Description: fix incorrect IDNA wildcard handling
Origin: upstream, https://hg.mozilla.org/projects/nss/rev/15ea62260c21
Origin: upstream, https://hg.mozilla.org/projects/nss/rev/2ffa40a3ff55
Origin: upstream, https://hg.mozilla.org/projects/nss/rev/709d4e597979
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=903885
Index: nss-3.15.4/nss/lib/certdb/certdb.c
===================================================================
--- nss-3.15.4.orig/nss/lib/certdb/certdb.c 2014-01-03 14:59:10.000000000 -0500
+++ nss-3.15.4/nss/lib/certdb/certdb.c 2014-04-02 10:13:42.488039726 -0400
@@ -1381,7 +1381,7 @@
return rv;
}
} else {
- /* New approach conforms to RFC 2818. */
+ /* New approach conforms to RFC 6125. */
char *wildcard = PORT_Strchr(cn, '*');
char *firstcndot = PORT_Strchr(cn, '.');
char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
@@ -1390,14 +1390,17 @@
/* For a cn pattern to be considered valid, the wildcard character...
* - may occur only in a DNS name with at least 3 components, and
* - may occur only as last character in the first component, and
- * - may be preceded by additional characters
+ * - may be preceded by additional characters, and
+ * - must not be preceded by an IDNA ACE prefix (xn--)
*/
if (wildcard && secondcndot && secondcndot[1] && firsthndot
- && firstcndot - wildcard == 1
- && secondcndot - firstcndot > 1
- && PORT_Strrchr(cn, '*') == wildcard
+ && firstcndot - wildcard == 1 /* wildcard is last char in first component */
+ && secondcndot - firstcndot > 1 /* second component is non-empty */
+ && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
&& !PORT_Strncasecmp(cn, hn, wildcard - cn)
- && !PORT_Strcasecmp(firstcndot, firsthndot)) {
+ && !PORT_Strcasecmp(firstcndot, firsthndot)
+ /* If hn starts with xn--, then cn must start with wildcard */
+ && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
/* valid wildcard pattern match */
return SECSuccess;
}
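Review bot: The new bullet in the comment block (`* - must not be preceded by an IDNA ACE prefix (xn--)`) describes a rule on `cn`, but the condition actually added tests `hn`: `PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn`. A pattern such as `x*.example.com` carries no `xn--` prefix at all and still fails against an `xn--` host label, which is the behaviour RFC 6125 §6.4.3 calls for (no partial-label wildcard match on an A-label) but not what the bullet states. The inline comment on the added line already says it correctly, so the bullet should be brought in line with it, e.g. `* - must match the entire first label when the host name's first label is an IDNA A-label (xn--)`. Whether `cn` is the certificate's name pattern and `hn` the presented host name is inferred from usage; the enclosing function starts outside this hunk.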