author | nia <nia@pkgsrc.org> | 2020-06-23 17:38:49 +0000 |
---|---|---|
committer | nia <nia@pkgsrc.org> | 2020-06-23 17:38:49 +0000 |
commit | 94d4b620e9ff7b13b5f5f197eaa8e5caaf032e27 (patch) | |
tree | 5fe4b93e1e64c4e02ecb38921cca3abf8a346f2b /www/firefox | |
parent | 1bdf64fe7f4f49dd39eef589c532411a84addff7 (diff) | |
download | pkgsrc-94d4b620e9ff7b13b5f5f197eaa8e5caaf032e27.tar.gz |
firefox: Avoid reading from /dev/random on NetBSD
Motivation: This becomes a problem when a user is on a system without
HWRNG or a preexisting seed file (to increase the estimated entropy to
256 bits), where Firefox will hang forever on startup waiting for a
user to write to /dev/random. Since this was reported on port-arm@,
I decided to investigate this, and believe this is the only place
Firefox might end up reading from /dev/random.
Risk: Probably not much. For actual Transport Layer Security purposes,
Network Security Services reads directly from /dev/urandom. On systems
where Firefox is used, we can probably reasonably assume that enough
entropy has been generated from user input, on-board sensors, and network
devices to provide a state that is fairly difficult to predict, even if the
NetBSD kernel assigns no value to it (since in embedded environments
where the device's operator may be absent, such events can be manipulated
to theoretically produce a predictable state - although I don't think
this theoretical attack is necessarily something we should be concerned
with on low-end desktop systems). Other kernels do assign value to these
inputs, so have much lower criteria for unblocking.
Bump PKGREVISION
Diffstat (limited to 'www/firefox')
-rw-r--r-- | www/firefox/Makefile | 9 | ||||
-rw-r--r-- | www/firefox/distinfo | 3 | ||||
-rw-r--r-- | www/firefox/patches/patch-third__party_rust_getrandom_src_lib.rs | 24 |
3 files changed, 33 insertions, 3 deletions
diff --git a/www/firefox/Makefile b/www/firefox/Makefile index 79743bcebfb..d1b719f2140 100644 --- a/www/firefox/Makefile +++ b/www/firefox/Makefile @@ -1,9 +1,9 @@ -# $NetBSD: Makefile,v 1.433 2020/06/17 17:54:26 nia Exp $ +# $NetBSD: Makefile,v 1.434 2020/06/23 17:38:49 nia Exp $ FIREFOX_VER= ${MOZ_BRANCH}${MOZ_BRANCH_MINOR} MOZ_BRANCH= 77.0 MOZ_BRANCH_MINOR= .1 -PKGREVISION= 2 +PKGREVISION= 3 DISTNAME= firefox-${FIREFOX_VER}.source PKGNAME= ${DISTNAME:S/.source//:S/b/beta/:S/esr//} @@ -99,6 +99,11 @@ CKSUMS+= efdada601d13c489451da9d65a78c42598841cebddf6f3a8012add2380628a51 CKSUMS+= 34f9aa76b6c9c05136bb69dcd6455397faef571a567254d2c541d50a962994db CKSUMS+= e5581852eec87918901a129284b4965aefc8a19394187a8095779a084f28fabe +CKSUM_CRATES+= third_party/rust/getrandom + +CKSUMS+= 0e52f6bde42d7bb05c297ce1c25b9879d61b28caba98f6226a152bff538db6c2 +CKSUMS+= 394425b4ba03c21c494e64d993678f7014575b1e3d590b9ee452b5c2d83ec4ac + SUBST_CLASSES+= cksum SUBST_STAGE.cksum= pre-configure .for crate in ${CKSUM_CRATES} diff --git a/www/firefox/distinfo b/www/firefox/distinfo index e4b5edd0642..1d7dcf4ef61 100644 --- a/www/firefox/distinfo +++ b/www/firefox/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.399 2020/06/17 17:54:26 nia Exp $ +$NetBSD: distinfo,v 1.400 2020/06/23 17:38:49 nia Exp $ SHA1 (firefox-77.0.1.source.tar.xz) = 86735b221c17964f5e6a756a973b6d0696fbf1c5 RMD160 (firefox-77.0.1.source.tar.xz) = 59ef718e1bf9eef0a6b90c60ec20bbe4c7402ffe 
@@ -30,6 +30,7 @@ SHA1 (patch-media_libtheora_lib_info.c) = f6dbf536d73859a1ff78304c2e9f6a6f74dac0 SHA1 (patch-media_libvorbis_lib_vorbis__info.c) = b6b1a84a095db8459bdff24c04f4d56886ddbe45 SHA1 (patch-nsprpub_pr_src_pthreads_ptsynch.c) = 13e512c7ee9fa1e14ba415d62fa853e5fbfc91c0 SHA1 (patch-security_nss_lib_freebl_mpi_mpi.c) = a7cd867916524770609d1c307a65b315b88456f4 +SHA1 (patch-third__party_rust_getrandom_src_lib.rs) = 2ad80d10ebfeef0dc27435fc2c16be7b5e5d444a SHA1 (patch-third__party_rust_libc_src_unix_bsd_netbsdlike_netbsd_mod.rs) = 3755f32fea84900cc0f00af3d9f53ed5fcfb0b4b SHA1 (patch-toolkit_components_terminator_nsTerminator.cpp) = 5a516d377d491e0504aaf2d7aed04bb9ebeccc56 SHA1 (patch-toolkit_modules_subprocess_subprocess__shared__unix.js) = 22a39e54e042ab2270a3cb54e4e307c8900cad12 diff --git a/www/firefox/patches/patch-third__party_rust_getrandom_src_lib.rs b/www/firefox/patches/patch-third__party_rust_getrandom_src_lib.rs new file mode 100644 index 00000000000..e19c45c6306 --- /dev/null +++ b/www/firefox/patches/patch-third__party_rust_getrandom_src_lib.rs 
@@ -0,0 +1,24 @@ +$NetBSD: patch-third__party_rust_getrandom_src_lib.rs,v 1.1 2020/06/23 17:38:50 nia Exp $ + +https://github.com/rust-random/getrandom/pull/115 + +--- third_party/rust/getrandom/src/lib.rs.orig 2020-06-02 23:37:31.000000000 +0000 ++++ third_party/rust/getrandom/src/lib.rs +@@ -17,7 +17,7 @@ + //! | macOS, iOS | [`SecRandomCopyBytes`][4] + //! | FreeBSD | [`kern.arandom`][5] + //! | OpenBSD, Bitrig | [`getentropy`][6] +-//! | NetBSD | [`/dev/urandom`][7] after reading from `/dev/random` once ++//! | NetBSD | [`kern.arandom`][5] + //! | Dragonfly BSD | [`/dev/random`][8] + //! | Solaris, illumos | [`getrandom`][9] system call if available, otherwise [`/dev/random`][10] + //! | Fuchsia OS | [`cprng_draw`][11] +@@ -184,7 +184,7 @@ mod_use!(cfg(target_os = "illumos"), sol + mod_use!(cfg(target_os = "ios"), macos); + mod_use!(cfg(target_os = "linux"), linux_android); + mod_use!(cfg(target_os = "macos"), macos); +-mod_use!(cfg(target_os = "netbsd"), use_file); ++mod_use!(cfg(target_os = "netbsd"), freebsd); + mod_use!(cfg(target_os = "openbsd"), openbsd_bitrig); + mod_use!(cfg(target_os = "redox"), use_file); + mod_use!(cfg(target_os = "solaris"), solaris_illumos); |
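Review bot: In the `www/firefox/Makefile` hunk at `@@ -99,6 +99,11 @@`, the two `CKSUMS+=` values added under `CKSUM_CRATES+= third_party/rust/getrandom` have no comment saying which file of the crate they cover or how the two values relate to each other. The surrounding entries are equally bare, but a one-line comment naming the patched file (here `src/lib.rs`, per the new patch) and the order of the pair would let whoever next updates the vendored crate regenerate them without guessing.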
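Review bot: In the `@@ -17,7 +17,7 @@` hunk of the new getrandom patch, the added NetBSD row reuses link reference `[5]`, which is the same reference the FreeBSD row just above it uses for `kern.arandom`. NetBSD readers following the link will land on whatever `[5]` resolves to for FreeBSD; consider adding a separate reference that points at NetBSD's own documentation of the sysctl, or noting in the row that the FreeBSD reference is intentional.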
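Review bot: In the `@@ -184,7 +184,7 @@` hunk, moving `target_os = "netbsd"` from `use_file` to `freebsd` drops the one-time read of `/dev/random` that the old table row describes ("`/dev/urandom` after reading from `/dev/random` once"), so this code path no longer waits for the kernel to consider itself seeded. The commit message argues that this is acceptable on desktop systems, but the patch applies to every NetBSD build of the package, and its header carries only the upstream pull request URL. Please add a sentence to the patch comment stating what `kern.arandom` returns on NetBSD before the entropy estimate is reached, so the trade-off stays documented next to the change if the link goes away.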