| author | Timo Teräs <timo.teras@iki.fi> | 2014-04-17 06:42:17 +0000 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2014-04-17 06:42:44 +0000 |
| commit | 7e5212b7f595cf6e9bee5e565bc6b5bee041efc7 (patch) | |
| tree | 376cfc1c01024ec3543396eadfb543d09d96a81d | |
| parent | 623c0906aa469523f04146e10b8ad7ab8cdc35f2 (diff) | |
| download | aports-7e5212b7f595cf6e9bee5e565bc6b5bee041efc7.tar.bz2 aports-7e5212b7f595cf6e9bee5e565bc6b5bee041efc7.tar.xz | |
main/nss: security fix for CVE-2014-1492
fixes #2799
| -rw-r--r-- | main/nss/APKBUILD | 12 | ||||
| -rw-r--r-- | main/nss/CVE-2014-1492.patch | 42 |
2 files changed, 50 insertions, 4 deletions
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD
index d499365208..fa25590cb5 100644
--- a/main/nss/APKBUILD
+++ b/main/nss/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=nss
 pkgver=3.15.4
 _ver=${pkgver//./_}
-pkgrel=1
+pkgrel=2
 pkgdesc="Mozilla Network Security Services"
 url="http://www.mozilla.org/projects/security/pki/nss/"
 arch="all"
@@ -15,6 +15,7 @@ source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src
 nss-config.in
 add_spi+cacert_ca_certs.patch
 ssl-renegotiate-transitional.patch
+ CVE-2014-1492.patch
 "
 depends_dev="nspr-dev"
 
@@ -144,14 +145,17 @@ md5sums="74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz
 c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in
 46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in
 981e0df9e9cb7a9426b316f68911fb17 add_spi+cacert_ca_certs.patch
-2412ff2e97b3ec452cb016f2506a0e08 ssl-renegotiate-transitional.patch"
+2412ff2e97b3ec452cb016f2506a0e08 ssl-renegotiate-transitional.patch
+b40e8ef567247a77965c64b7afc97369 CVE-2014-1492.patch"
 sha256sums="14d69a0735c5af6b3cc12591f7ebf272203e889f09104182148091d0af682d7c nss-3.15.4.tar.gz
 b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd nss.pc.in
 e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9 nss-config.in
 592aa85184c5edb076c3355f85e50373a59dfcd06a4f4a79621f43df19404c1e add_spi+cacert_ca_certs.patch
-1a49be9d7f835be737825252f50e4ee2869228eb303a087dde7fb81794b92ebd ssl-renegotiate-transitional.patch"
+1a49be9d7f835be737825252f50e4ee2869228eb303a087dde7fb81794b92ebd ssl-renegotiate-transitional.patch
+3c5678da4e577f091363861ed9984d50dbb2dbe068aa0fd5d774ce56001026f1 CVE-2014-1492.patch"
 sha512sums="21ca81b636f7e230715556bc874d5c1c4f370c6fe57a39cb12fa349d0414a88e13aa931060613a793f7267868e026eaf167cbab5f2a5e8759e7a4b176d97fc6a nss-3.15.4.tar.gz
 75dbd648a461940647ff373389cc73bc8ec609139cd46c91bcce866af02be6bcbb0524eb3dfb721fbd5b0bc68c20081ed6f7debf6b24317f2a7ba823e8d3c531 nss.pc.in
 2971669e128f06a9af40a5ba88218fa7c9eecfeeae8b0cf42e14f31ed12bf6fa4c5ce60289e078f50e2669a9376b56b45d7c29d726a7eac69ebe1d1e22dc710b nss-config.in
 6e04556858499aec465d6670818465327ba2cb099061c2afee4b5cac8aa61938e0095906acfb38df6a1b70a6bde6dd69f08bb4c00a9d188e4cb3131b26c1bc16 add_spi+cacert_ca_certs.patch
-c21a82247d87d74cb27575efc517a6771476320ce412cd444e83d0782e29f82552676247da093518b07d3eb7dc67c53cd1901ee8d6f59b342d02e47784c39192 ssl-renegotiate-transitional.patch"
+c21a82247d87d74cb27575efc517a6771476320ce412cd444e83d0782e29f82552676247da093518b07d3eb7dc67c53cd1901ee8d6f59b342d02e47784c39192 ssl-renegotiate-transitional.patch
+5c61407776e9d163dc91d56be8eec542f01c4a255bf163cd1bdeaaf1fc5d26a85547d233add0868cf025b8fc64667872d895c754753ff1f740f9d72c4d77228f CVE-2014-1492.patch"
diff --git a/main/nss/CVE-2014-1492.patch b/main/nss/CVE-2014-1492.patch
new file mode 100644
index 0000000000..729bb58a9a
--- /dev/null
+++ b/main/nss/CVE-2014-1492.patch
@@ -0,0 +1,42 @@
+Description: fix incorrect IDNA wildcard handling
+Origin: upstream, https://hg.mozilla.org/projects/nss/rev/15ea62260c21
+Origin: upstream, https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
+Origin: upstream, https://hg.mozilla.org/projects/nss/rev/709d4e597979
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=903885
+
+Index: nss-3.15.4/nss/lib/certdb/certdb.c
+===================================================================
+--- nss-3.15.4.orig/nss/lib/certdb/certdb.c 2014-01-03 14:59:10.000000000 -0500
++++ nss-3.15.4/nss/lib/certdb/certdb.c 2014-04-02 10:13:42.488039726 -0400
+@@ -1381,7 +1381,7 @@
+ return rv;
+ }
+ } else {
+- /* New approach conforms to RFC 2818. */
++ /* New approach conforms to RFC 6125. */
+ char *wildcard = PORT_Strchr(cn, '*');
+ char *firstcndot = PORT_Strchr(cn, '.');
+ char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
+@@ -1390,14 +1390,17 @@
+ /* For a cn pattern to be considered valid, the wildcard character...
+ * - may occur only in a DNS name with at least 3 components, and
+ * - may occur only as last character in the first component, and
+- * - may be preceded by additional characters
++ * - may be preceded by additional characters, and
++ * - must not be preceded by an IDNA ACE prefix (xn--)
+ */
+ if (wildcard && secondcndot && secondcndot[1] && firsthndot
+- && firstcndot - wildcard == 1
+- && secondcndot - firstcndot > 1
+- && PORT_Strrchr(cn, '*') == wildcard
++ && firstcndot - wildcard == 1 /* wildcard is last char in first component */
++ && secondcndot - firstcndot > 1 /* second component is non-empty */
++ && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
+ && !PORT_Strncasecmp(cn, hn, wildcard - cn)
+- && !PORT_Strcasecmp(firstcndot, firsthndot)) {
++ && !PORT_Strcasecmp(firstcndot, firsthndot)
++ /* If hn starts with xn--, then cn must start with wildcard */
++ && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
+ /* valid wildcard pattern match */
+ return SECSuccess;
+ }
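Review bot: The new comment bullet `* - must not be preceded by an IDNA ACE prefix (xn--)` reads as a constraint on the cn, but the added condition `&& (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)` inspects the hostname hn, not the cn: when the host's first label is an A-label, only a pattern whose first component is a bare `*` may match. Checking hn is sufficient, because the unchanged `!PORT_Strncasecmp(cn, hn, wildcard - cn)` term already forces any characters before the wildcard to be a prefix of hn, so a cn whose first component is `xn--...*` can only ever match an `xn--` host and is therefore rejected by the new term. I would make the bullet say what the code checks, e.g. `* - may match an A-label (xn--) host only when the wildcard is the whole first component`, so the next reader does not look for an xn-- test on cn. The enclosing function starts and ends outside the hunk, and since the Origin headers mark this as a backport of upstream changesets, any rewording should stay close to upstream to keep future rebases clean.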
