diff --git a/SOURCES/cve-2016-1950.patch b/SOURCES/cve-2016-1950.patch
new file mode 100644
index 0000000..b6f4f3c
--- /dev/null
+++ b/SOURCES/cve-2016-1950.patch
@@ -0,0 +1,141 @@
+
+# HG changeset patch
+# User David Keeler
+# Date 1455892169 -3600
+# Node ID b9a31471759d751a56bf261b24c138c8f5d3925f
+# Parent 9e2af044dfa443ccff8587177c8f1b5b7b627f37
+bug 1245528 - fix bugs in ASN.1 decoding, r=ryan.sleevi
+
+diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c
+--- a/lib/util/secasn1d.c
++++ b/lib/util/secasn1d.c
+@@ -9,16 +9,18 @@
+ 
+ /* #define DEBUG_ASN1D_STATES 1 */
+ 
+ #ifdef DEBUG_ASN1D_STATES
+ #include 
+ #define PR_Assert sec_asn1d_Assert
+ #endif
+ 
++#include 
++
+ #include "secasn1.h"
+ #include "secerr.h"
+ 
+ typedef enum {
+ beforeIdentifier,
+ duringIdentifier,
+ afterIdentifier,
+ beforeLength,
+@@ -1588,28 +1590,63 @@ sec_asn1d_parse_leaf (sec_asn1d_state *s
+ 
+ if (state->pending < len)
+ len = state->pending;
+ 
+ bufLen = len;
+ 
+ item = (SECItem *)(state->dest);
+ if (item != NULL && item->data != NULL) {
++ unsigned long offset;
+ /* Strip leading zeroes when target is unsigned integer */
+ if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER */
+ item->len == 0 && /* MSB */
+ item->type == siUnsignedInteger) /* unsigned */
+ {
+ while (len > 1 && buf[0] == 0) { /* leading 0 */
+ buf++;
+ len--;
+ }
+ }
+- PORT_Memcpy (item->data + item->len, buf, len);
+- item->len += len;
++ offset = item->len;
++ if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
++ // The previous bit string must have no unused bits.
++ if (item->len & 0x7) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ // If this is a bit string, the length is bits, not bytes.
++ offset = item->len >> 3;
++ }
++ if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
++ unsigned long len_in_bits;
++ // Protect against overflow during the bytes-to-bits conversion.
++ if (len >= (ULONG_MAX >> 3) + 1) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ len_in_bits = (len << 3) - state->bit_string_unused_bits;
++ // Protect against overflow when computing the total length in bits.
++ if (UINT_MAX - item->len < len_in_bits) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ item->len += len_in_bits;
++ } else {
++ if (UINT_MAX - item->len < len) {
++ PORT_SetError (SEC_ERROR_BAD_DER);
++ state->top->status = decodeError;
++ return 0;
++ }
++ item->len += len;
++ }
++ PORT_Memcpy (item->data + offset, buf, len);
+ }
+ state->pending -= bufLen;
+ if (state->pending == 0)
+ state->place = beforeEndOfContents;
+ 
+ return bufLen;
+ }
+ 
+@@ -1666,24 +1703,16 @@ sec_asn1d_parse_more_bit_string (sec_asn
+ } else {
+ /* An empty bit string with no unused bits is OK. */
+ state->place = beforeEndOfContents;
+ }
+ return 0;
+ }
+ 
+ len = sec_asn1d_parse_leaf (state, buf, len);
+- if (state->place == beforeEndOfContents && state->dest != NULL) {
+- SECItem *item;
+-
+- item = (SECItem *)(state->dest);
+- if (item->len)
+- item->len = (item->len << 3) - state->bit_string_unused_bits;
+- }
+-
+ return len;
+ }
+ 
+ 
+ /*
+ * XXX All callers should be looking at return value to detect
+ * out-of-memory errors (and stop!).
+ */
+@@ -2203,17 +2232,17 @@ sec_asn1d_concat_substrings (sec_asn1d_s
+ ? PR_TRUE : PR_FALSE;
+ 
+ substring = state->subitems_head;
+ while (substring != NULL) {
+ /*
+ * All bit-string substrings except the last one should be
+ * a clean multiple of 8 bits.
+ */
+- if (is_bit_string && (substring->next == NULL)
++ if (is_bit_string && (substring->next != NULL)
+ && (substring->len & 0x7)) {
+ PORT_SetError (SEC_ERROR_BAD_DER);
+ state->top->status = decodeError;
+ return;
+ }
+ item_len += substring->len;
+ substring = substring->next;
+ }
+ 
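Review bot: In the new bit-string branch of sec_asn1d_parse_leaf (second inner hunk), `len_in_bits = (len << 3) - state->bit_string_unused_bits;` subtracts the unused-bit count on every call, yet the surrounding context (`if (state->pending < len) len = state->pending;` and `state->pending -= bufLen;`) shows that one leaf's contents can be handed to this function in several pieces. Once the first piece of a BIT STRING with a non-zero unused-bit count is processed, `item->len` is no longer a multiple of 8, so the added `if (item->len & 0x7)` guard rejects the next piece with SEC_ERROR_BAD_DER; the code removed from sec_asn1d_parse_more_bit_string did this subtraction exactly once, at beforeEndOfContents, so this is a behavioural change beyond the overflow and sign-inversion fixes. Whether the streaming decoder really splits a primitive leaf this way cannot be confirmed from the hunk alone, so it deserves a test feeding a BIT STRING with three unused bits across two update calls; if that fails, apply the correction only on the final piece, e.g. `len_in_bits = len << 3; if (bufLen == state->pending) len_in_bits -= state->bit_string_unused_bits;`. sec_asn1d_parse_leaf, sec_asn1d_parse_more_bit_string and sec_asn1d_concat_substrings all begin outside their hunks.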
diff --git a/SOURCES/hasht-dont-include-prtypes.patch b/SOURCES/hasht-dont-include-prtypes.patch
index 6f85c8e..2a2ee9b 100644
--- a/SOURCES/hasht-dont-include-prtypes.patch
+++ b/SOURCES/hasht-dont-include-prtypes.patch
@@ -1,6 +1,6 @@
 diff -up ./nss/lib/util/hasht.h.prtypes ./nss/lib/util/hasht.h
---- ./nss/lib/util/hasht.h.prtypes 2013-11-09 09:23:30.000000000 -0800
-+++ ./nss/lib/util/hasht.h 2013-11-25 02:59:15.481044180 -0800
+--- ./nss/lib/util/hasht.h.prtypes 2013-11-23 21:23:12.729136309 -0800
++++ ./nss/lib/util/hasht.h 2013-11-23 21:23:32.873289479 -0800
 @@ -5,7 +5,6 @@
 #ifndef _HASHT_H_
 #define _HASHT_H_
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index 2be6b13..6b9a3e0 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -5,7 +5,7 @@
 Summary: Network Security Services Utilities Library
 Name: nss-util
 Version: 3.19.1
-Release: 4%{?dist}
+Release: 9%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -36,9 +36,12 @@ Source3: nss-util-config.in
 Patch1: build-nss-util-only.patch
 Patch2: hasht-dont-include-prtypes.patch
 Patch7: pkcs1sig-include-prtypes.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
 Patch8: nss-util-3.19.1-tls12-mechanisms.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205157
 Patch9: nss-3.20.1-security-fix.patch
+Patch10: cve-2016-1950.patch
 %description
 Utilities for Network Security Services and the Softoken module
@@ -65,6 +68,7 @@ Header and library files for doing development with Network Security Services.
 pushd nss
 %patch8 -p1 -b .tls12_mechs
 %patch9 -p1 -b .various_flaws
+%patch10 -p1 -b .cve-2016-1950
 popd
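Review bot: The new `Patch10: cve-2016-1950.patch` entry in the `@@ -36,9 +36,12 @@` hunk is added without the `# Upstream:` reference that the same hunk adds above Patch8 and that Patch9 already carries, so the convention the hunk itself establishes is broken by the one patch that matters most here. The embedded patch's own header names the upstream bug (`bug 1245528 - fix bugs in ASN.1 decoding`), so the reference is known; I would put `# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1245528` directly above `Patch10: cve-2016-1950.patch`. Patch1, Patch2 and Patch7 also lack such a line, but those entries are pre-existing and untouched by this change.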
@@ -100,10 +104,12 @@ export NSS_USE_SYSTEM_SQLITE
 NSS_BUILD_NSSUTIL_ONLY=1
 export NSS_BUILD_NSSUTIL_ONLY
-%if %{__isa_bits} == 64
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
 USE_64=1
 export USE_64
 %endif
+%endif
 # make util
 %{__make} -C ./nss/coreconf
@@ -232,8 +238,24 @@ done
 %{_includedir}/nss3/templates/templates.c
 %changelog
-* Fri Oct 16 2015 Elio Maldonado - 3.19.1-4
-- Resolves: Bug 1269357 - CVE-2015-7182 CVE-2015-7181
+* Thu Mar 03 2016 Kai Engert - 3.19.1-9
+- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...
+
+* Thu Feb 25 2016 Kai Engert - 3.19.1-8
+- Fix a spec file syntax error
+
+* Thu Feb 25 2016 Kai Engert - 3.19.1-7
+- Rebuild to ensure use of correct NSPR.
+
+* Wed Feb 24 2016 Kai Engert - 3.19.1-6
+- Include the fix for CVE-2016-1950 from NSS 3.19.2.3
+
+* Fri Nov 20 2015 Elio Maldonado - 3.19.1-5
+- Merge security fix from the RHEL-7.1 branch
+- Resolves: Bug 1269358 - CVE-2015-7182 CVE-2015-7181
+
+* Thu Jul 16 2015 Elio Maldonado - 3.19.1-4
+- Add links to filed upstream bugs to better track patches in spec file
 * Thu Jun 18 2015 Elio Maldonado - 3.19.1-3
 - Remove unused patch
@@ -242,11 +264,10 @@ done
 - Add support for TLS 1.2 SHA384 per PKCS #11 v2.40
 * Fri Jun 05 2015 Elio Maldonado - 3.19.1-1
-- Rebase to nss-3.19.1
-- Resolves: Bug 1224451
+- Resolves: Bug 1228913: Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1]
-* Mon Apr 13 2015 Elio Maldonado - 3.18.0-1
-- Resolves: Bug 1211373 - [RHEL7.1] nss-util 3.18 rebase required for firefox 38 ESR
+* Mon Mar 30 2015 Elio Maldonado - 3.18.0-1
+- Resolves: Bug 1200931 - [RHEL7.1] nss-util 3.18 rebase required for firefox 38 ESR
 * Thu Jan 22 2015 Elio Maldonado - 3.16.2.3-2
 - Bump the release number to be higher than the one for rhel-7.0
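Review bot: The new `%ifnarch noarch` wrapper around `%if 0%{__isa_bits} == 64` in the `@@ -100,10 +104,12 @@` hunk carries no explanation, and the `0` prefix added on the same line already keeps the comparison well-formed when `__isa_bits` is undefined, so a reader cannot tell what the outer guard contributes. Presumably the intent is that noarch (source-only) builds never export USE_64 while the `0` prefix is the actual cure for the "spec file syntax error" named in the 3.19.1-8 changelog entry, but that is inferred rather than visible. A one-line comment above the guard would settle it, e.g. `# __isa_bits is undefined for noarch builds: skip USE_64 there, and the 0 prefix keeps the %if parsable`.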