diff --git a/.gitignore b/.gitignore
index aa8148b..47ef717 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nss-util-3.21.0.tar.gz
+SOURCES/nss-util-3.21.3.tar.gz
diff --git a/.nss-util.metadata b/.nss-util.metadata
index 3f37be8..75e24d8 100644
--- a/.nss-util.metadata
+++ b/.nss-util.metadata
@@ -1 +1 @@
-d812083a23ddf6d1a7262ef8799b1d418126688a SOURCES/nss-util-3.21.0.tar.gz
+5fbd7801bca0ececb9867770af7beb2b6cf43a91 SOURCES/nss-util-3.21.3.tar.gz
diff --git a/SOURCES/cve-2016-1950.patch b/SOURCES/cve-2016-1950.patch
deleted file mode 100644
index b6f4f3c..0000000
--- a/SOURCES/cve-2016-1950.patch
+++ /dev/null
@@ -1,141 +0,0 @@ - -# HG changeset patch -# User David Keeler -# Date 1455892169 -3600 -# Node ID b9a31471759d751a56bf261b24c138c8f5d3925f -# Parent 9e2af044dfa443ccff8587177c8f1b5b7b627f37 -bug 1245528 - fix bugs in ASN.1 decoding, r=ryan.sleevi - -diff --git a/lib/util/secasn1d.c b/lib/util/secasn1d.c ---- a/lib/util/secasn1d.c -+++ b/lib/util/secasn1d.c -@@ -9,16 +9,18 @@ - - /* #define DEBUG_ASN1D_STATES 1 */ - - #ifdef DEBUG_ASN1D_STATES - #include - #define PR_Assert sec_asn1d_Assert - #endif - -+#include -+ - #include "secasn1.h" - #include "secerr.h" - - typedef enum { - beforeIdentifier, - duringIdentifier, - afterIdentifier, - beforeLength, -@@ -1588,28 +1590,63 @@ sec_asn1d_parse_leaf (sec_asn1d_state *s - - if (state->pending < len) - len = state->pending; - - bufLen = len; - - item = (SECItem *)(state->dest); - if (item != NULL && item->data != NULL) { -+ unsigned long offset; - /* Strip leading zeroes when target is unsigned integer */ - if (state->underlying_kind == SEC_ASN1_INTEGER && /* INTEGER */ - item->len == 0 && /* MSB */ - item->type == siUnsignedInteger) /* unsigned */ - { - while (len > 1 && buf[0] == 0) { /* leading 0 */ - buf++; - len--; - } - } -- PORT_Memcpy (item->data + item->len, buf, len); -- item->len += len; -+ offset = item->len; -+ if (state->underlying_kind == SEC_ASN1_BIT_STRING) { -+ // The previous bit string must have no unused bits. -+ if (item->len & 0x7) { -+ PORT_SetError (SEC_ERROR_BAD_DER); -+ state->top->status = decodeError; -+ return 0; -+ } -+ // If this is a bit string, the length is bits, not bytes. -+ offset = item->len >> 3; -+ } -+ if (state->underlying_kind == SEC_ASN1_BIT_STRING) { -+ unsigned long len_in_bits; -+ // Protect against overflow during the bytes-to-bits conversion. 
-+ if (len >= (ULONG_MAX >> 3) + 1) { -+ PORT_SetError (SEC_ERROR_BAD_DER); -+ state->top->status = decodeError; -+ return 0; -+ } -+ len_in_bits = (len << 3) - state->bit_string_unused_bits; -+ // Protect against overflow when computing the total length in bits. -+ if (UINT_MAX - item->len < len_in_bits) { -+ PORT_SetError (SEC_ERROR_BAD_DER); -+ state->top->status = decodeError; -+ return 0; -+ } -+ item->len += len_in_bits; -+ } else { -+ if (UINT_MAX - item->len < len) { -+ PORT_SetError (SEC_ERROR_BAD_DER); -+ state->top->status = decodeError; -+ return 0; -+ } -+ item->len += len; -+ } -+ PORT_Memcpy (item->data + offset, buf, len); - } - state->pending -= bufLen; - if (state->pending == 0) - state->place = beforeEndOfContents; - - return bufLen; - } - -@@ -1666,24 +1703,16 @@ sec_asn1d_parse_more_bit_string (sec_asn - } else { - /* An empty bit string with no unused bits is OK. */ - state->place = beforeEndOfContents; - } - return 0; - } - - len = sec_asn1d_parse_leaf (state, buf, len); -- if (state->place == beforeEndOfContents && state->dest != NULL) { -- SECItem *item; -- -- item = (SECItem *)(state->dest); -- if (item->len) -- item->len = (item->len << 3) - state->bit_string_unused_bits; -- } -- - return len; - } - - - /* - * XXX All callers should be looking at return value to detect - * out-of-memory errors (and stop!). - */ -@@ -2203,17 +2232,17 @@ sec_asn1d_concat_substrings (sec_asn1d_s - ? PR_TRUE : PR_FALSE; - - substring = state->subitems_head; - while (substring != NULL) { - /* - * All bit-string substrings except the last one should be - * a clean multiple of 8 bits. - */ -- if (is_bit_string && (substring->next == NULL) -+ if (is_bit_string && (substring->next != NULL) - && (substring->len & 0x7)) { - PORT_SetError (SEC_ERROR_BAD_DER); - state->top->status = decodeError; - return; - } - item_len += substring->len; - substring = substring->next; - } - diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec index 81b6c16..eaddc20 100644 
--- a/SPECS/nss-util.spec +++ b/SPECS/nss-util.spec @@ -4,8 +4,8 @@ Summary: Network Security Services Utilities Library Name: nss-util -Version: 3.21.0 -Release: 2.2%{?dist} +Version: 3.21.3 +Release: 1.1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -41,7 +41,6 @@ Patch7: pkcs1sig-include-prtypes.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089 Patch8: nss-util-3.19.1-tls12-mechanisms.patch -Patch10: cve-2016-1950.patch %description Utilities for Network Security Services and the Softoken module @@ -66,9 +65,6 @@ Header and library files for doing development with Network Security Services. %patch2 -p0 -b .prtypes %patch7 -p0 -b .include_prtypes %patch8 -p1 -b .tls12_mechs -pushd nss -%patch10 -p1 -b .cve-2016-1950 -popd %build 
@@ -239,21 +235,25 @@ done %{_includedir}/nss3/templates/templates.c %changelog -* Wed Mar 30 2016 Kai Engert - 3.21.0-2.2 -- Rebase to nss-util from nss 3.21 -- Add aliases for naming compatibility with prior release +* Wed Nov 02 2016 Kai Engert - 3.21.3-1.1 +- rebuild -* Thu Mar 03 2016 Kai Engert - 3.19.1-9 -- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ... +* Mon Oct 24 2016 Daiki Ueno - 3.21.3-1 +- Rebase to nss-3.21.3 +- Remove patch for CVE-2016-1950, which is included in the release +- Related: Bug 1347908 -* Thu Feb 25 2016 Kai Engert - 3.19.1-8 -- Fix a spec file syntax error +* Mon Apr 18 2016 Elio Maldonado - 3.21.0-4 +- Manual merge from the rhel-7.2 branch +- Fix one alias for naming compatibility with prior release +- Remove an unused patch -* Thu Feb 25 2016 Kai Engert - 3.19.1-7 -- Rebuild to ensure use of correct NSPR. +* Mon Feb 22 2016 Kai Engert - 3.21.0-3 +- Added upstream patch for CVE-2016-1950 -* Wed Feb 24 2016 Kai Engert - 3.19.1-6 -- Include the fix for CVE-2016-1950 from NSS 3.19.2.3 +* Thu Jan 28 2016 Elio Maldonado - 3.21.0-1 +- Rebase to nss-util from nss 3.21 +- Resolves: Bug 1297940 - Rebase RHEL 7.3 to NSS-util 3.21 in preparation for Firefox 45 * Fri Nov 20 2015 Elio Maldonado - 3.19.1-5 - Merge security fix from the RHEL-7.1 branch