Merge #30143: firefox-*: critical security updates

pkgs/applications/networking/browsers/firefox/common.nix

@@ -8,8 +8,7 @@
 , yasm, mesa, sqlite, unzip, makeWrapper
 , hunspell, libevent, libstartup_notification, libvpx
 , cairo, icu, libpng, jemalloc
-, autoconf213, which, gnused, cargo, rustc
-
+, autoconf213, which, gnused, cargo, rustc, llvmPackages
 , debugBuild ? false
 
 ### optionals
@@ -50,6 +49,7 @@ assert stdenv.cc ? libc && stdenv.cc.libc != null;
 
 let
   flag = tf: x: [(if tf then "--enable-${x}" else "--disable-${x}")];
+  gcc = if stdenv.cc.isGNU then stdenv.cc.cc else stdenv.cc.cc.gcc;
 in
 
 stdenv.mkDerivation (rec {
@@ -74,6 +74,8 @@ stdenv.mkDerivation (rec {
   ++ lib.optionals ffmpegSupport [ gstreamer gst-plugins-base ]
   ++ lib.optional  gtk3Support gtk3;
 
+  NIX_CFLAGS_COMPILE = "-I${nspr.dev}/include/nspr -I${nss.dev}/include/nss";
+
   nativeBuildInputs =
     [ autoconf213 which gnused pkgconfig perl python cargo rustc ]
     ++ lib.optional gtk3Support wrapGAppsHook;
@@ -88,6 +90,12 @@ stdenv.mkDerivation (rec {
     make -f client.mk configure-files
 
     configureScript="$(realpath ./configure)"
+
+    cxxLib=$( echo -n ${gcc}/include/c++/* )
+    archLib=$cxxLib/$( ${gcc}/bin/gcc -dumpmachine )
+
+    test -f layout/style/ServoBindings.toml && sed -i -e '/"-DMOZ_STYLO"/ a , "-cxx-isystem", "'$cxxLib'", "-isystem", "'$archLib'"' layout/style/ServoBindings.toml
+
     cd obj-*
   '' + lib.optionalString googleAPISupport ''
     # Google API key used by Chromium and Firefox.
@@ -120,6 +128,10 @@ stdenv.mkDerivation (rec {
     "--disable-gconf"
     "--enable-default-toolkit=cairo-gtk${if gtk3Support then "3" else "2"}"
   ]
+  ++ lib.optionals (stdenv.lib.versionAtLeast version "56") [
+    "--with-libclang-path=${llvmPackages.clang-unwrapped}/lib"
+    "--with-clang-path=${llvmPackages.clang}/bin/clang"
+  ]
 
   # TorBrowser patches these
   ++ lib.optionals (!isTorBrowserLike) [

pkgs/applications/networking/browsers/firefox/packages.nix

@@ -6,10 +6,10 @@ rec {
 
   firefox = common rec {
     pname = "firefox";
-    version = "55.0.3";
+    version = "56.0.1";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "3cacc87b97871f3a8c5e97c17ef7025079cb5c81f32377d9402cdad45815ac6c4c4762c79187f1e477910161c2377c42d41de62a50b6741d5d7c1cd70e8c6416";
+      sha512 = "6a07de6bfb71ccdef04b0f2ced720e309d037dd89fe983178ac59ea972147360552e2b8e33d8caa476008cabf53a99003807b0e817150b7a39e0bc143d82b88f";
     };
 
     patches =
@@ -32,10 +32,10 @@ rec {
 
   firefox-esr = common rec {
     pname = "firefox-esr";
-    version = "52.3.0esr";
+    version = "52.4.0esr";
     src = fetchurl {
       url = "mirror://mozilla/firefox/releases/${version}/source/firefox-${version}.source.tar.xz";
-      sha512 = "36da8f14b50334e36fca06e09f15583101cadd10e510268255587ea9b09b1fea918da034d6f1d439ab8c34612f6cebc409a0b8d812dddb3f997afebe64d09fe9";
+      sha512 = "be3be7f9dbf4bd0344d5d76f26d1a5090bb012154d25833d5cd58e5e707c080515b42ed751e1f7e58b15b96939d7da634cafb6e8aa9bb1627ff420836b802183";
     };
 
     meta = firefox.meta // {

pkgs/development/libraries/icu/58.nix

@@ -0,0 +1,14 @@
+args @ { stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }:
+let
+  keywordFix = fetchurl {
+    url = "http://bugs.icu-project.org/trac/changeset/39484?format=diff";
+    name = "icu-changeset-39484.diff";
+    sha256 = "0hxhpgydalyxacaaxlmaddc1sjwh65rsnpmg0j414mnblq74vmm8";
+  };
+in
+import ./base.nix {
+  version = "58.2";
+  sha256 = "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib";
+  patches = [ keywordFix ];
+  patchFlags = "-p4";
+} args

pkgs/development/libraries/icu/59.nix

@@ -0,0 +1,4 @@
+import ./base.nix {
+  version = "59.1";
+  sha256 = "1zkmbg2932ggvpgjp8pys0cj6z8bw087y8858009shkrjfpzscki";
+}

pkgs/development/libraries/icu/base.nix

@@ -1,16 +1,8 @@
+{ version, sha256, patches ? [], patchFlags ? "" }:
 { stdenv, fetchurl, fetchpatch, fixDarwinDylibNames }:
 
 let
   pname = "icu4c";
-  version = "58.2";
-
-  # this patch should no longer be needed in 58.3
-  # https://bugs.gentoo.org/show_bug.cgi?id=599142#c14
-  keywordFix = fetchurl {
-    url = "http://bugs.icu-project.org/trac/changeset/39484?format=diff";
-    name = "icu-changeset-39484.diff";
-    sha256 = "0hxhpgydalyxacaaxlmaddc1sjwh65rsnpmg0j414mnblq74vmm8";
-  };
 in
 stdenv.mkDerivation {
   name = pname + "-" + version;
@@ -18,7 +10,7 @@ stdenv.mkDerivation {
   src = fetchurl {
     url = "http://download.icu-project.org/files/${pname}/${version}/${pname}-"
       + (stdenv.lib.replaceChars ["."] ["_"] version) + "-src.tgz";
-    sha256 = "036shcb3f8bm1lynhlsb4kpjm9s9c2vdiir01vg216rs2l8482ib";
+    inherit sha256;
   };
 
   outputs = [ "out" "dev" ];
@@ -33,9 +25,7 @@ stdenv.mkDerivation {
     echo Source root reset to ''${sourceRoot}
   '';
 
-  patchFlags = "-p4";
-
-  patches = [ keywordFix ];
+  inherit patchFlags patches;
 
   preConfigure = ''
     sed -i -e "s|/bin/sh|${stdenv.shell}|" configure

pkgs/development/libraries/nspr/default.nix

@@ -1,14 +1,14 @@
 { stdenv, fetchurl
 , CoreServices ? null }:
 
-let version = "4.15"; in
+let version = "4.16"; in
 
 stdenv.mkDerivation {
   name = "nspr-${version}";
 
   src = fetchurl {
     url = "mirror://mozilla/nspr/releases/v${version}/src/nspr-${version}.tar.gz";
-    sha256 = "101dksqm1z0hzd7ap82ccbxjr48s6q3xhshdl81qkj6hqdmy1p97";
+    sha256 = "1l9wlnb9y0bzicv448jjl9kssqn044dc2qrkwzp4ll35fvch4ccv";
   };
 
   outputs = [ "out" "dev" ];

pkgs/development/libraries/nss/default.nix

@@ -9,11 +9,11 @@ let
 
 in stdenv.mkDerivation rec {
   name = "nss-${version}";
-  version = "3.31";
+  version = "3.32.1";
 
   src = fetchurl {
-    url = "mirror://mozilla/security/nss/releases/NSS_3_31_RTM/src/${name}.tar.gz";
-    sha256 = "0pd643a8ns7q5az5ai3ascrw666i2kbfiyy1c9hlhw9jd8jn21g9";
+    url = "mirror://mozilla/security/nss/releases/NSS_3_32_1_RTM/src/${name}.tar.gz";
+    sha256 = "0lj6c94102aa81bnjisnix09zfjly9aa1d6vrzxmcjmzynkrrrad";
   };
 
   buildInputs = [ perl zlib sqlite ];
@@ -25,37 +25,13 @@ in stdenv.mkDerivation rec {
   '';
 
   patches =
-    [ # Install a nss.pc (pkgconfig) file and nss-config script
-      # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672
-      (fetchurl {
-        name = "nss-3.28-gentoo-fixups.patch";
-        url = "https://gitweb.gentoo.org/repo/gentoo.git/plain/"
-            + "dev-libs/nss/files/nss-3.28-gentoo-fixups.patch"
-            + "?id=05c31f8cca591b3ce8219e4def7c26c7b1b130d6";
-        sha256 = "0z58axd1n7vq4kdp5mrb3dsg6di39a1g40s3shl6n2dzs14c1y2q";
-      })
+    [
       # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
       ./85_security_load.patch
     ];
 
   patchFlags = "-p0";
 
-  postPatch = ''
-    # Fix up the patch from Gentoo.
-    sed -i \
-      -e "/^PREFIX =/s|= /usr|= $out|" \
-      -e '/@libdir@/s|gentoo/nss|lib|' \
-      -e '/ln -sf/d' \
-      nss/config/Makefile
-
-    # Note for spacing/tab nazis: The TAB characters are intentional!
-    cat >> nss/config/Makefile <<INSTALL_TARGET
-    install:
-    	mkdir -p \$(DIST)/lib/pkgconfig
-    	cp nss.pc \$(DIST)/lib/pkgconfig
-    INSTALL_TARGET
-  '';
-
   outputs = [ "out" "dev" "tools" ];
 
   preConfigure = "cd nss";
@@ -79,9 +55,31 @@ in stdenv.mkDerivation rec {
     mv $out/*.OBJ/* $out/
     rmdir $out/*.OBJ
 
-    cp -av config/nss-config $out/bin/nss-config
-
     ln -s lib $out/lib64
+
+    # Upstream issue: https://bugzilla.mozilla.org/show_bug.cgi?id=530672
+    # https://gitweb.gentoo.org/repo/gentoo.git/plain/dev-libs/nss/files/nss-3.32-gentoo-fixups.patch?id=af1acce6c6d2c3adb17689261dfe2c2b6771ab8a
+    NSS_MAJOR_VERSION=`grep "NSS_VMAJOR" lib/nss/nss.h | awk '{print $3}'`
+    NSS_MINOR_VERSION=`grep "NSS_VMINOR" lib/nss/nss.h | awk '{print $3}'`
+    NSS_PATCH_VERSION=`grep "NSS_VPATCH" lib/nss/nss.h | awk '{print $3}'`
+    PREFIX="$out"
+
+    mkdir -p $out/lib/pkgconfig
+    sed -e "s,%prefix%,$PREFIX," \
+        -e "s,%exec_prefix%,$PREFIX," \
+        -e "s,%libdir%,$PREFIX/lib64," \
+        -e "s,%includedir%,$PREFIX/include/nss," \
+        -e "s,%NSS_VERSION%,$NSS_MAJOR_VERSION.$NSS_MINOR_VERSION.$NSS_PATCH_VERSION,g" \
+        -e "s,%NSPR_VERSION%,4.16,g" \
+        pkg/pkg-config/nss.pc.in > $out/lib/pkgconfig/nss.pc
+    chmod 0644 $out/lib/pkgconfig/nss.pc
+
+    sed -e "s,@prefix@,$PREFIX," \
+        -e "s,@MOD_MAJOR_VERSION@,$NSS_MAJOR_VERSION," \
+        -e "s,@MOD_MINOR_VERSION@,$NSS_MINOR_VERSION," \
+        -e "s,@MOD_PATCH_VERSION@,$NSS_PATCH_VERSION," \
+        pkg/pkg-config/nss-config.in > $out/bin/nss-config
+    chmod 0755 $out/bin/nss-config
   '';
 
   postFixup = ''

pkgs/top-level/all-packages.nix

@@ -8645,7 +8645,10 @@ with pkgs;
 
   hyena = callPackage ../development/libraries/hyena { };
 
-  icu = callPackage ../development/libraries/icu { };
+  icu58 = callPackage ../development/libraries/icu/58.nix { };
+  icu59 = callPackage ../development/libraries/icu/59.nix { };
+
+  icu = icu59;
 
   id3lib = callPackage ../development/libraries/id3lib { };
 
@@ -14572,6 +14575,7 @@ with pkgs;
       libpng = libpng_apng;
       python = python2;
       gnused = gnused_422;
+      icu = icu59;
     };
   });