author | Timo Teräs <timo.teras@iki.fi> | 2014-04-17 06:42:17 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2014-04-17 07:19:25 +0000 |
commit | 92aa2adfa30da9a1c8a51f7f501b084dc8a49daf (patch) | |
tree | 5f76d66626909e432a7bb765b36278c155e4a502 /main/nss | |
parent | cc320f1d439aa0d16ac54ebe63d293a7b4d30f55 (diff) | |
main/nss: security fix for CVE-2014-1492
fixes #2797
Diffstat (limited to 'main/nss')
-rw-r--r-- | main/nss/APKBUILD | 6 | ||||
-rw-r--r-- | main/nss/CVE-2014-1492.patch | 42 |
2 files changed, 46 insertions, 2 deletions
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD
index c61f04777e..f2ac6314eb 100644
--- a/main/nss/APKBUILD
+++ b/main/nss/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=nss
 pkgver=3.13.4
 _ver=${pkgver//./_}
-pkgrel=1
+pkgrel=2
 pkgdesc="Mozilla Network Security Services"
 url="http://www.mozilla.org/projects/security/pki/nss/"
 arch="all"
@@ -17,6 +17,7 @@ source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src
 add_spi+cacert_ca_certs.patch
 ssl-renegotiate-transitional.patch
 distrusted-ac-dg-tresor-ssl.patch
+ CVE-2014-1492.patch
 "
 
 depends_dev="nspr-dev"
@@ -147,4 +148,5 @@ c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in
 46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in
 7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch
 d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch
-c529827935164ef44d68efab40352563 distrusted-ac-dg-tresor-ssl.patch"
+c529827935164ef44d68efab40352563 distrusted-ac-dg-tresor-ssl.patch
+88e5200c5e61089b86c8d14bb0cc3d58 CVE-2014-1492.patch"
diff --git a/main/nss/CVE-2014-1492.patch b/main/nss/CVE-2014-1492.patch
new file mode 100644
index 0000000000..d53edbd2bf
--- /dev/null
+++ b/main/nss/CVE-2014-1492.patch
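Review bot: The new patch's integrity is pinned in the third hunk by a 32-hex-digit (MD5-length) checksum, matching the rest of the existing list, and MD5 is collision-prone; for a file that changes certificate hostname validation a stronger digest would be preferable where the build tooling supports one. This follows the file's established checksum convention rather than being a defect introduced here, so it is a note on the package-wide scheme, not something to block this commit on. The `source=` list the second hunk extends begins outside the hunk.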
@@ -0,0 +1,42 @@
+Description: fix incorrect IDNA wildcard handling
+Origin: upstream, https://hg.mozilla.org/projects/nss/rev/15ea62260c21
+Origin: upstream, https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
+Origin: upstream, https://hg.mozilla.org/projects/nss/rev/709d4e597979
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=903885
+
+Index: nss-3.15.4/nss/lib/certdb/certdb.c
+===================================================================
+--- nss-3.15.4.orig/mozilla/security/nss/lib/certdb/certdb.c 2014-01-03 14:59:10.000000000 -0500
++++ nss-3.15.4/mozilla/security/nss/lib/certdb/certdb.c 2014-04-02 10:13:42.488039726 -0400
+@@ -1381,7 +1381,7 @@
+ return rv;
+ }
+ } else {
+- /* New approach conforms to RFC 2818. */
++ /* New approach conforms to RFC 6125. */
+ char *wildcard = PORT_Strchr(cn, '*');
+ char *firstcndot = PORT_Strchr(cn, '.');
+ char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
+@@ -1390,14 +1390,17 @@
+ /* For a cn pattern to be considered valid, the wildcard character...
+ * - may occur only in a DNS name with at least 3 components, and
+ * - may occur only as last character in the first component, and
+- * - may be preceded by additional characters
++ * - may be preceded by additional characters, and
++ * - must not be preceded by an IDNA ACE prefix (xn--)
+ */
+ if (wildcard && secondcndot && secondcndot[1] && firsthndot
+- && firstcndot - wildcard == 1
+- && secondcndot - firstcndot > 1
+- && PORT_Strrchr(cn, '*') == wildcard
++ && firstcndot - wildcard == 1 /* wildcard is last char in first component */
++ && secondcndot - firstcndot > 1 /* second component is non-empty */
++ && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
+ && !PORT_Strncasecmp(cn, hn, wildcard - cn)
+- && !PORT_Strcasecmp(firstcndot, firsthndot)) {
++ && !PORT_Strcasecmp(firstcndot, firsthndot)
++ /* If hn starts with xn--, then cn must start with wildcard */
++ && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
+ /* valid wildcard pattern match */
+ return SECSuccess;
+ } |
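Review bot: The vendored patch's own headers target nss-3.15.4 (`Index: nss-3.15.4/nss/lib/certdb/certdb.c`, `--- nss-3.15.4.orig/mozilla/security/nss/lib/certdb/certdb.c`) while this APKBUILD still builds pkgver=3.13.4, so the inner hunks at `@@ -1381,7 +1381,7 @@` and `@@ -1390,14 +1390,17 @@` are presumably applied with offset or fuzz; the build log should be checked for a clean apply, and in particular that `firsthndot`, which the new condition depends on and whose declaration sits outside both inner hunks, exists in the 3.13.4 version of this function. The enclosing hostname-matching function begins and ends outside the hunk. A one-line note in the patch header would spare the next maintainer that check, e.g. `Note: backported from the nss 3.15.4 fix; applies with offset to 3.13.4, re-check on the next pkgver bump`. Separately, the new bullet `must not be preceded by an IDNA ACE prefix (xn--)` describes the cn pattern, whereas the added test inspects hn; because the preceding `PORT_Strncasecmp(cn, hn, wildcard - cn)` already forces cn's pre-wildcard prefix to equal hn's, the hn check is the stricter form (it also rejects a pattern like `x*` against an `xn--` label), and saying so in the bullet would save the reader that derivation.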