aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2011-11-18 14:09:12 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2011-11-18 14:09:12 +0000
commit4f73d2d7b4f2ba743c47e8be0248da03661af1d7 (patch)
tree27d88ee223e29bc7b5a7de27b6f742ee91b42a18
parent2027888c93163b7263ef7b8e9e5a3bbc5ab053da (diff)
downloadaports-4f73d2d7b4f2ba743c47e8be0248da03661af1d7.tar.bz2
aports-4f73d2d7b4f2ba743c47e8be0248da03661af1d7.tar.xz
main/nss: security fix (CVE-2011-3640)
ref #815 ref #816
-rw-r--r--main/nss/APKBUILD9
-rw-r--r--main/nss/cve-2011-3640.patch141
2 files changed, 147 insertions, 3 deletions
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD
index c507cdba24..c8b1199456 100644
--- a/main/nss/APKBUILD
+++ b/main/nss/APKBUILD
@@ -2,7 +2,7 @@
pkgname=nss
pkgver=3.12.11
_ver=${pkgver//./_}
-pkgrel=0
+pkgrel=1
pkgdesc="Mozilla Network Security Services"
url="http://www.mozilla.org/projects/security/pki/nss/"
arch="all"
@@ -15,7 +15,9 @@ source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src
nss.pc.in
nss-config.in
add_spi+cacert_ca_certs.patch
- ssl-renegotiate-transitional.patch"
+ ssl-renegotiate-transitional.patch
+ cve-2011-3640.patch
+ "
depends_dev="nspr-dev"
_builddir="$srcdir"/$pkgname-$pkgver
@@ -142,4 +144,5 @@ e5c97db0c884d5f4cfda21e562dc9bba nss-no-rpath.patch
c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in
46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in
7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch
-d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch"
+d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch
+6fa44457270956d634abe15d1f3340ab cve-2011-3640.patch"
diff --git a/main/nss/cve-2011-3640.patch b/main/nss/cve-2011-3640.patch
new file mode 100644
index 0000000000..ced9915102
--- /dev/null
+++ b/main/nss/cve-2011-3640.patch
@@ -0,0 +1,141 @@
+Index: mozilla/security/nss/lib/softoken/sftkmod.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v
+retrieving revision 1.8
+diff -p -u -r1.8 sftkmod.c
+--- a/mozilla/security/nss/lib/softoken/sftkmod.c 15 Jan 2011 20:59:11 -0000 1.8
++++ b/mozilla/security/nss/lib/softoken/sftkmod.c 2 Oct 2011 14:45:28 -0000
+@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
+ char *sep;
+
+ sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
+-#ifdef WINDOWS
++#ifdef _WIN32
+ if (!sep) {
+- sep = PORT_Strrchr(dirPath,'/');
++ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
++ sep = PORT_Strrchr(dirPath,'\\');
+ }
+ #endif
+ if (sep) {
+- *(sep)=0;
++ *sep = 0;
++ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
++ } else {
++ file = PR_smprintf("%s", filename);
+ }
+- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+ PORT_Free(dirPath);
+ return file;
+ }
+@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+ char *paramsValue=NULL;
+ PRBool failed = PR_TRUE;
+
+- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
++ if ((dbname != NULL) &&
++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
+ }
+
+ moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+ if (moduleList == NULL) return NULL;
+
++ if (dbname == NULL) {
++ goto return_default;
++ }
++
+ /* do we really want to use streams here */
+ fd = fopen(dbname, "r");
+ if (fd == NULL) goto done;
+@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+ moduleString = NULL;
+ }
+ done:
+- /* if we couldn't open a pkcs11 database, look for the old one */
++ /* If we couldn't open a pkcs11 database, look for the old one.
++ * This is necessary to maintain the semantics of the transition from
++ * old to new DB's. If there is an old DB and not new DB, we will
++ * automatically use the old DB. If the DB was opened read/write, we
++ * create a new db and upgrade it from the old one. */
+ if (fd == NULL) {
+ char *olddbname = sftk_getOldSecmodName(dbname,filename);
+ PRStatus status;
+@@ -462,6 +474,8 @@ bail:
+ PR_smprintf_free(olddbname);
+ }
+ }
++
++return_default:
+
+ if (!moduleList[0]) {
+ char * newParams;
+@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
+ const char *filename, const char *dbname,
+ char **moduleSpecList, PRBool rw)
+ {
+- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
++ if ((dbname != NULL) &&
++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname,
+ moduleSpecList, rw);
+ }
+@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+ PRBool skip = PR_FALSE;
+ PRBool found = PR_FALSE;
+
++ if (dbname == NULL) {
++ return SECFailure;
++ }
++
+ if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
+ }
+@@ -669,6 +688,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
+ char *block = NULL;
+ PRBool libFound = PR_FALSE;
+
++ if (dbname == NULL) {
++ return SECFailure;
++ }
++
+ if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
+ }
+Index: mozilla/security/nss/lib/softoken/sftkpars.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v
+retrieving revision 1.11
+diff -p -u -r1.11 sftkpars.c
+--- a/mozilla/security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11
++++ b/mozilla/security/nss/lib/softoken/sftkpars.c 2 Oct 2011 14:45:29 -0000
+@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType
+ char *value = NULL;
+ char *save_params = param;
+ const char *lconfigdir;
++ PRBool noModDB = PR_FALSE;
+ param = sftk_argStrip(param);
+
+
+@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType
+
+ if (sftk_argHasFlag("flags","noModDB",save_params)) {
+ /* there isn't a module db, don't load the legacy support */
++ noModDB = PR_TRUE;
+ *dbType = SDB_SQL;
++ PORT_Free(*filename);
++ *filename = NULL;
+ *rw = PR_FALSE;
+ }
+
+@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType
+ secmodName="pkcs11.txt";
+ }
+
+- if (lconfigdir) {
++ if (noModDB) {
++ value = NULL;
++ } else if (lconfigdir && lconfigdir[0] != '\0') {
+ value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
+ } else {
+ value = PR_smprintf("%s",secmodName);