Accepting request 90154 from mozilla:Factory

Please consider for 12.1 (would need to be released as update otherwise) - explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753) - make sure NSS_NoDB_Init does not try to use wrong certificate databases (CVE-2011-3640, bnc#726096, bmo#641052) OBS-URL: https://build.opensuse.org/request/show/90154 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=62
2011-11-07 13:22:38 +00:00 · 2011-11-07 13:22:38 +00:00 · 763f240ade
commit 763f240ade
parent 251217c211 7a675fbd45
4 changed files with 874 additions and 167 deletions
--- a/nss-3.12.11-diginotar.patch
+++ b/nss-3.12.11-diginotar.patch
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,7 +1,14 @@
+-------------------------------------------------------------------
+Sat Nov  5 10:47:51 UTC 2011 - wr@rosenauer.org
+
+- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
+- make sure NSS_NoDB_Init does not try to use wrong certificate
+  databases (CVE-2011-3640, bnc#726096, bmo#641052)
+
 -------------------------------------------------------------------
 Fri Sep 30 23:27:07 UTC 2011 - crrodriguez@opensuse.org

- Workaround qemu-arm bugs. 
+- Workaround qemu-arm bugs.

 -------------------------------------------------------------------
 Fri Sep  9 05:44:15 UTC 2011 - wr@rosenauer.org
--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -56,7 +56,8 @@ Patch4:         char.patch
 Patch5:         nss-no-rpath.patch
 Patch6:         renegotiate-transitional.patch
 Patch9:         malloc.patch
-Patch10:        nss-3.12.11-diginotar.patch
+Patch10:        ckbi-1_88.patch
+Patch11:        nss-3.12.11_CVE-2011-3640.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@ -174,7 +175,8 @@ cd mozilla
 %if %suse_version > 1110
 %patch9
 %endif
-%patch10 -p2
+%patch10 -p1
+%patch11
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
--- a/nss-3.12.11_CVE-2011-3640.patch
+++ b/nss-3.12.11_CVE-2011-3640.patch
@ -0,0 +1,141 @@
+Index: security/nss/lib/softoken/sftkmod.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v
+retrieving revision 1.7
+diff -u -p -r1.7 sftkmod.c
+--- security/nss/lib/softoken/sftkmod.c	11 Jun 2009 06:28:07 -0000	1.7
+++ security/nss/lib/softoken/sftkmod.c	5 Nov 2011 11:55:24 -0000
+@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
+     char *sep;
+ 
+     sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
+-#ifdef WINDOWS
+#ifdef _WIN32
+     if (!sep) {
+-	sep = PORT_Strrchr(dirPath,'/');
+	/* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
+	sep = PORT_Strrchr(dirPath,'\\');
+     }
+ #endif
+     if (sep) {
+-	*(sep)=0;
+	*sep = 0;
+	file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+    } else {
+	file = PR_smprintf("%s", filename);
+     }
+-    file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+     PORT_Free(dirPath);
+     return file;
+ }
+@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+     char *paramsValue=NULL;
+     PRBool failed = PR_TRUE;
+ 
+-    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+    if ((dbname != NULL) &&
+		((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ 	return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
+     }
+ 
+     moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+     if (moduleList == NULL) return NULL;
+ 
+    if (dbname == NULL) {
+	goto return_default;
+    }
+
+     /* do we really want to use streams here */
+     fd = fopen(dbname, "r");
+     if (fd == NULL) goto done;
+@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+ 	moduleString = NULL;
+     }
+ done:
+-    /* if we couldn't open a pkcs11 database, look for the old one */
+    /* If we couldn't open a pkcs11 database, look for the old one.
+     * This is necessary to maintain the semantics of the transition from
+     * old to new DB's. If there is an old DB and not new DB, we will
+     * automatically use the old DB. If the DB was opened read/write, we
+     * create a new db and upgrade it from the old one. */
+     if (fd == NULL) {
+ 	char *olddbname = sftk_getOldSecmodName(dbname,filename);
+ 	PRStatus status;
+@@ -462,6 +474,8 @@ bail:
+ 	    PR_smprintf_free(olddbname);
+ 	}
+     }
+
+return_default:
+ 	
+     if (!moduleList[0]) {
+ 	char * newParams;
+@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
+ 			const char *filename, const char *dbname, 
+ 			char **moduleSpecList, PRBool rw)
+ {
+-    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+    if ((dbname != NULL) &&
+		((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ 	return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname, 
+ 					  moduleSpecList, rw);
+     }
+@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+     PRBool skip = PR_FALSE;
+     PRBool found = PR_FALSE;
+ 
+    if (dbname == NULL) {
+	return SECFailure;
+    }
+
+     if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ 	return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
+     }
+@@ -668,6 +687,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
+     char *block = NULL;
+     PRBool libFound = PR_FALSE;
+ 
+    if (dbname == NULL) {
+	return SECFailure;
+    }
+
+     if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ 	return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
+     }
+Index: security/nss/lib/softoken/sftkpars.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v
+retrieving revision 1.11
+diff -u -p -r1.11 sftkpars.c
+--- security/nss/lib/softoken/sftkpars.c	18 Jun 2010 04:09:27 -0000	1.11
+++ security/nss/lib/softoken/sftkpars.c	5 Nov 2011 11:55:24 -0000
+@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType 
+     char *value = NULL;
+     char *save_params = param;
+     const char *lconfigdir;
+    PRBool noModDB = PR_FALSE;
+     param = sftk_argStrip(param);
+ 	
+ 
+@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType 
+ 
+    if (sftk_argHasFlag("flags","noModDB",save_params)) {
+ 	/* there isn't a module db, don't load the legacy support */
+	noModDB = PR_TRUE;
+ 	*dbType = SDB_SQL;
+	PORT_Free(*filename);
+	*filename = NULL;
+         *rw = PR_FALSE;
+    }
+ 
+@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType 
+ 	secmodName="pkcs11.txt";
+    }
+ 
+-   if (lconfigdir) {
+   if (noModDB) {
+	value = NULL;
+   } else if (lconfigdir && lconfigdir[0] != '\0') {
+ 	value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
+    } else {
+ 	value = PR_smprintf("%s",secmodName);