From ae71cd8ac93245360ffe73d6ab260975ec0d742f Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sat, 22 Sep 2018 04:47:54 -0400 Subject: [PATCH] gnu: icecat: Add fixes from upstream mozilla-esr60 [security fixes]. Includes fixes for CVE-2018-12383 and CVE-2018-12385. * gnu/packages/patches/icecat-CVE-2018-12383.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/patches/icecat-avoid-bundled-libraries.patch: Adapt to apply cleanly to IceCat 60. * gnu/packages/gnuzilla.scm (mozilla-patch): Update to fetch from mozilla-esr60. (icecat): Add selected changesets from upstream mozilla-esr60.
---
 gnu/local.mk | 1 + gnu/packages/gnuzilla.scm | 8 +- .../patches/icecat-CVE-2018-12383.patch | 103 ++++++++++++++++++ .../icecat-avoid-bundled-libraries.patch | 20 ++-- 4 files changed, 119 insertions(+), 13 deletions(-) create mode 100644 gnu/packages/patches/icecat-CVE-2018-12383.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index daf96ea4b6..fe2b573dd5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -810,6 +810,7 @@ dist_patch_DATA = \
 %D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
 %D%/packages/patches/hydra-disable-darcs-test.patch \
 %D%/packages/patches/icecat-avoid-bundled-libraries.patch \
+ %D%/packages/patches/icecat-CVE-2018-12383.patch \
 %D%/packages/patches/icecat-use-system-graphite2.patch \
 %D%/packages/patches/icecat-use-system-harfbuzz.patch \
 %D%/packages/patches/icedtea-6-hotspot-gcc-segfault-workaround.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index db8f85cfb1..653cee93d5 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -469,10 +469,10 @@ security standards.") (license license:mpl2.0))) (define (mozilla-patch file-name changeset hash) - "Return an origin for CHANGESET from the mozilla-esr52 repository." + "Return an origin for CHANGESET from the mozilla-esr60 repository." (origin (method url-fetch) - (uri (string-append "https://hg.mozilla.org/releases/mozilla-esr52/raw-rev/" + (uri (string-append "https://hg.mozilla.org/releases/mozilla-esr60/raw-rev/" changeset)) (sha256 (base32 hash)) (file-name file-name))) @@ -498,7 +498,9 @@ security standards.") (search-patch "icecat-avoid-bundled-libraries.patch") ;; FIXME (search-patch "icecat-use-system-harfbuzz.patch") ;; FIXME (search-patch "icecat-use-system-graphite2.patch") - )) + (mozilla-patch "icecat-CVE-2018-12385.patch" "80a4a7ef2813" "1vgcbimpnfjqj934v0cryq1g13xac3wfmd4jyhcb5s60x8xyssf5") + (search-patch "icecat-CVE-2018-12383.patch") + (mozilla-patch "icecat-bug-1489744.patch" "6546ee839d30" "11mhvj77r789b428bfxqq5wdx8yr7lbrdjzr8qjj6fw197pldn51"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2018-12383.patch b/gnu/packages/patches/icecat-CVE-2018-12383.patch new file mode 100644 index 0000000000..17ca0f3773 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2018-12383.patch 
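Review bot: The three entries appended to the patch list in the second gnuzilla.scm hunk carry no comment explaining why `icecat-CVE-2018-12383.patch` is a local `search-patch` while its neighbours are fetched with `mozilla-patch`, or that their order may matter. The header of the local patch names 80a4a7ef2813 as the parent of the changeset it is based on, so it presumably has to stay after `icecat-CVE-2018-12385.patch`; a comment such as `;; CVE-2018-12383 is a local copy (upstream binary patch and tests omitted); keep it after 80a4a7ef2813, its upstream parent.` would record that. `icecat-bug-1489744.patch` is not mentioned in the commit message either, so a word on what it fixes would help whoever later audits which upstream fixes this package carries.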
@@ -0,0 +1,103 @@ +Based on upstream changeset: + https://hg.mozilla.org/releases/mozilla-esr60/rev/300efdbc9fe1 +but with the git binary patch and related test changes omitted, +and adapted to apply cleanly to GNU IceCat. + +# HG changeset patch +# User David Keeler +# Date 1531860660 25200 +# Node ID 300efdbc9fe1f9165428c7934861033935b5abfa +# Parent 80a4a7ef281374dbb2afda8edac54665b14b9ef8 +Bug 1475775 - Clean up old NSS DB file after upgrade if necessary. r=franziskus, r=mattn, a=RyanVM + +Reviewers: franziskus, mattn + +Bug #: 1475775 + +Differential Revision: https://phabricator.services.mozilla.com/D2202 + +diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp +--- a/security/manager/ssl/nsNSSComponent.cpp ++++ b/security/manager/ssl/nsNSSComponent.cpp +@@ -1935,16 +1935,61 @@ AttemptToRenameBothPKCS11ModuleDBVersion + NS_NAMED_LITERAL_CSTRING(sqlModuleDBFilename, "pkcs11.txt"); + nsresult rv = AttemptToRenamePKCS11ModuleDB(profilePath, + legacyModuleDBFilename); + if (NS_FAILED(rv)) { + return rv; + } + return AttemptToRenamePKCS11ModuleDB(profilePath, sqlModuleDBFilename); + } ++ ++// When we changed from the old dbm database format to the newer sqlite ++// implementation, the upgrade process left behind the existing files. Suppose a ++// user had not set a password for the old key3.db (which is about 99% of ++// users). After upgrading, both the old database and the new database are ++// unprotected. If the user then sets a password for the new database, the old ++// one will not be protected. In this scenario, we should probably just remove ++// the old database (it would only be relevant if the user downgraded to a ++// version of IceCat before 58, but we have to trade this off against the ++// user's old private keys being unexpectedly unprotected after setting a ++// password). ++// This was never an issue on Android because we always used the new ++// implementation. 
++static void ++MaybeCleanUpOldNSSFiles(const nsACString& profilePath) ++{ ++ UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); ++ if (!slot) { ++ return; ++ } ++ // Unfortunately we can't now tell the difference between "there already was a ++ // password when the upgrade happened" and "there was not a password but then ++ // the user added one after upgrading". ++ bool hasPassword = PK11_NeedLogin(slot.get()) && ++ !PK11_NeedUserInit(slot.get()); ++ if (!hasPassword) { ++ return; ++ } ++ nsCOMPtr dbFile = do_CreateInstance("@mozilla.org/file/local;1"); ++ if (!dbFile) { ++ return; ++ } ++ nsresult rv = dbFile->InitWithNativePath(profilePath); ++ if (NS_FAILED(rv)) { ++ return; ++ } ++ NS_NAMED_LITERAL_CSTRING(keyDBFilename, "key3.db"); ++ rv = dbFile->AppendNative(keyDBFilename); ++ if (NS_FAILED(rv)) { ++ return; ++ } ++ // Since this isn't a directory, the `recursive` argument to `Remove` is ++ // irrelevant. ++ Unused << dbFile->Remove(false); ++} + #endif // ifndef ANDROID + + // Given a profile directory, attempt to initialize NSS. If nocertdb is true, + // (or if we don't have a profile directory) simply initialize NSS in no DB mode + // and return. Otherwise, first attempt to initialize in read/write mode, and + // then read-only mode if that fails. If both attempts fail, we may be failing + // to initialize an NSS DB collection that has FIPS mode enabled. Attempt to + // ascertain if this is the case, and if so, rename the offending PKCS#11 module +@@ -1966,16 +2011,19 @@ InitializeNSSWithFallbacks(const nsACStr + + // Try read/write mode. If we're in safeMode, we won't load PKCS#11 modules. 
+ #ifndef ANDROID + PRErrorCode savedPRErrorCode1; + #endif // ifndef ANDROID + SECStatus srv = ::mozilla::psm::InitializeNSS(profilePath, false, !safeMode); + if (srv == SECSuccess) { + MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("initialized NSS in r/w mode")); ++#ifndef ANDROID ++ MaybeCleanUpOldNSSFiles(profilePath); ++#endif // ifndef ANDROID + return NS_OK; + } + #ifndef ANDROID + savedPRErrorCode1 = PR_GetError(); + PRErrorCode savedPRErrorCode2; + #endif // ifndef ANDROID + // That failed. Try read-only mode. + srv = ::mozilla::psm::InitializeNSS(profilePath, true, !safeMode); diff --git a/gnu/packages/patches/icecat-avoid-bundled-libraries.patch b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch index 114631517a..b5e9fb887e 100644 --- a/gnu/packages/patches/icecat-avoid-bundled-libraries.patch +++ b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch @@ -1,8 +1,8 @@ Fixes needed when avoiding bundled libraries. ---- icecat-52.0.2/xpcom/build/moz.build.orig -+++ icecat-52.0.2/xpcom/build/moz.build -@@ -93,10 +93,5 @@ +--- icecat-60.2.0/xpcom/build/moz.build.orig 2018-09-13 17:46:49.000000000 -0400 ++++ icecat-60.2.0/xpcom/build/moz.build 2018-09-22 04:26:50.659564554 -0400 +@@ -99,10 +99,5 @@ '/docshell/base', ] @@ -13,9 +13,9 @@ Fixes needed when avoiding bundled libraries. - if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa': CXXFLAGS += CONFIG['TK_CFLAGS'] ---- icecat-52.0.2/storage/moz.build.orig -+++ icecat-52.0.2/storage/moz.build -@@ -114,7 +114,6 @@ +--- icecat-60.2.0/storage/moz.build.orig 2018-09-13 17:51:11.000000000 -0400 ++++ icecat-60.2.0/storage/moz.build 2018-09-22 04:26:50.659564554 -0400 +@@ -117,7 +117,6 @@ DEFINES['MOZ_MEMORY_TEMP_STORE_PRAGMA'] = True LOCAL_INCLUDES += [ 
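Review bot: At the end of `MaybeCleanUpOldNSSFiles` the result of `dbFile->Remove(false)` is discarded with `Unused <<`, so if the removal fails the old, password-less `key3.db` stays in the profile and nothing records it. Since that file is the whole reason for the fix, I would at least log the failure, e.g. `if (NS_FAILED(dbFile->Remove(false))) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not remove old key3.db")); }`, ideally skipping the message when the file is simply absent, which is the normal case on later runs. The cleanup is also reached only from the successful read/write branch of `InitializeNSSWithFallbacks` (whose body continues outside the hunk), so a password set during a session appears to leave the old file in place until the next start; a comment saying so would help. As far as I know `Remove` unlinks the file without overwriting its contents, which is worth stating for anyone assessing the residual exposure of the old keys.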
@@ -23,13 +23,13 @@ Fixes needed when avoiding bundled libraries. '/dom/base', ] ---- icecat-52.0.2/dom/indexedDB/moz.build.orig -+++ icecat-52.0.2/dom/indexedDB/moz.build -@@ -101,7 +101,6 @@ +--- icecat-60.2.0/dom/indexedDB/moz.build.orig 2018-09-13 17:49:42.000000000 -0400 ++++ icecat-60.2.0/dom/indexedDB/moz.build 2018-09-22 04:26:50.663564574 -0400 +@@ -102,7 +102,6 @@ CXXFLAGS += ['-Wno-error=shadow'] LOCAL_INCLUDES += [ - '/db/sqlite3/src', '/dom/base', '/dom/storage', - '/dom/workers', + '/ipc/glue',