diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 9149789..2326ed5 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -2,6 +2,8 @@ Sat Nov 5 10:47:51 UTC 2011 - wr@rosenauer.org - explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753) +- make sure NSS_NoDB_Init does not try to use wrong certificate + databases (CVE-2011-3640, bnc#726096, bmo#641052) ------------------------------------------------------------------- Fri Sep 30 23:27:07 UTC 2011 - crrodriguez@opensuse.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index b84f07f..32f92d9 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -57,6 +57,7 @@ Patch5: nss-no-rpath.patch Patch6: renegotiate-transitional.patch Patch9: malloc.patch Patch10: ckbi-1_88.patch +Patch11: nss-3.12.11_CVE-2011-3640.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -175,6 +176,7 @@ cd mozilla %patch9 %endif %patch10 -p1 +%patch11 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt diff --git a/nss-3.12.11_CVE-2011-3640.patch b/nss-3.12.11_CVE-2011-3640.patch new file mode 100644 index 0000000..89bdf71 --- /dev/null +++ b/nss-3.12.11_CVE-2011-3640.patch @@ -0,0 +1,141 @@ +Index: security/nss/lib/softoken/sftkmod.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v +retrieving revision 1.7 +diff -u -p -r1.7 sftkmod.c +--- security/nss/lib/softoken/sftkmod.c 11 Jun 2009 06:28:07 -0000 1.7 ++++ security/nss/lib/softoken/sftkmod.c 5 Nov 2011 11:55:24 -0000 +@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char * + char *sep; + + sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR); +-#ifdef WINDOWS ++#ifdef _WIN32 + if (!sep) { +- sep = PORT_Strrchr(dirPath,'/'); ++ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */ ++ sep = PORT_Strrchr(dirPath,'\\'); + } + #endif + if (sep) { +- *(sep)=0; ++ *sep = 0; ++ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename); ++ } else { ++ file = PR_smprintf("%s", filename); + } +- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename); + PORT_Free(dirPath); + return file; + } +@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons + char *paramsValue=NULL; + PRBool failed = PR_TRUE; + +- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { ++ if ((dbname != NULL) && ++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) { + return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw); + } + + moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **)); + if (moduleList == NULL) return NULL; + ++ if (dbname == NULL) { ++ goto return_default; ++ } ++ + /* do we really want to use streams here */ + fd = fopen(dbname, "r"); + if (fd == NULL) goto done; +@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons + moduleString = NULL; + } + done: +- /* if we couldn't open a pkcs11 database, look for the old one */ ++ /* If we couldn't open a pkcs11 database, look for the old one. ++ * This is necessary to maintain the semantics of the transition from ++ * old to new DB's. If there is an old DB and not new DB, we will ++ * automatically use the old DB. If the DB was opened read/write, we ++ * create a new db and upgrade it from the old one. */ + if (fd == NULL) { + char *olddbname = sftk_getOldSecmodName(dbname,filename); + PRStatus status; +@@ -462,6 +474,8 @@ bail: + PR_smprintf_free(olddbname); + } + } ++ ++return_default: + + if (!moduleList[0]) { + char * newParams; +@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp + const char *filename, const char *dbname, + char **moduleSpecList, PRBool rw) + { +- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { ++ if ((dbname != NULL) && ++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) { + return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname, + moduleSpecList, rw); + } +@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co + PRBool skip = PR_FALSE; + PRBool found = PR_FALSE; + ++ if (dbname == NULL) { ++ return SECFailure; ++ } ++ + if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { + return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw); + } +@@ -668,6 +687,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const + char *block = NULL; + PRBool libFound = PR_FALSE; + ++ if (dbname == NULL) { ++ return SECFailure; ++ } ++ + if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { + return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw); + } +Index: security/nss/lib/softoken/sftkpars.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v +retrieving revision 1.11 +diff -u -p -r1.11 sftkpars.c +--- security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11 ++++ security/nss/lib/softoken/sftkpars.c 5 Nov 2011 11:55:24 -0000 +@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType + char *value = NULL; + char *save_params = param; + const char *lconfigdir; ++ PRBool noModDB = PR_FALSE; + param = sftk_argStrip(param); + + +@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType + + if (sftk_argHasFlag("flags","noModDB",save_params)) { + /* there isn't a module db, don't load the legacy support */ ++ noModDB = PR_TRUE; + *dbType = SDB_SQL; ++ PORT_Free(*filename); ++ *filename = NULL; + *rw = PR_FALSE; + } + +@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType + secmodName="pkcs11.txt"; + } + +- if (lconfigdir) { ++ if (noModDB) { ++ value = NULL; ++ } else if (lconfigdir && lconfigdir[0] != '\0') { + value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName); + } else { + value = PR_smprintf("%s",secmodName);