226: rhbz-1354671.patch
-Patch227: rhbz-1414535.patch
+
+%if 0%{?fedora} > 25
+# Fix depends on p11-kit-trust 0.23.4 and enhanced ca-certificates.rpm
+Patch227: rhbz-1400293-fix-mozilla-1324096.patch
+%else
+Patch227: rhbz-1400293-workaround.patch
+%endif
# Upstream patches
Patch304: mozilla-1253216.patch
@@ -195,6 +201,14 @@ Requires: nspr >= %{nspr_build_version}
Requires: nss >= %{nss_build_version}
%endif
+%if 0%{?fedora} > 25
+# For early testing of rhbz#1400293 mozbz#1324096 on F26 and Rawhide,
+# temporarily require the specific NSS build with the backports.
+# Can be removed after firefox is changed to require NSS 3.30.
+BuildRequires: nss-devel >= 3.29.1-2.1
+Requires: nss >= 3.29.1-2.1
+%endif
+
BuildRequires: desktop-file-utils
BuildRequires: system-bookmarks
%if %{?system_sqlite}
@@ -287,7 +301,7 @@ cd %{tarballdir}
%ifarch aarch64
%patch226 -p1 -b .1354671
%endif
-%patch227 -p1 -b .rh1414535
+%patch227 -p1 -b .rh1400293
%patch304 -p1 -b .1253216
%patch402 -p1 -b .1196777
@@ -801,6 +815,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#---------------------------------------------------------------------
%changelog
+* Thu Mar 02 2017 Kai Engert <kaie@redhat.com> - 51.0.1-11
+- Enable upstream fix for rhbz#1400293 mozbz#1324096 on F26 and Rawhide.
+ Keep the old workaround on F24/F25, required base packages aren't
+ available yet.
+
* Thu Mar 2 2017 Martin Stransky <stransky@redhat.com> - 51.0.1-10
- Test another ARMv7 build setup (rhbz#1426850)
diff --git a/rhbz-1400293-fix-mozilla-1324096.patch b/rhbz-1400293-fix-mozilla-1324096.patch
new file mode 100644
index 0000000..4a2691e
--- /dev/null
+++ b/rhbz-1400293-fix-mozilla-1324096.patch
@@ -0,0 +1,72 @@
+diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
+--- a/security/certverifier/CertVerifier.cpp
++++ b/security/certverifier/CertVerifier.cpp
+@@ -120,16 +120,20 @@ IsCertChainRootBuiltInRoot(const UniqueC
+ }
+ CERTCertificate* root = rootNode->cert;
+ if (!root) {
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+ }
+ return IsCertBuiltInRoot(root, result);
+ }
+
++// The term "builtin root" traditionally refers to a root CA certificate that
++// has been added to the NSS trust store, because it has been approved
++// for inclusion according to the Mozilla CA policy, and might be accepted
++// by Mozilla applications as an issuer for certificates seen on the public web.
+ Result
+ IsCertBuiltInRoot(CERTCertificate* cert, bool& result)
+ {
+ result = false;
+ #ifdef DEBUG
+ nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
+ if (!component) {
+ return Result::FATAL_ERROR_LIBRARY_FAILURE;
+@@ -142,25 +146,38 @@ IsCertBuiltInRoot(CERTCertificate* cert,
+ return Success;
+ }
+ #endif // DEBUG
+ AutoSECMODListReadLock lock;
+ for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
+ list = list->next) {
+ for (int i = 0; i < list->module->slotCount; i++) {
+ PK11SlotInfo* slot = list->module->slots[i];
+- // PK11_HasRootCerts should return true if and only if the given slot has
+- // an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST, which
+- // should be true only of the builtin root list.
+- // If we can find a copy of the given certificate on the slot with the
+- // builtin root list, that certificate must be a builtin.
+- if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot) &&
+- PK11_FindCertInSlot(slot, cert, nullptr) != CK_INVALID_HANDLE) {
+- result = true;
+- return Success;
++ // We're searching for the "builtin root module", which is a module that
++ // contains an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST.
++ // We use PK11_HasRootCerts() to identify a module with that property.
++ // In the past, we exclusively used the PKCS#11 module named nssckbi,
++ // which is provided by the NSS library.
++ // Nowadays, some distributions use a replacement module, which contains
++ // the builtin roots, but which also contains additional CA certificates,
++ // such as CAs trusted in a local deployment.
++ // We want to be able to distinguish between these two categories,
++ // because a CA, which may issue certificates for the public web,
++ // is expected to comply with additional requirements.
++ // If the certificate has attribute CKA_NSS_MOZILLA_CA_POLICY set to true,
++ // then we treat it as a "builtin root".
++ if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) {
++ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, cert, nullptr);
++ if (handle != CK_INVALID_HANDLE &&
++ PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
++ false)) {
++ // Attribute was found, and is set to true
++ result = true;
++ break;
++ }
+ }
+ }
+ }
+ return Success;
+ }
+
+ static Result
+ BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER,
diff --git a/rhbz-1414535.patch b/rhbz-1400293-workaround.patch
index f9cc7c2..f9cc7c2 100644
--- a/rhbz-1414535.patch
+++ b/rhbz-1400293-workaround.patch
bgstack15