diff --git a/firefox.spec b/firefox.spec index 9bd8f35..e503593 100644 --- a/firefox.spec +++ b/firefox.spec @@ -97,7 +97,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 51.0.1 -Release: 10%{?pre_tag}%{?dist} +Release: 11%{?pre_tag}%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Group: Applications/Internet @@ -135,7 +135,13 @@ Patch224: mozilla-1170092.patch Patch225: mozilla-1005640-accept-lang.patch #ARM run-time patch Patch226: rhbz-1354671.patch -Patch227: rhbz-1414535.patch + +%if 0%{?fedora} > 25 +# Fix depends on p11-kit-trust 0.23.4 and enhanced ca-certificates.rpm +Patch227: rhbz-1400293-fix-mozilla-1324096.patch +%else +Patch227: rhbz-1400293-workaround.patch +%endif # Upstream patches Patch304: mozilla-1253216.patch @@ -195,6 +201,14 @@ Requires: nspr >= %{nspr_build_version} Requires: nss >= %{nss_build_version} %endif +%if 0%{?fedora} > 25 +# For early testing of rhbz#1400293 mozbz#1324096 on F26 and Rawhide, +# temporarily require the specific NSS build with the backports. +# Can be removed after firefox is changed to require NSS 3.30. +BuildRequires: nss-devel >= 3.29.1-2.1 +Requires: nss >= 3.29.1-2.1 +%endif + BuildRequires: desktop-file-utils BuildRequires: system-bookmarks %if %{?system_sqlite} @@ -287,7 +301,7 @@ cd %{tarballdir} %ifarch aarch64 %patch226 -p1 -b .1354671 %endif -%patch227 -p1 -b .rh1414535 +%patch227 -p1 -b .rh1400293 %patch304 -p1 -b .1253216 %patch402 -p1 -b .1196777 @@ -801,6 +815,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Thu Mar 02 2017 Kai Engert - 51.0.1-11 +- Enable upstream fix for rhbz#1400293 mozbz#1324096 on F26 and Rawhide. + Keep the old workaround on F24/F25, required base packages aren't + available yet. + * Thu Mar 2 2017 Martin Stransky - 51.0.1-10 - Test another ARMv7 build setup (rhbz#1426850) diff --git a/rhbz-1400293-fix-mozilla-1324096.patch b/rhbz-1400293-fix-mozilla-1324096.patch new file mode 100644 index 0000000..4a2691e --- /dev/null +++ b/rhbz-1400293-fix-mozilla-1324096.patch @@ -0,0 +1,72 @@ +diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp +--- a/security/certverifier/CertVerifier.cpp ++++ b/security/certverifier/CertVerifier.cpp +@@ -120,16 +120,20 @@ IsCertChainRootBuiltInRoot(const UniqueC + } + CERTCertificate* root = rootNode->cert; + if (!root) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + return IsCertBuiltInRoot(root, result); + } + ++// The term "builtin root" traditionally refers to a root CA certificate that ++// has been added to the NSS trust store, because it has been approved ++// for inclusion according to the Mozilla CA policy, and might be accepted ++// by Mozilla applications as an issuer for certificates seen on the public web. + Result + IsCertBuiltInRoot(CERTCertificate* cert, bool& result) + { + result = false; + #ifdef DEBUG + nsCOMPtr component(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (!component) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; +@@ -142,25 +146,38 @@ IsCertBuiltInRoot(CERTCertificate* cert, + return Success; + } + #endif // DEBUG + AutoSECMODListReadLock lock; + for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list; + list = list->next) { + for (int i = 0; i < list->module->slotCount; i++) { + PK11SlotInfo* slot = list->module->slots[i]; +- // PK11_HasRootCerts should return true if and only if the given slot has +- // an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST, which +- // should be true only of the builtin root list. +- // If we can find a copy of the given certificate on the slot with the +- // builtin root list, that certificate must be a builtin. +- if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot) && +- PK11_FindCertInSlot(slot, cert, nullptr) != CK_INVALID_HANDLE) { +- result = true; +- return Success; ++ // We're searching for the "builtin root module", which is a module that ++ // contains an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST. ++ // We use PK11_HasRootCerts() to identify a module with that property. ++ // In the past, we exclusively used the PKCS#11 module named nssckbi, ++ // which is provided by the NSS library. ++ // Nowadays, some distributions use a replacement module, which contains ++ // the builtin roots, but which also contains additional CA certificates, ++ // such as CAs trusted in a local deployment. ++ // We want to be able to distinguish between these two categories, ++ // because a CA, which may issue certificates for the public web, ++ // is expected to comply with additional requirements. ++ // If the certificate has attribute CKA_NSS_MOZILLA_CA_POLICY set to true, ++ // then we treat it as a "builtin root". ++ if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) { ++ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, cert, nullptr); ++ if (handle != CK_INVALID_HANDLE && ++ PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY, ++ false)) { ++ // Attribute was found, and is set to true ++ result = true; ++ break; ++ } + } + } + } + return Success; + } + + static Result + BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER, diff --git a/rhbz-1414535.patch b/rhbz-1400293-workaround.patch similarity index 100% rename from rhbz-1414535.patch rename to rhbz-1400293-workaround.patch