diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2012-07-03 11:04:12 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-07-03 11:04:12 +0000 |
commit | 9abcd899b8e98b5c862f44331591f9d64fefaff5 (patch) | |
tree | 78e97f2f820788187b153cdfb9aa9da0dcb3964f | |
parent | c6218a94cd4c77f12a2a44b5d2e4be97ae47ff68 (diff) | |
download | aports-9abcd899b8e98b5c862f44331591f9d64fefaff5.tar.bz2 aports-9abcd899b8e98b5c862f44331591f9d64fefaff5.tar.xz |
main/nss: fix CVE-2012-0441
fixes #1215
-rw-r--r-- | main/nss/APKBUILD | 31 | ||||
-rw-r--r-- | main/nss/CVE-2012-0441.patch | 202 | ||||
-rw-r--r-- | main/nss/cve-2011-3640.patch | 141 | ||||
-rw-r--r-- | main/nss/nss-no-rpath.patch | 4 |
4 files changed, 364 insertions, 14 deletions
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD index 4e5a6436c1..71e4a2a618 100644 --- a/main/nss/APKBUILD +++ b/main/nss/APKBUILD @@ -2,7 +2,7 @@ pkgname=nss pkgver=3.12.8 _ver=3_12_8 -pkgrel=0 +pkgrel=1 pkgdesc="Mozilla Network Security Services" url="http://www.mozilla.org/projects/security/pki/nss/" license="MPL GPL" @@ -14,19 +14,24 @@ source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src nss.pc.in nss-config.in add_spi+cacert_ca_certs.patch - ssl-renegotiate-transitional.patch" + ssl-renegotiate-transitional.patch + cve-2011-3640.patch + CVE-2012-0441.patch + " depends_dev="nspr-dev" _builddir="$srcdir"/$pkgname-$pkgver prepare() { cd "$_builddir" - patch -Np1 -i ""$srcdir"/add_spi+cacert_ca_certs.patch" || return 1 - patch -Np1 -i ""$srcdir"/ssl-renegotiate-transitional.patch" || return 1 - patch -Np0 -i ""$srcdir"/nss-no-rpath.patch" || return 1 + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done # Respect LDFLAGS sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' \ - mozilla/security/coreconf/rules.mk + mozilla/security/coreconf/rules.mk || return 1 } @@ -41,9 +46,9 @@ build() { export NSPR_INCLUDE_DIR=`pkg-config --cflags-only-I nspr | sed 's/-I//'` export NSPR_LIB_DIR=`pkg-config --libs-only-L nspr | sed 's/-L.//'` export XCFLAGS="${CFLAGS}" - make -j 1 -C mozilla/security/coreconf || return 1 - make -j 1 -C mozilla/security/dbm || return 1 - make -j 1 -C mozilla/security/nss || return 1 + make -j 1 -C mozilla/security/coreconf OS_RELEASE=2.6 || return 1 + make -j 1 -C mozilla/security/dbm OS_RELEASE=2.6 || return 1 + make -j 1 -C mozilla/security/nss OS_RELEASE=2.6 || return 1 } package() { @@ -110,8 +115,10 @@ libnss() { } md5sums="40bf1bb0c7567827d3768d1fc6081100 nss-3.12.8.tar.gz -e5c97db0c884d5f4cfda21e562dc9bba nss-no-rpath.patch +7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch +d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch +b61ff98f6b0d055f55883b4a36d1fa90 nss-no-rpath.patch c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in 46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in -7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch -d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch" +3774b459c4f7c70e9289249f6f566f48 cve-2011-3640.patch +447db747c4d5b10151a8a65be3bf76e3 CVE-2012-0441.patch" diff --git a/main/nss/CVE-2012-0441.patch b/main/nss/CVE-2012-0441.patch new file mode 100644 index 0000000000..bfb102f1c9 --- /dev/null +++ b/main/nss/CVE-2012-0441.patch @@ -0,0 +1,202 @@ +Index: nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/keydb.c 2012-06-02 09:40:33.313201758 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c 2012-06-02 09:44:24.107462120 +0200 +@@ -1790,6 +1790,35 @@ + rv = SEC_QuickDERDecodeItem(permarena, pk, + nsslowkey_RSAPrivateKeyTemplate, + &newPrivateKey); ++ if (rv == SECSuccess) { ++ break; ++ } ++ /* Try decoding with the alternative template, but only allow ++ * a zero-length modulus for a secret key object. ++ * See bug 715073. ++ */ ++ rv = SEC_QuickDERDecodeItem(permarena, pk, ++ nsslowkey_RSAPrivateKeyTemplate2, ++ &newPrivateKey); ++ /* A publicExponent of 0 is the defining property of a secret ++ * key disguised as an RSA key. When decoding with the ++ * alternative template, only accept a secret key with an ++ * improperly encoded modulus and a publicExponent of 0. ++ */ ++ if (rv == SECSuccess) { ++ if (pk->u.rsa.modulus.len == 2 && ++ pk->u.rsa.modulus.data[0] == SEC_ASN1_INTEGER && ++ pk->u.rsa.modulus.data[1] == 0 && ++ pk->u.rsa.publicExponent.len == 1 && ++ pk->u.rsa.publicExponent.data[0] == 0) { ++ /* Fix the zero-length integer by setting it to 0. */ ++ pk->u.rsa.modulus.data = pk->u.rsa.publicExponent.data; ++ pk->u.rsa.modulus.len = pk->u.rsa.publicExponent.len; ++ } else { ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ rv = SECFailure; ++ } ++ } + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + pk->keyType = NSSLOWKEYDSAKey; +Index: nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c 2012-06-02 09:40:33.313201758 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c 2012-06-02 09:42:35.354166672 +0200 +@@ -818,11 +818,16 @@ + privKey->keyType = NSSLOWKEYRSAKey; + + /* The modulus is set to the key id of the symmetric key */ +- crv = lg_Attribute2SecItem(arena, CKA_ID, templ, count, +- &privKey->u.rsa.modulus); +- if (crv != CKR_OK) goto loser; ++ privKey->u.rsa.modulus.data = ++ (unsigned char *) PORT_ArenaAlloc(arena, pubkey->len); ++ if (privKey->u.rsa.modulus.data == NULL) { ++ crv = CKR_HOST_MEMORY; ++ goto loser; ++ } ++ privKey->u.rsa.modulus.len = pubkey->len; ++ PORT_Memcpy(privKey->u.rsa.modulus.data, pubkey->data, pubkey->len); + +- /* The public exponent is set to 0 length to indicate a special key */ ++ /* The public exponent is set to 0 to indicate a special key */ + privKey->u.rsa.publicExponent.len = sizeof derZero; + privKey->u.rsa.publicExponent.data = derZero; + +Index: nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lowkey.c 2012-06-02 09:40:33.317201659 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c 2012-06-02 09:45:10.962296923 +0200 +@@ -97,6 +97,24 @@ + { 0 } + }; + ++/* ++ * Allows u.rsa.modulus to be zero length for secret keys with an empty ++ * CKA_ID incorrectly generated in NSS 3.13.3 or earlier. Only used for ++ * decoding. See bug 715073. ++ */ ++const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate2[] = { ++ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) }, ++ { SEC_ASN1_ANY, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) }, ++ { 0 } ++}; + + const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, +Index: nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h 2012-06-02 09:40:33.317201659 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h 2012-06-02 09:43:25.700914607 +0200 +@@ -72,6 +72,7 @@ + */ + extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[]; + extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[]; ++extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate2[]; + extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[]; + extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[]; + extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[]; +Index: nss/mozilla/security/nss/lib/util/quickder.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/util/quickder.c 2012-06-02 09:40:33.341201062 +0200 ++++ nss/mozilla/security/nss/lib/util/quickder.c 2012-06-02 09:42:36.418140213 +0200 +@@ -815,40 +815,57 @@ + SECItem newtemp = temp; + rv = GetItem(&newtemp, &temp, PR_FALSE); + save = PR_TRUE; +- if ((SECSuccess == rv) && SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK)) +- switch (kind & SEC_ASN1_TAGNUM_MASK) ++ if ((SECSuccess == rv) && ++ SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK)) + { +- /* special cases of primitive types */ +- case SEC_ASN1_INTEGER: ++ unsigned long tagnum = kind & SEC_ASN1_TAGNUM_MASK; ++ if ( temp.len == 0 && (tagnum == SEC_ASN1_BOOLEAN || ++ tagnum == SEC_ASN1_INTEGER || ++ tagnum == SEC_ASN1_BIT_STRING || ++ tagnum == SEC_ASN1_OBJECT_ID || ++ tagnum == SEC_ASN1_ENUMERATED || ++ tagnum == SEC_ASN1_UTC_TIME || ++ tagnum == SEC_ASN1_GENERALIZED_TIME) ) + { +- /* remove leading zeroes if the caller requested siUnsignedInteger +- This is to allow RSA key operations to work */ +- SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset); +- if (destItem && (siUnsignedInteger == destItem->type)) ++ /* these types MUST have at least one content octet */ ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ rv = SECFailure; ++ } ++ else ++ switch (tagnum) ++ { ++ /* special cases of primitive types */ ++ case SEC_ASN1_INTEGER: + { +- while (temp.len > 1 && temp.data[0] == 0) +- { /* leading 0 */ +- temp.data++; +- temp.len--; ++ /* remove leading zeroes if the caller requested ++ siUnsignedInteger ++ This is to allow RSA key operations to work */ ++ SECItem* destItem = (SECItem*) ((char*)dest + ++ templateEntry->offset); ++ if (destItem && (siUnsignedInteger == destItem->type)) ++ { ++ while (temp.len > 1 && temp.data[0] == 0) ++ { /* leading 0 */ ++ temp.data++; ++ temp.len--; ++ } + } ++ break; + } +- break; +- } + +- case SEC_ASN1_BIT_STRING: +- { +- /* change the length in the SECItem to be the number of bits */ +- if (temp.len && temp.data) ++ case SEC_ASN1_BIT_STRING: + { +- temp.len = (temp.len-1)*8 - ((*(unsigned char*)temp.data) & 0x7); +- temp.data = (unsigned char*)(temp.data+1); ++ /* change the length in the SECItem to be the number ++ of bits */ ++ temp.len = (temp.len-1)*8 - (temp.data[0] & 0x7); ++ temp.data++; ++ break; + } +- break; +- } + +- default: +- { +- break; ++ default: ++ { ++ break; ++ } + } + } + } +@@ -863,7 +880,7 @@ + If part of the destination was allocated by the decoder, in + cases of POINTER, SET OF and SEQUENCE OF, then type is set to + siBuffer due to the use of PORT_ArenaZAlloc*/ +- destItem->data = temp.data; ++ destItem->data = temp.len ? temp.data : NULL; + destItem->len = temp.len; + } + else diff --git a/main/nss/cve-2011-3640.patch b/main/nss/cve-2011-3640.patch new file mode 100644 index 0000000000..254aabf8a0 --- /dev/null +++ b/main/nss/cve-2011-3640.patch @@ -0,0 +1,141 @@ +Index: ./mozilla/security/nss/lib/softoken/sftkmod.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v +retrieving revision 1.8 +diff -p -u -r1.8 sftkmod.c +--- ./mozilla/security/nss/lib/softoken/sftkmod.c 15 Jan 2011 20:59:11 -0000 1.8 ++++ ./mozilla/security/nss/lib/softoken/sftkmod.c 2 Oct 2011 14:45:28 -0000 +@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char * + char *sep; + + sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR); +-#ifdef WINDOWS ++#ifdef _WIN32 + if (!sep) { +- sep = PORT_Strrchr(dirPath,'/'); ++ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */ ++ sep = PORT_Strrchr(dirPath,'\\'); + } + #endif + if (sep) { +- *(sep)=0; ++ *sep = 0; ++ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename); ++ } else { ++ file = PR_smprintf("%s", filename); + } +- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename); + PORT_Free(dirPath); + return file; + } +@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons + char *paramsValue=NULL; + PRBool failed = PR_TRUE; + +- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { ++ if ((dbname != NULL) && ++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) { + return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw); + } + + moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **)); + if (moduleList == NULL) return NULL; + ++ if (dbname == NULL) { ++ goto return_default; ++ } ++ + /* do we really want to use streams here */ + fd = fopen(dbname, "r"); + if (fd == NULL) goto done; +@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons + moduleString = NULL; + } + done: +- /* if we couldn't open a pkcs11 database, look for the old one */ ++ /* If we couldn't open a pkcs11 database, look for the old one. ++ * This is necessary to maintain the semantics of the transition from ++ * old to new DB's. If there is an old DB and not new DB, we will ++ * automatically use the old DB. If the DB was opened read/write, we ++ * create a new db and upgrade it from the old one. */ + if (fd == NULL) { + char *olddbname = sftk_getOldSecmodName(dbname,filename); + PRStatus status; +@@ -462,6 +474,8 @@ bail: + PR_smprintf_free(olddbname); + } + } ++ ++return_default: + + if (!moduleList[0]) { + char * newParams; +@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp + const char *filename, const char *dbname, + char **moduleSpecList, PRBool rw) + { +- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { ++ if ((dbname != NULL) && ++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) { + return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname, + moduleSpecList, rw); + } +@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co + PRBool skip = PR_FALSE; + PRBool found = PR_FALSE; + ++ if (dbname == NULL) { ++ return SECFailure; ++ } ++ + if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { + return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw); + } +@@ -669,6 +688,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const + char *block = NULL; + PRBool libFound = PR_FALSE; + ++ if (dbname == NULL) { ++ return SECFailure; ++ } ++ + if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { + return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw); + } +Index: ./mozilla/security/nss/lib/softoken/sftkpars.c +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v +retrieving revision 1.11 +diff -p -u -r1.11 sftkpars.c +--- ./mozilla/security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11 ++++ ./mozilla/security/nss/lib/softoken/sftkpars.c 2 Oct 2011 14:45:29 -0000 +@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType + char *value = NULL; + char *save_params = param; + const char *lconfigdir; ++ PRBool noModDB = PR_FALSE; + param = sftk_argStrip(param); + + +@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType + + if (sftk_argHasFlag("flags","noModDB",save_params)) { + /* there isn't a module db, don't load the legacy support */ ++ noModDB = PR_TRUE; + *dbType = SDB_SQL; ++ PORT_Free(*filename); ++ *filename = NULL; + *rw = PR_FALSE; + } + +@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType + secmodName="pkcs11.txt"; + } + +- if (lconfigdir) { ++ if (noModDB) { ++ value = NULL; ++ } else if (lconfigdir && lconfigdir[0] != '\0') { + value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName); + } else { + value = PR_smprintf("%s",secmodName); diff --git a/main/nss/nss-no-rpath.patch b/main/nss/nss-no-rpath.patch index 35ea573154..29129ca4db 100644 --- a/main/nss/nss-no-rpath.patch +++ b/main/nss/nss-no-rpath.patch @@ -1,5 +1,5 @@ ---- ./mozilla/security/nss/cmd/platlibs.mk.withrpath 2007-02-19 07:17:06.000000000 +0100 -+++ ./mozilla/security/nss/cmd/platlibs.mk 2007-02-19 07:18:07.000000000 +0100 +--- ././mozilla/security/nss/cmd/platlibs.mk.withrpath 2007-02-19 07:17:06.000000000 +0100 ++++ ././mozilla/security/nss/cmd/platlibs.mk 2007-02-19 07:18:07.000000000 +0100 @@ -52,9 +52,9 @@ ifeq ($(OS_ARCH), Linux) |