From eded0595cb81907c94bfb3e5c397bdfb8b62596f Mon Sep 17 00:00:00 2001
From: Kai Engert
Date: Mon, 3 Dec 2007 21:19:26 +0000
Subject: [PATCH] - upstream patches to avoid calling netstat for random data
---
nss-unix_rand.patch | 64 +++++++++++++++++++++++++++++++++++++++++++++
nss.spec | 7 ++++-
2 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 nss-unix_rand.patch
diff --git a/nss-unix_rand.patch b/nss-unix_rand.patch
new file mode 100644
index 0000000..d215d09
--- /dev/null
+++ b/nss-unix_rand.patch
@@ -0,0 +1,64 @@
+Index: mozilla/security/nss/lib/freebl/unix_rand.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/freebl/unix_rand.c,v
+retrieving revision 1.25
+retrieving revision 1.28
+diff -u -r1.25 -r1.28
+--- mozilla/security/nss/lib/freebl/unix_rand.c 25 Jul 2007 22:54:35 -0000 1.25
++++ mozilla/security/nss/lib/freebl/unix_rand.c 3 Dec 2007 21:07:01 -0000 1.28
+@@ -866,7 +866,8 @@
+ /* if the child hasn't exited, kill it -- we're done with its output */
+ while ((rv = waitpid(pid, &status, WNOHANG)) == -1 && errno == EINTR)
+ ;
+- if (rv == 0 && kill(pid, SIGKILL) == 0) {
++ if (rv == 0) {
++ kill(pid, SIGKILL);
+ while ((rv = waitpid(pid, &status, 0)) == -1 && errno == EINTR)
+ ;
+ }
+@@ -921,15 +922,6 @@
+ };
+ #endif
+
+-#ifdef DO_PS
+-For now it is considered that it is too expensive to run the ps command
+-for the small amount of entropy it provides.
+-#if defined(__sun) && (!defined(__svr4) && !defined(SVR4)) || defined(bsdi) || defined(LINUX)
+- static char ps_cmd[] = "ps aux";
+-#else
+- static char ps_cmd[] = "ps -el";
+-#endif
+-#endif /* DO_PS */
+ #if defined(BSDI)
+ static char netstat_ni_cmd[] = "netstat -nis";
+ #else
+@@ -980,9 +972,12 @@
+ * in a pthreads environment. Therefore, we call safe_popen last and on
+ * BSD/OS we do not call safe_popen when we succeeded in getting data
+ * from /dev/urandom.
++ *
++ * Bug 174993: LINUX provides /dev/urandom, don't fork netstat
++ * if data has been gathered successfully
+ */
+
+-#ifdef BSDI
++#if defined(BSDI) || defined(LINUX)
+ if (bytes)
+ return;
+ #endif
+@@ -1010,15 +1005,6 @@
+ }
+ #endif
+
+-#ifdef DO_PS
+- fp = safe_popen(ps_cmd);
+- if (fp != NULL) {
+- while ((bytes = fread(buf, 1, sizeof(buf), fp)) > 0)
+- RNG_RandomUpdate(buf, bytes);
+- safe_pclose(fp);
+- }
+-#endif
+-
+ #ifdef DO_NETSTAT
+ fp = safe_popen(netstat_ni_cmd);
+ if (fp != NULL) {
diff --git a/nss.spec b/nss.spec
index 6e103fc..3492d66 100644
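Review bot: The result of `kill(pid, SIGKILL)` in the first inner hunk (unix_rand.c around line 866) is now discarded without a comment, so the unconditional blocking `waitpid` that follows reads as accidental rather than as the intent of always reaping the child; `(void)kill(pid, SIGKILL); /* may fail if the child already exited; reap it either way so no zombie is left */` would make that explicit. The new `#if defined(BSDI) || defined(LINUX)` early return at line ~972 skips the netstat fallback whenever `bytes` is non-zero, and the code that sets `bytes` from /dev/urandom is outside this hunk; it is worth confirming that `bytes` reflects the amount actually gathered rather than only the last read's count, since otherwise a single short read would still suppress the fallback. The `ps_cmd` strings deleted at line ~922 lose their only users with the removal of the `DO_PS` block at line ~1005, which is consistent. The enclosing function starts and ends outside the hunk.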
--- a/nss.spec
+++ b/nss.spec
@@ -4,7 +4,7 @@
 Summary: Network Security Services
 Name: nss
 Version: 3.11.99.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -30,6 +30,7 @@ Source12: %{name}-pem.tar.gz
 Patch1: nss-no-rpath.patch
 Patch2: nss-nolocalsql.patch
+Patch3: nss-unix_rand.patch
 Patch6: nss-enable-pem.patch
 Patch7: nss-create-obj.patch
@@ -86,6 +87,7 @@ low level services.
 %patch1 -p0
 %patch2 -p0
+%patch3 -p0
 %patch6 -p0 -b .libpem
 %patch7 -p0 -b .create-obj
@@ -386,6 +388,9 @@ done
 %changelog
+* Mon Dec 03 2007 Kai Engert - 3.11.99.2-2
+- upstream patches to avoid calling netstat for random data
+
 * Wed Nov 07 2007 Kai Engert - 3.11.99.2-1
 - NSS 3.12 alpha 2