download.lst | 4 ++-- external/nss/ExternalProject_nss.mk | 4 +--- external/nss/nss_macosx.patch | 35 +++++++++++++---------------------- 3 files changed, 16 insertions(+), 27 deletions(-)
New commits: commit 964caf77892404ae09dea260eb4ea4bc024ba7be Author: Michael Stahl <[email protected]> AuthorDate: Mon Mar 2 10:58:56 2026 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 14:29:19 2026 +0100 nss: upgrade to release 3.121 Fixes CVE-2026-2781 Change-Id: I49936c56638dc6ce2bc5d7cf7d591586d4c5924a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/200787 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit e340bae8d3fb6b8d5ba4880e4853b975d48e8a8e) diff --git a/download.lst b/download.lst index cfca538e7c5a..1e23ecdaae60 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := fb5aa56fa35d963d4c65278328e2e9c99c2484c86f0e41537412477739dcf997 -NSS_TARBALL := nss-3.120-with-nspr-4.38.2.tar.gz +NSS_SHA256SUM := 76b9a1364bc4522abc652c4d676498d5062f502f64e38b32e9e2c7a3fff530f1 +NSS_TARBALL := nss-3.121-with-nspr-4.38.2.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch index e553cfda7042..eac99c97d9d5 100644 --- a/external/nss/nss_macosx.patch +++ b/external/nss/nss_macosx.patch @@ -23,38 +23,23 @@ diff -ru a/nspr/configure b/nspr/configure diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk --- a/a/nss/coreconf/Darwin.mk 2014-09-29 16:50:22.992304799 +0100 +++ b/b/nss/coreconf/Darwin.mk 2014-09-29 16:51:59.214931953 +0100 -@@ -20,35 +20,37 @@ +@@ -20,6 +20,7 @@ + CPU_ARCH := $(shell uname -p) + endif - ifeq (,$(filter-out i%86,$(CPU_ARCH))) - ifdef USE_64 +ifeq (,$(findstring -arch ,$(CC))) + ifeq (,$(filter-out i%86 x86_64,$(CPU_ARCH))) + ifdef USE_64 CC += -arch x86_64 - CCC += -arch x86_64 -+endif - override CPU_ARCH = x86_64 +@@ -46,6 +47,7 @@ else - OS_REL_CFLAGS = -Di386 -+ifeq (,$(findstring -arch ,$(CC))) - CC += -arch i386 - CCC += -arch i386 -+endif - override CPU_ARCH = x86 + $(error Unknown CPU architecture) endif --else ifeq (,$(filter-out aarch64 arm,$(CPU_ARCH))) --CC += -arch arm64 --CCC += -arch arm64 --override CPU_ARCH = aarch64 --else ifeq (powerpc,$(CPU_ARCH)) --OS_REL_CFLAGS = -Dppc --CC += -arch ppc --CCC += -arch ppc --override CPU_ARCH = ppc - else -- $(error Unknown CPU architecture) -+ifeq (arm,$(CPU_ARCH)) -+# Nothing set for arm currently. -+else -+endif ++endif # findstring -arch + + ifeq (,$(filter-out ppc ppc64,$(CPU_ARCH))) + ifneq ($(NSS_DISABLE_CRYPTO_VSX),0) +@@ -54,12 +56,16 @@ endif ifneq (,$(MACOS_SDK_DIR)) commit 33f0f5a13e1f073f4237348b472dd82f1e897ef2 Author: Xisco Fauli <[email protected]> AuthorDate: Tue Jan 20 11:32:04 2026 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:05:20 2026 +0100 nss: upgrade to 3.120 Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_120_RTM/src/nss-3.120-with-nspr-4.38.2.tar.gz Change-Id: I710faca7e285ff4de9a86d8041a69d38f62e149c Reviewed-on: https://gerrit.libreoffice.org/c/core/+/197653 Reviewed-by: Xisco Fauli <[email protected]> Tested-by: Jenkins (cherry picked from commit 63f374caf3e7dda9999cf24ed53fd89dfc0f8725) diff --git a/download.lst b/download.lst index 531bc6557952..cfca538e7c5a 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := 1e86aacdce66c3bdd38bb011e617a3c93013ed6f802102365a589d6f686efe4b -NSS_TARBALL := nss-3.119.1-with-nspr-4.38.2.tar.gz +NSS_SHA256SUM := fb5aa56fa35d963d4c65278328e2e9c99c2484c86f0e41537412477739dcf997 +NSS_TARBALL := nss-3.120-with-nspr-4.38.2.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts commit 41eadeaeeb88781c03baf10ece61815bfeba7932 Author: Xisco Fauli <[email protected]> AuthorDate: Thu Dec 11 10:22:14 2025 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:05:09 2026 +0100 nss: upgrade to 3.119.1 Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_119_1_RTM/src/nss-3_119_1-with-nspr-4.38.2.tar.gz Change-Id: I281e1a7f7bb212e1e721deba6238f3bcc17795e3 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/195436 Reviewed-by: Xisco Fauli <[email protected]> Tested-by: Jenkins (cherry picked from commit a40ea776fe34d01682b4716d609e5b61d70226ae) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/195912 Reviewed-by: Christian Lohmaier <[email protected]> (cherry picked from commit 328e95ffa3734afeb8e85891530af73bf5d511f8) diff --git a/download.lst b/download.lst index ee87349a3d31..531bc6557952 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := 8f12f61ef814662bf991a289bc6724d078cd79f135e09e260adbc35dfa9acaf3 -NSS_TARBALL := nss-3.119-with-nspr-4.38.2.tar.gz +NSS_SHA256SUM := 1e86aacdce66c3bdd38bb011e617a3c93013ed6f802102365a589d6f686efe4b +NSS_TARBALL := nss-3.119.1-with-nspr-4.38.2.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch index eaa025f1c205..e553cfda7042 100644 --- a/external/nss/nss_macosx.patch +++ b/external/nss/nss_macosx.patch @@ -23,33 +23,38 @@ diff -ru a/nspr/configure b/nspr/configure diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk --- a/a/nss/coreconf/Darwin.mk 2014-09-29 16:50:22.992304799 +0100 +++ b/b/nss/coreconf/Darwin.mk 2014-09-29 16:51:59.214931953 +0100 -@@ -19,34 +19,39 @@ - endif +@@ -20,35 +20,37 @@ - ifeq (x86_64,$(CPU_ARCH)) + ifeq (,$(filter-out i%86,$(CPU_ARCH))) + ifdef USE_64 +ifeq (,$(findstring -arch ,$(CC))) CC += -arch x86_64 CCC += -arch x86_64 +endif override CPU_ARCH = x86_64 - else ifeq (i386,$(CPU_ARCH)) + else OS_REL_CFLAGS = -Di386 +ifeq (,$(findstring -arch ,$(CC))) CC += -arch i386 CCC += -arch i386 +endif override CPU_ARCH = x86 - else ifeq (,$(filter-out aarch64 arm,$(CPU_ARCH))) - CC += -arch arm64 - CCC += -arch arm64 - override CPU_ARCH = aarch64 - else ifeq (powerpc,$(CPU_ARCH)) + endif +-else ifeq (,$(filter-out aarch64 arm,$(CPU_ARCH))) +-CC += -arch arm64 +-CCC += -arch arm64 +-override CPU_ARCH = aarch64 +-else ifeq (powerpc,$(CPU_ARCH)) -OS_REL_CFLAGS = -Dppc -CC += -arch ppc -CCC += -arch ppc - override CPU_ARCH = ppc +-override CPU_ARCH = ppc else - $(error Unknown CPU architecture) +- $(error Unknown CPU architecture) ++ifeq (arm,$(CPU_ARCH)) ++# Nothing set for arm currently. ++else ++endif endif ifneq (,$(MACOS_SDK_DIR)) @@ -67,7 +72,7 @@ diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk # GCC <= 3 DARWIN_SDK_FRAMEWORKS = -F$(MACOS_SDK_DIR)/System/Library/Frameworks ifneq (,$(shell find $(MACOS_SDK_DIR)/Library/Frameworks -maxdepth 0)) -@@ -108,7 +113,7 @@ +@@ -111,7 +113,7 @@ # May override this with different compatibility and current version numbers. DARWIN_DYLIB_VERSIONS = -compatibility_version 1 -current_version 1 # May override this with -bundle to create a loadable module. commit acf91d7897749e61c241a0bcc3cde386ba08ccd4 Author: Christian Lohmaier <[email protected]> AuthorDate: Thu Dec 11 10:57:57 2025 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:04:50 2026 +0100 fix nss/nspr build on intel macs regression from aba5f8016965e42075e68faa17ddfd3b3213247d nss' Darwin.mk uses uname -p to decide on the platform if CPU_ARCH is not set, and that still returns i386 on intel macs – in the old version that still worked since there was an additional ifdef USE_64 check that then set it to x86_64, but that has since been removed and only the custom guards to not add additional -arch parameter to the compiler flags remain, resulting in the built to attempt a 32bit and that then fails when it comes to the assembly instructions: mpi/mpi_sse2.s:35:5: error: instruction requires: Not 64-bit mode push %ebp ^ mpi/mpi_sse2.s:37:5: error: instruction requires: Not 64-bit mode push %edi ^ mpi/mpi_sse2.s:38:5: error: instruction requires: Not 64-bit mode push %esi ^ […] So don't rely on auto-detection and specify it explicitly as it was done for the other variants already, ironically also already for building for intel on arm. But the additional check whether it is building on arm is not necessary, our CPUNAME is sufficient already and that now superfluous bit can be removed. Change-Id: Ic467b06beb9b73e2d177eedede886681aa668b15 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/195439 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> Reviewed-by: Dan Williams <[email protected]> (cherry picked from commit e11962c57a1a955f1509a653deea352583f3f77e) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/195490 Reviewed-by: Christian Lohmaier <[email protected]> (cherry picked from commit d5071c1e46da4d85085e423d104a11dbbf485d5d) diff --git a/external/nss/ExternalProject_nss.mk b/external/nss/ExternalProject_nss.mk index 63e8a3a87a86..2f2fead1e2ea 100644 --- a/external/nss/ExternalProject_nss.mk +++ b/external/nss/ExternalProject_nss.mk @@ -55,7 +55,7 @@ $(call gb_ExternalProject_get_state_target,nss,build): \ $(SRCDIR)/external/nss/nsinstall.py $(call gb_Trace_StartRange,nss,EXTERNAL) $(call gb_ExternalProject_run,build,\ - $(if $(filter ANDROID FREEBSD LINUX MACOSX,$(OS)),$(if $(filter X86_64,$(CPUNAME)),USE_64=1)) \ + $(if $(filter ANDROID FREEBSD LINUX MACOSX,$(OS)),$(if $(filter X86_64,$(CPUNAME)),USE_64=1 CPU_ARCH=x86_64)) \ $(if $(filter AARCH64,$(CPUNAME)),USE_64=1 CPU_ARCH=aarch64) \ $(if $(filter POWERPC64,$(CPUNAME)),USE_64=1 CPU_ARCH=ppc64le) \ $(if $(filter MACOSX,$(OS)),\ @@ -66,8 +66,6 @@ $(call gb_ExternalProject_get_state_target,nss,build): \ $(if $(filter ARM,$(CPUNAME)),NSS_DISABLE_ARM32_NEON=1) \ NSPR_CONFIGURE_OPTS="$(gb_CONFIGURE_PLATFORMS)" \ $(if $(CROSS_COMPILING),CROSS_COMPILE=1) \ - $(if $(filter MACOSX-X86_64-arm64,$(OS)-$(CPUNAME)-$(shell uname -m)), \ - CPU_ARCH=x86_64) \ NSDISTMODE=copy \ $(MAKE) \ AR="$(AR)" \ commit 273132fa7ef0c5cd159e5d15711c2f9e5769cfea Author: Xisco Fauli <[email protected]> AuthorDate: Fri Dec 5 14:20:42 2025 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:04:37 2026 +0100 nss: upgrade to 3.119 * external/nss/connectx.patch.0 has been fixed upstream Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_119_RTM/src/nss-3.119-with-nspr-4.38.2.tar.gz Change-Id: I0477965c9ab62f21684278e5ed7860360521b270 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/195081 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit aba5f8016965e42075e68faa17ddfd3b3213247d) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/195312 (cherry picked from commit fb22ad4fa2b3adc6b8502e6e22e6032a2075df21) diff --git a/download.lst b/download.lst index 91c226978eee..ee87349a3d31 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := 9e1f7da9f4e5e3bdfd73f7dc2c618d6125a12354aadaeedbb35af3699bc03e15 -NSS_TARBALL := nss-3.118.1-with-nspr-4.37.tar.gz +NSS_SHA256SUM := 8f12f61ef814662bf991a289bc6724d078cd79f135e09e260adbc35dfa9acaf3 +NSS_TARBALL := nss-3.119-with-nspr-4.38.2.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index a1e47c307a96..5915af095a54 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -28,7 +28,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/nss-restore-manual-pre-dependencies.patch.1 \ external/nss/Wincompatible-function-pointer-types.patch.0 \ external/nss/nspr-win95-target.patch \ - external/nss/connectx.patch.0 \ $(if $(filter LINUX,$(OS)), \ external/nss/nss.disablefsync.patch \ external/nss/nss.getrandom.patch) \ diff --git a/external/nss/connectx.patch.0 b/external/nss/connectx.patch.0 deleted file mode 100644 index 29c6fd1a8469..000000000000 --- a/external/nss/connectx.patch.0 +++ /dev/null @@ -1,11 +0,0 @@ ---- nspr/pr/src/pthreads/ptio.c -+++ nspr/pr/src/pthreads/ptio.c -@@ -1989,7 +1989,7 @@ - PRIntn flags, const PRNetAddr* addr, - PRIntervalTime timeout) { - # if defined(LINUX) || HAS_CONNECTX -- PRInt32 syserrno, bytes = -1; -+ PRInt32 syserrno; ssize_t bytes = -1; - PRBool fNeedContinue = PR_FALSE; - pt_SockLen addr_len; - const PRNetAddr* addrp = addr; diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch index 13cf0cda706b..eaa025f1c205 100644 --- a/external/nss/nss_macosx.patch +++ b/external/nss/nss_macosx.patch @@ -23,32 +23,33 @@ diff -ru a/nspr/configure b/nspr/configure diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk --- a/a/nss/coreconf/Darwin.mk 2014-09-29 16:50:22.992304799 +0100 +++ b/b/nss/coreconf/Darwin.mk 2014-09-29 16:51:59.214931953 +0100 -@@ -20,13 +20,17 @@ +@@ -19,34 +19,39 @@ + endif - ifeq (,$(filter-out i%86,$(CPU_ARCH))) - ifdef USE_64 + ifeq (x86_64,$(CPU_ARCH)) +ifeq (,$(findstring -arch ,$(CC))) CC += -arch x86_64 CCC += -arch x86_64 +endif override CPU_ARCH = x86_64 - else + else ifeq (i386,$(CPU_ARCH)) OS_REL_CFLAGS = -Di386 +ifeq (,$(findstring -arch ,$(CC))) CC += -arch i386 CCC += -arch i386 +endif override CPU_ARCH = x86 - endif - else -@@ -33,19 +37,20 @@ - ifeq (arm,$(CPU_ARCH)) - # Nothing set for arm currently. - else + else ifeq (,$(filter-out aarch64 arm,$(CPU_ARCH))) + CC += -arch arm64 + CCC += -arch arm64 + override CPU_ARCH = aarch64 + else ifeq (powerpc,$(CPU_ARCH)) -OS_REL_CFLAGS = -Dppc -CC += -arch ppc -CCC += -arch ppc - endif + override CPU_ARCH = ppc + else + $(error Unknown CPU architecture) endif ifneq (,$(MACOS_SDK_DIR)) commit 31e1f4b7f36ed6e66a045fb032c957c42376ec96 Author: Xisco Fauli <[email protected]> AuthorDate: Tue Nov 18 23:07:37 2025 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:02:25 2026 +0100 nss: upgrade to 3.118.1 Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_118_1_RTM/src/nss-3.118.1-with-nspr-4.37.tar.gz Change-Id: I9e9dcfed8e8f047862ff07c1f87220a52e26ae77 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/194179 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit 045bd3292b9db696b35e3983bec4a4c038c2b0a4) diff --git a/download.lst b/download.lst index 55b19aae7733..91c226978eee 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := cda19ca82e3f4839b0cb72fc633545a83b3f73dd3385a24a176860c461773a70 -NSS_TARBALL := nss-3.117-with-nspr-4.37.tar.gz +NSS_SHA256SUM := 9e1f7da9f4e5e3bdfd73f7dc2c618d6125a12354aadaeedbb35af3699bc03e15 +NSS_TARBALL := nss-3.118.1-with-nspr-4.37.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts commit 5bec7a6e4ae8f9b5184c04238130431e2ddad536 Author: Xisco Fauli <[email protected]> AuthorDate: Tue Oct 21 16:13:07 2025 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:02:12 2026 +0100 nss: upgrade to 3.117 Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_117_RTM/src/nss-3.117-with-nspr-4.37.tar.gz Change-Id: If381a7686a6d3db93e45778855ec74ee90be426b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/192799 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit b168b52022d59e79dc2c3a9ebdb1b8b968b9c3e2) diff --git a/download.lst b/download.lst index 4a45d09283db..55b19aae7733 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := af6f21bae9f16534988842597871754450fd6cdbd786750e7cd069f8d231ce10 -NSS_TARBALL := nss-3.116-with-nspr-4.37.tar.gz +NSS_SHA256SUM := cda19ca82e3f4839b0cb72fc633545a83b3f73dd3385a24a176860c461773a70 +NSS_TARBALL := nss-3.117-with-nspr-4.37.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts commit 2747356fd255220fd013dec77f2f6a8521f7001c Author: Stephan Bergmann <[email protected]> AuthorDate: Tue Sep 23 08:20:08 2025 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:01:58 2026 +0100 external/nss: Fix -Wincompatible-pointer-types ...on macOS, where connectx(2) "appeared in Darwin 15.0.0" according to its man page, and where recent Clang with <https://github.com/llvm/llvm-project/commit/b24769855d97697de08e2296a548c033f193caf4> "[Clang] [Sema] Make `-Wincompatible-pointer-types` an error by default (#157364)" now started to fail with > ../../../../pr/src/pthreads/ptio.c:2046:58: error: incompatible pointer types passing 'PRInt32 *' (aka 'int *') to parameter of type 'size_t *' (aka 'unsigned long *') [-Wincompatible-pointer-types] > 2046 | CONNECT_DATA_IDEMPOTENT, iov, 1, &bytes, NULL); > | ^~~~~~ > /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX26.0.sdk/usr/include/sys/socket.h:741:49: note: passing argument to parameter here > 741 | const struct iovec *, unsigned int, size_t *, sae_connid_t *); > | ^ > ../../../../pr/src/pthreads/ptio.c:2045:11: warning: unused variable 'rv' [-Wunused-variable] > 2045 | PRInt32 rv = connectx(fd->secret->md.osfd, &endpoints, SAE_ASSOCID_ANY, > | ^~ Change-Id: I047a987e443ab0283f38d997d03062fe969a65c5 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/191375 Tested-by: Jenkins Reviewed-by: Stephan Bergmann <[email protected]> (cherry picked from commit 1edb882cd03a632644f90003e07ca57f4268b053) diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index 5915af095a54..a1e47c307a96 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -28,6 +28,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/nss-restore-manual-pre-dependencies.patch.1 \ external/nss/Wincompatible-function-pointer-types.patch.0 \ external/nss/nspr-win95-target.patch \ + external/nss/connectx.patch.0 \ $(if $(filter LINUX,$(OS)), \ external/nss/nss.disablefsync.patch \ external/nss/nss.getrandom.patch) \ diff --git a/external/nss/connectx.patch.0 b/external/nss/connectx.patch.0 new file mode 100644 index 000000000000..29c6fd1a8469 --- /dev/null +++ b/external/nss/connectx.patch.0 @@ -0,0 +1,11 @@ +--- nspr/pr/src/pthreads/ptio.c ++++ nspr/pr/src/pthreads/ptio.c +@@ -1989,7 +1989,7 @@ + PRIntn flags, const PRNetAddr* addr, + PRIntervalTime timeout) { + # if defined(LINUX) || HAS_CONNECTX +- PRInt32 syserrno, bytes = -1; ++ PRInt32 syserrno; ssize_t bytes = -1; + PRBool fNeedContinue = PR_FALSE; + pt_SockLen addr_len; + const PRNetAddr* addrp = addr; commit 254496ad0eda2f310cf65bc39a920384e8209616 Author: Xisco Fauli <[email protected]> AuthorDate: Mon Sep 15 12:00:07 2025 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:01:40 2026 +0100 nss: upgrade to 3.116 0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 has been fixed upstream Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_116_RTM/src/nss-3.116-with-nspr-4.37.tar.gz Change-Id: I61f7efe779c89ca00e6698dd834cf282ea43f5d3 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/190960 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit c46712bcd7a6f811aa406f2db97d94d3d1b67350) diff --git a/download.lst b/download.lst index 6be7a60e91c5..4a45d09283db 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := 5ff67daaa778ff302ccacdd00e665ce71da59f05dcdaab62bcdab6e23c90d320 -NSS_TARBALL := nss-3.115.1-with-nspr-4.37.tar.gz +NSS_SHA256SUM := af6f21bae9f16534988842597871754450fd6cdbd786750e7cd069f8d231ce10 +NSS_TARBALL := nss-3.116-with-nspr-4.37.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 b/external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 deleted file mode 100644 index 8a1fa9c5cfb7..000000000000 --- a/external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 +++ /dev/null @@ -1,77 +0,0 @@ -From 41b30bd6ee62ed0b8420c45e71ea9f1e6e46cc67 Mon Sep 17 00:00:00 2001 -From: Robert Relyea <[email protected]> -Date: Tue, 19 Aug 2025 17:35:17 -0700 -Subject: [PATCH] Bug 1983399 lib/softtoken/{sdb.c,sftkdbti.h}: Align - sftkdb_known_attributes_size type r=rrelyea patch by nvinson234 - -sftkdb_known_attributes_size is defined with conflicting types. In /lib/softtoken/sdb.c it is defined as a 'const size_t'; whereas in lib/softtoken/sftkdbti.h it is defined as an 'unsigned int'. The correct type for sftkdb_known_attributes_size is size_t since its value is derived from the size of the sftkdb_known_attributes array. - -Differential Revision: https://phabricator.services.mozilla.com/D261440 - ---HG-- -extra : rebase_source : e234b04d1754b26d2b4e8b79978bd8403d85fa5e ---- - lib/softoken/sdb.c | 12 ++++++------ - lib/softoken/sftkdbti.h | 2 +- - 2 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c -index 8b5ce70e3..28480ee2a 100644 ---- nss/nss/lib/softoken/sdb.c -+++ nss/nss/lib/softoken/sdb.c -@@ -158,7 +158,7 @@ const CK_ATTRIBUTE_TYPE sftkdb_known_attributes[] = { - }; - // clang-format on - --const int sftkdb_known_attributes_size = PR_ARRAY_SIZE(sftkdb_known_attributes); -+const size_t sftkdb_known_attributes_size = PR_ARRAY_SIZE(sftkdb_known_attributes); - - /* - * Note on use of sqlReadDB: Only one thread at a time may have an actual -@@ -2024,8 +2024,8 @@ sdb_update_column(sqlite3 *sqlDB, const char *table, sdbDataType type) - } - /* we have more attributes than in the database, so we know things - * are missing, find what was missing */ -- for (int i = 0; i < sftkdb_known_attributes_size; i++) { -- char *typeString = sqlite3_mprintf("a%x", sftkdb_known_attributes[i]); -+ for (size_t i = 0; i < sftkdb_known_attributes_size; i++) { -+ char *typeString = sqlite3_mprintf("a%lx", sftkdb_known_attributes[i]); - PRBool found = PR_FALSE; - /* this one index is important, we skip the first column (id), since - * it will never match, starting at zero isn't a bug, -@@ -2072,7 +2072,6 @@ CK_RV - sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, - int *newInit, int inFlags, PRUint32 accessOps, SDB **pSdb) - { -- int i; - char *initStr = NULL; - char *newStr; - char *queryStr = NULL; -@@ -2136,8 +2135,9 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, - goto loser; - } - initStr = sqlite3_mprintf(""); -- for (i = 0; initStr && i < sftkdb_known_attributes_size; i++) { -- newStr = sqlite3_mprintf("%s, a%x", initStr, sftkdb_known_attributes[i]); -+ for (size_t i = 0; initStr && i < sftkdb_known_attributes_size; i++) { -+ newStr = sqlite3_mprintf("%s, a%lx", initStr, -+ sftkdb_known_attributes[i]); - sqlite3_free(initStr); - initStr = newStr; - } -diff --git a/lib/softoken/sftkdbti.h b/lib/softoken/sftkdbti.h -index c08334919..7dfbdabf1 100644 ---- nss/nss/lib/softoken/sftkdbti.h -+++ nss/nss/lib/softoken/sftkdbti.h -@@ -27,7 +27,7 @@ struct SFTKDBHandleStr { - }; - - extern const CK_ATTRIBUTE_TYPE sftkdb_known_attributes[]; --extern unsigned int sftkdb_known_attributes_size; -+extern size_t sftkdb_known_attributes_size; - - #define SFTK_KEYDB_TYPE 0x40000000 - #define SFTK_CERTDB_TYPE 0x00000000 --- -2.39.5 - diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index c1e9de7b777b..5915af095a54 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -39,7 +39,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/nss.windows.patch \ external/nss/nss.nowerror.patch \ external/nss/nss.utf8bom.patch.1) \ - external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 \ )) ifeq ($(COM_IS_CLANG),TRUE) commit 04131c3b1264d595ba8166a6b87606c1777270f5 Author: Xisco Fauli <[email protected]> AuthorDate: Tue Aug 26 13:34:18 2025 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:01:28 2026 +0100 nss: fix aarch64 build dbtool.obj : error LNK2048: relocation PAGEOFFSET_12L targeting 'sftkdb_known_attributes_size' (00007F3C) is invalid for the instruction (F9400108 at RVA 000017B8) at section 0xD offset 0x48, due to bad alignment of offset to target (F3C); expected to be 8 bytes aligned dbtool.obj : error LNK2048: relocation PAGEOFFSET_12L targeting 'sftkdb_known_attributes_size' (00007F3C) is invalid for the instruction (F9400108 at RVA 00001B20) at section 0xD offset 0x3B0, due to bad alignment of offset to target (F3C); expected to be 8 bytes aligned Change-Id: I7c5331d4976073a7a84575fec5f66db0f12d54cd Reviewed-on: https://gerrit.libreoffice.org/c/core/+/190219 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit 9653afbbe9ed5b124b2fc3186577c3788f664692) diff --git a/external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 b/external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 new file mode 100644 index 000000000000..8a1fa9c5cfb7 --- /dev/null +++ b/external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 @@ -0,0 +1,77 @@ +From 41b30bd6ee62ed0b8420c45e71ea9f1e6e46cc67 Mon Sep 17 00:00:00 2001 +From: Robert Relyea <[email protected]> +Date: Tue, 19 Aug 2025 17:35:17 -0700 +Subject: [PATCH] Bug 1983399 lib/softtoken/{sdb.c,sftkdbti.h}: Align + sftkdb_known_attributes_size type r=rrelyea patch by nvinson234 + +sftkdb_known_attributes_size is defined with conflicting types. In /lib/softtoken/sdb.c it is defined as a 'const size_t'; whereas in lib/softtoken/sftkdbti.h it is defined as an 'unsigned int'. The correct type for sftkdb_known_attributes_size is size_t since its value is derived from the size of the sftkdb_known_attributes array. + +Differential Revision: https://phabricator.services.mozilla.com/D261440 + +--HG-- +extra : rebase_source : e234b04d1754b26d2b4e8b79978bd8403d85fa5e +--- + lib/softoken/sdb.c | 12 ++++++------ + lib/softoken/sftkdbti.h | 2 +- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c +index 8b5ce70e3..28480ee2a 100644 +--- nss/nss/lib/softoken/sdb.c ++++ nss/nss/lib/softoken/sdb.c +@@ -158,7 +158,7 @@ const CK_ATTRIBUTE_TYPE sftkdb_known_attributes[] = { + }; + // clang-format on + +-const int sftkdb_known_attributes_size = PR_ARRAY_SIZE(sftkdb_known_attributes); ++const size_t sftkdb_known_attributes_size = PR_ARRAY_SIZE(sftkdb_known_attributes); + + /* + * Note on use of sqlReadDB: Only one thread at a time may have an actual +@@ -2024,8 +2024,8 @@ sdb_update_column(sqlite3 *sqlDB, const char *table, sdbDataType type) + } + /* we have more attributes than in the database, so we know things + * are missing, find what was missing */ +- for (int i = 0; i < sftkdb_known_attributes_size; i++) { +- char *typeString = sqlite3_mprintf("a%x", sftkdb_known_attributes[i]); ++ for (size_t i = 0; i < sftkdb_known_attributes_size; i++) { ++ char *typeString = sqlite3_mprintf("a%lx", sftkdb_known_attributes[i]); + PRBool found = PR_FALSE; + /* this one index is important, we skip the first column (id), since + * it will never match, starting at zero isn't a bug, +@@ -2072,7 +2072,6 @@ CK_RV + sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, + int *newInit, int inFlags, PRUint32 accessOps, SDB **pSdb) + { +- int i; + char *initStr = NULL; + char *newStr; + char *queryStr = NULL; +@@ -2136,8 +2135,9 @@ sdb_init(char *dbname, char *table, sdbDataType type, int *inUpdate, + goto loser; + } + initStr = sqlite3_mprintf(""); +- for (i = 0; initStr && i < sftkdb_known_attributes_size; i++) { +- newStr = sqlite3_mprintf("%s, a%x", initStr, sftkdb_known_attributes[i]); ++ for (size_t i = 0; initStr && i < sftkdb_known_attributes_size; i++) { ++ newStr = sqlite3_mprintf("%s, a%lx", initStr, ++ sftkdb_known_attributes[i]); + sqlite3_free(initStr); + initStr = newStr; + } +diff --git a/lib/softoken/sftkdbti.h b/lib/softoken/sftkdbti.h +index c08334919..7dfbdabf1 100644 +--- nss/nss/lib/softoken/sftkdbti.h ++++ nss/nss/lib/softoken/sftkdbti.h +@@ -27,7 +27,7 @@ struct SFTKDBHandleStr { + }; + + extern const CK_ATTRIBUTE_TYPE sftkdb_known_attributes[]; +-extern unsigned int sftkdb_known_attributes_size; ++extern size_t sftkdb_known_attributes_size; + + #define SFTK_KEYDB_TYPE 0x40000000 + #define SFTK_CERTDB_TYPE 0x00000000 +-- +2.39.5 + diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index 5915af095a54..c1e9de7b777b 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -39,6 +39,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/nss.windows.patch \ external/nss/nss.nowerror.patch \ external/nss/nss.utf8bom.patch.1) \ + external/nss/0001-Bug-1983399-lib-softtoken-sdb.c-sftkdbti.h-Align-sft.patch.1 \ )) ifeq ($(COM_IS_CLANG),TRUE) commit 68b443006eb9bf5e370c78955dd4fcc7803daed6 Author: Xisco Fauli <[email protected]> AuthorDate: Fri Aug 22 11:30:09 2025 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:01:20 2026 +0100 nss: upgrade to 3.115.1 Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_115_1_RTM/src/nss-3.115.1-with-nspr-4.37.tar.gz Change-Id: Ie887520c9177bfca2a7aff78787f14109bb3c4fc Reviewed-on: https://gerrit.libreoffice.org/c/core/+/190052 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit c55cd1bbef1d59bbf8733556a6cc7fcc8797ee17) diff --git a/download.lst b/download.lst index a2664071b9e8..6be7a60e91c5 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := 83503e5c77024ecc6349e9d7216a8e8aa2423495da4ff752a65ad128638abacf -NSS_TARBALL := nss-3.115-with-nspr-4.37.tar.gz +NSS_SHA256SUM := 5ff67daaa778ff302ccacdd00e665ce71da59f05dcdaab62bcdab6e23c90d320 +NSS_TARBALL := nss-3.115.1-with-nspr-4.37.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts commit 1209a2c45930bc48b6948874d3f493111f756397 Author: Xisco Fauli <[email protected]> AuthorDate: Fri Aug 15 22:34:39 2025 +0200 Commit: Michael Stahl <[email protected]> CommitDate: Mon Mar 2 12:01:11 2026 +0100 nss: upgrade to 3.115 Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_115_RTM/src/nss-3.115-with-nspr-4.37.tar.gz Change-Id: I285043704622fa23a72bf5fd9932c20c2953d374 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/189729 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit c2d0d27c6c132f6844b8eaaa8e3e05357f6c42d3) diff --git a/download.lst b/download.lst index 599d18377b18..a2664071b9e8 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := aa927a8610354483b52fdb3c9445f3e2f4a231cc03754ed47e96d2697c2e2329 -NSS_TARBALL := nss-3.114-with-nspr-4.37.tar.gz +NSS_SHA256SUM := 83503e5c77024ecc6349e9d7216a8e8aa2423495da4ff752a65ad128638abacf +NSS_TARBALL := nss-3.115-with-nspr-4.37.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts
