- make sure NSS_NoDB_Init does not try to use wrong certificate

databases (CVE-2011-3640, bnc#726096, bmo#641052)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=86
This commit is contained in:
Wolfgang Rosenauer 2011-11-05 12:00:04 +00:00 committed by Git OBS Bridge
parent 84b82c7866
commit 7a675fbd45
3 changed files with 145 additions and 0 deletions

View File

@ -2,6 +2,8 @@
Sat Nov 5 10:47:51 UTC 2011 - wr@rosenauer.org Sat Nov 5 10:47:51 UTC 2011 - wr@rosenauer.org
- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753) - explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
- make sure NSS_NoDB_Init does not try to use wrong certificate
databases (CVE-2011-3640, bnc#726096, bmo#641052)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 30 23:27:07 UTC 2011 - crrodriguez@opensuse.org Fri Sep 30 23:27:07 UTC 2011 - crrodriguez@opensuse.org

View File

@ -57,6 +57,7 @@ Patch5: nss-no-rpath.patch
Patch6: renegotiate-transitional.patch Patch6: renegotiate-transitional.patch
Patch9: malloc.patch Patch9: malloc.patch
Patch10: ckbi-1_88.patch Patch10: ckbi-1_88.patch
Patch11: nss-3.12.11_CVE-2011-3640.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@ -175,6 +176,7 @@ cd mozilla
%patch9 %patch9
%endif %endif
%patch10 -p1 %patch10 -p1
%patch11
# additional CA certificates # additional CA certificates
#cd security/nss/lib/ckfw/builtins #cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt #cat %{SOURCE2} >> certdata.txt

View File

@ -0,0 +1,141 @@
Index: security/nss/lib/softoken/sftkmod.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v
retrieving revision 1.7
diff -u -p -r1.7 sftkmod.c
--- security/nss/lib/softoken/sftkmod.c 11 Jun 2009 06:28:07 -0000 1.7
+++ security/nss/lib/softoken/sftkmod.c 5 Nov 2011 11:55:24 -0000
@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
char *sep;
sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
-#ifdef WINDOWS
+#ifdef _WIN32
if (!sep) {
- sep = PORT_Strrchr(dirPath,'/');
+ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
+ sep = PORT_Strrchr(dirPath,'\\');
}
#endif
if (sep) {
- *(sep)=0;
+ *sep = 0;
+ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+ } else {
+ file = PR_smprintf("%s", filename);
}
- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
PORT_Free(dirPath);
return file;
}
@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
char *paramsValue=NULL;
PRBool failed = PR_TRUE;
- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ if ((dbname != NULL) &&
+ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
}
moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
if (moduleList == NULL) return NULL;
+ if (dbname == NULL) {
+ goto return_default;
+ }
+
/* do we really want to use streams here */
fd = fopen(dbname, "r");
if (fd == NULL) goto done;
@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
moduleString = NULL;
}
done:
- /* if we couldn't open a pkcs11 database, look for the old one */
+ /* If we couldn't open a pkcs11 database, look for the old one.
+ * This is necessary to maintain the semantics of the transition from
+ * old to new DB's. If there is an old DB and not new DB, we will
+ * automatically use the old DB. If the DB was opened read/write, we
+ * create a new db and upgrade it from the old one. */
if (fd == NULL) {
char *olddbname = sftk_getOldSecmodName(dbname,filename);
PRStatus status;
@@ -462,6 +474,8 @@ bail:
PR_smprintf_free(olddbname);
}
}
+
+return_default:
if (!moduleList[0]) {
char * newParams;
@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
const char *filename, const char *dbname,
char **moduleSpecList, PRBool rw)
{
- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ if ((dbname != NULL) &&
+ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname,
moduleSpecList, rw);
}
@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
PRBool skip = PR_FALSE;
PRBool found = PR_FALSE;
+ if (dbname == NULL) {
+ return SECFailure;
+ }
+
if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
}
@@ -668,6 +687,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
char *block = NULL;
PRBool libFound = PR_FALSE;
+ if (dbname == NULL) {
+ return SECFailure;
+ }
+
if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
}
Index: security/nss/lib/softoken/sftkpars.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v
retrieving revision 1.11
diff -u -p -r1.11 sftkpars.c
--- security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11
+++ security/nss/lib/softoken/sftkpars.c 5 Nov 2011 11:55:24 -0000
@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType
char *value = NULL;
char *save_params = param;
const char *lconfigdir;
+ PRBool noModDB = PR_FALSE;
param = sftk_argStrip(param);
@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType
if (sftk_argHasFlag("flags","noModDB",save_params)) {
/* there isn't a module db, don't load the legacy support */
+ noModDB = PR_TRUE;
*dbType = SDB_SQL;
+ PORT_Free(*filename);
+ *filename = NULL;
*rw = PR_FALSE;
}
@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType
secmodName="pkcs11.txt";
}
- if (lconfigdir) {
+ if (noModDB) {
+ value = NULL;
+ } else if (lconfigdir && lconfigdir[0] != '\0') {
value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
} else {
value = PR_smprintf("%s",secmodName);