From 5bcea76ae022e8adb116ab228eb31e32ba3c1ce3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 05 2015 13:16:00 +0000 Subject: import nss-3.16.2.3-5.el7 --- diff --git a/SOURCES/Bug-1174527-fixsegfault.patch b/SOURCES/Bug-1174527-fixsegfault.patch new file mode 100644 index 0000000..ff24334 --- /dev/null +++ b/SOURCES/Bug-1174527-fixsegfault.patch @@ -0,0 +1,23 @@ +diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c +--- a/lib/pkcs12/p12local.c ++++ b/lib/pkcs12/p12local.c +@@ -923,17 +923,18 @@ sec_pkcs12_convert_item_to_unicode(PLAre + if(!arena) { + PORT_Free(dest->data); + dest->data = NULL; + dest->len = 0; + } + return PR_FALSE; + } + +- if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) { ++ if ((dest->len >= 2) && ++ (dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) { + if(dest->len + 2 > 3 * src->len) { + if(arena) { + dest->data = (unsigned char*)PORT_ArenaGrow(arena, + dest->data, dest->len, + dest->len + 2); + } else { + dest->data = (unsigned char*)PORT_Realloc(dest->data, + dest->len + 2); diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch new file mode 100644 index 0000000..d3e0f21 --- /dev/null +++ b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch @@ -0,0 +1,154 @@ +diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c +--- a/lib/pki/pki3hack.c ++++ b/lib/pki/pki3hack.c +@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat + } + + static CERTCertificate * + stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate) + { + nssDecodedCert *dc = NULL; + CERTCertificate *cc = NULL; + CERTCertTrust certTrust; ++ nssPKIObject *object = &c->object; + +- nssPKIObject_Lock(&c->object); ++ /* make sure object does not go away until we finish */ ++ nssPKIObject_AddRef(object); ++ nssPKIObject_Lock(object); + + dc = c->decoding; + if (!dc) { + dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding); + if (!dc) { + goto loser; + } + cc = (CERTCertificate *)dc->data; +@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate * + trust = nssTrust_GetCERTCertTrustForCert(c, cc); + + CERT_LockCertTrust(cc); + cc->trust = trust; + CERT_UnlockCertTrust(cc); + } + + loser: +- nssPKIObject_Unlock(&c->object); ++ nssPKIObject_Unlock(object); ++ nssPKIObject_Destroy(object); + return cc; + } + + NSS_IMPLEMENT CERTCertificate * + STAN_ForceCERTCertificateUpdate(NSSCertificate *c) + { + if (c->decoding) { + return stan_GetCERTCertificate(c, PR_TRUE); +@@ -1265,16 +1269,17 @@ done: + */ + static PRStatus + DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject) + { + int numNotDestroyed = 0; /* the ones skipped plus the failures */ + int failureCount = 0; /* actual deletion failures by devices */ + int index; + ++ nssPKIObject_AddRef(tObject); + nssPKIObject_Lock(tObject); + /* Keep going even if a module fails to delete. */ + for (index = 0; index < tObject->numInstances; index++) { + nssCryptokiObject *instance = tObject->instances[index]; + if (!instance) { + continue; + } + +@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo + if (numNotDestroyed == 0) { + nss_ZFreeIf(tObject->instances); + tObject->numInstances = 0; + } else { + tObject->numInstances = numNotDestroyed; + } + + nssPKIObject_Unlock(tObject); ++ nssPKIObject_Destroy(tObject); + + return failureCount == 0 ? PR_SUCCESS : PR_FAILURE; + } + + /* + ** Delete trust objects matching the slot of the given certificate. + ** Returns an error if any device fails to delete. + */ +@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert + int i; + + /* Iterate through the cert and trust object instances looking for + * those with matching pk11 slots to delete. Even if some device + * can't delete we keep going. Keeping a status variable for the + * loop so that once it's failed the other gets set. + */ + NSSRWLock_LockRead(td->tokensLock); ++ nssPKIObject_AddRef(cobject); + nssPKIObject_Lock(cobject); + for (i = 0; i < cobject->numInstances; i++) { + nssCryptokiObject *cInstance = cobject->instances[i]; + if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) { + PRStatus status; + if (!tobject->numInstances || !tobject->instances) continue; + status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject); + if (status == PR_FAILURE) { + /* set the outer one but keep going */ + nssrv = PR_FAILURE; + } + } + } + nssPKIObject_Unlock(cobject); ++ nssPKIObject_Destroy(cobject); + NSSRWLock_UnlockRead(td->tokensLock); + return nssrv; + } + + /* CERT_TraversePermCertsForSubject */ + NSS_IMPLEMENT PRStatus + nssTrustDomain_TraverseCertificatesBySubject ( + NSSTrustDomain *td, +diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c +--- a/lib/pki/tdcache.c ++++ b/lib/pki/tdcache.c +@@ -386,16 +386,17 @@ struct token_cert_dtor { + + static void + remove_token_certs(const void *k, void *v, void *a) + { + NSSCertificate *c = (NSSCertificate *)k; + nssPKIObject *object = &c->object; + struct token_cert_dtor *dtor = a; + PRUint32 i; ++ nssPKIObject_AddRef(object); + nssPKIObject_Lock(object); + for (i=0; inumInstances; i++) { + if (object->instances[i]->token == dtor->token) { + nssCryptokiObject_Destroy(object->instances[i]); + object->instances[i] = object->instances[object->numInstances-1]; + object->instances[object->numInstances-1] = NULL; + object->numInstances--; + dtor->certs[dtor->numCerts++] = c; +@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void * + dtor->certs = nss_ZREALLOCARRAY(dtor->certs, + NSSCertificate *, + dtor->arrSize); + } + break; + } + } + nssPKIObject_Unlock(object); ++ nssPKIObject_Destroy(object); + return; + } + + /* + * Remove all certs for the given token from the cache. This is + * needed if the token is removed. + */ + NSS_IMPLEMENT PRStatus diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch deleted file mode 100644 index d3e0f21..0000000 --- a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1139349.patch +++ /dev/null @@ -1,154 +0,0 @@ -diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c ---- a/lib/pki/pki3hack.c -+++ b/lib/pki/pki3hack.c -@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat - } - - static CERTCertificate * - stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate) - { - nssDecodedCert *dc = NULL; - CERTCertificate *cc = NULL; - CERTCertTrust certTrust; -+ nssPKIObject *object = &c->object; - -- nssPKIObject_Lock(&c->object); -+ /* make sure object does not go away until we finish */ -+ nssPKIObject_AddRef(object); -+ nssPKIObject_Lock(object); - - dc = c->decoding; - if (!dc) { - dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding); - if (!dc) { - goto loser; - } - cc = (CERTCertificate *)dc->data; -@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate * - trust = nssTrust_GetCERTCertTrustForCert(c, cc); - - CERT_LockCertTrust(cc); - cc->trust = trust; - CERT_UnlockCertTrust(cc); - } - - loser: -- nssPKIObject_Unlock(&c->object); -+ nssPKIObject_Unlock(object); -+ nssPKIObject_Destroy(object); - return cc; - } - - NSS_IMPLEMENT CERTCertificate * - STAN_ForceCERTCertificateUpdate(NSSCertificate *c) - { - if (c->decoding) { - return stan_GetCERTCertificate(c, PR_TRUE); -@@ -1265,16 +1269,17 @@ done: - */ - static PRStatus - DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject) - { - int numNotDestroyed = 0; /* the ones skipped plus the failures */ - int failureCount = 0; /* actual deletion failures by devices */ - int index; - -+ nssPKIObject_AddRef(tObject); - nssPKIObject_Lock(tObject); - /* Keep going even if a module fails to delete. */ - for (index = 0; index < tObject->numInstances; index++) { - nssCryptokiObject *instance = tObject->instances[index]; - if (!instance) { - continue; - } - -@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo - if (numNotDestroyed == 0) { - nss_ZFreeIf(tObject->instances); - tObject->numInstances = 0; - } else { - tObject->numInstances = numNotDestroyed; - } - - nssPKIObject_Unlock(tObject); -+ nssPKIObject_Destroy(tObject); - - return failureCount == 0 ? PR_SUCCESS : PR_FAILURE; - } - - /* - ** Delete trust objects matching the slot of the given certificate. - ** Returns an error if any device fails to delete. - */ -@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert - int i; - - /* Iterate through the cert and trust object instances looking for - * those with matching pk11 slots to delete. Even if some device - * can't delete we keep going. Keeping a status variable for the - * loop so that once it's failed the other gets set. - */ - NSSRWLock_LockRead(td->tokensLock); -+ nssPKIObject_AddRef(cobject); - nssPKIObject_Lock(cobject); - for (i = 0; i < cobject->numInstances; i++) { - nssCryptokiObject *cInstance = cobject->instances[i]; - if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) { - PRStatus status; - if (!tobject->numInstances || !tobject->instances) continue; - status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject); - if (status == PR_FAILURE) { - /* set the outer one but keep going */ - nssrv = PR_FAILURE; - } - } - } - nssPKIObject_Unlock(cobject); -+ nssPKIObject_Destroy(cobject); - NSSRWLock_UnlockRead(td->tokensLock); - return nssrv; - } - - /* CERT_TraversePermCertsForSubject */ - NSS_IMPLEMENT PRStatus - nssTrustDomain_TraverseCertificatesBySubject ( - NSSTrustDomain *td, -diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c ---- a/lib/pki/tdcache.c -+++ b/lib/pki/tdcache.c -@@ -386,16 +386,17 @@ struct token_cert_dtor { - - static void - remove_token_certs(const void *k, void *v, void *a) - { - NSSCertificate *c = (NSSCertificate *)k; - nssPKIObject *object = &c->object; - struct token_cert_dtor *dtor = a; - PRUint32 i; -+ nssPKIObject_AddRef(object); - nssPKIObject_Lock(object); - for (i=0; inumInstances; i++) { - if (object->instances[i]->token == dtor->token) { - nssCryptokiObject_Destroy(object->instances[i]); - object->instances[i] = object->instances[object->numInstances-1]; - object->instances[object->numInstances-1] = NULL; - object->numInstances--; - dtor->certs[dtor->numCerts++] = c; -@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void * - dtor->certs = nss_ZREALLOCARRAY(dtor->certs, - NSSCertificate *, - dtor->arrSize); - } - break; - } - } - nssPKIObject_Unlock(object); -+ nssPKIObject_Destroy(object); - return; - } - - /* - * Remove all certs for the given token from the cache. This is - * needed if the token is removed. - */ - NSS_IMPLEMENT PRStatus diff --git a/SOURCES/nss-3.16-tcache-race.patch b/SOURCES/nss-3.16-tcache-race.patch new file mode 100644 index 0000000..8bbb329 --- /dev/null +++ b/SOURCES/nss-3.16-tcache-race.patch @@ -0,0 +1,29 @@ +diff -up ./nss/lib/pki/tdcache.c.race ./nss/lib/pki/tdcache.c +--- ./nss/lib/pki/tdcache.c.race 2014-12-18 15:39:42.975354956 -0800 ++++ ./nss/lib/pki/tdcache.c 2014-12-18 15:42:33.934201074 -0800 +@@ -399,6 +399,8 @@ remove_token_certs(const void *k, void * + object->instances[i] = object->instances[object->numInstances-1]; + object->instances[object->numInstances-1] = NULL; + object->numInstances--; ++ /* make sure id doesn't disappear on us before we finish */ ++ nssPKIObject_AddRef(object); + dtor->certs[dtor->numCerts++] = c; + if (dtor->numCerts == dtor->arrSize) { + dtor->arrSize *= 2; +@@ -441,13 +443,15 @@ nssTrustDomain_RemoveTokenCertsFromCache + for (i=0; iobject.numInstances == 0) { + nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); ++ nssPKIObject_Destroy(&dtor.certs[i]->object); + dtor.certs[i] = NULL; /* skip this cert in the second for loop */ +- } ++ } + } + PZ_Unlock(td->cache->lock); + for (i=0; iobject); + } + } + nss_ZFreeIf(dtor.certs); diff --git a/SPECS/nss.spec b/SPECS/nss.spec index eb50b36..0a233c4 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -21,7 +21,7 @@ Summary: Network Security Services Name: nss Version: 3.16.2.3 -Release: 2%{?dist} +Release: 5%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -101,11 +101,15 @@ Patch56: p-ignore-setpolicy.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684 Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069 -Patch64: Crash-in-stan_GetCERTCertificate-rhbz1139349.patch +Patch64: Crash-in-stan_GetCERTCertificate-rhbz1094468.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083360 # support TLS_FALLBACK_SCSV in tstclnt and ssltap -Patch88: p-1083360.patch +Patch88: p-1083360.patch Patch89: certutil-man-supply-missing-options.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1111901 +Patch90: Bug-1174527-fixsegfault.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069 +Patch91: nss-3.16-tcache-race.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -201,10 +205,14 @@ popd %patch56 -p0 -b .1026677 %patch62 -p0 -b .1034409 pushd nss -%patch64 -p1 -b .1139349 +%patch64 -p1 -b .1094468 %patch88 -p1 -b .support_tls_fallback_scsv popd -%patch89 -p0 -b .missing_options +%patch89 -p0 -b .missing_options + pushd nss +%patch90 -p1 -b .1174527 +popd +%patch91 -p0 -b .race ######################################################### # Higher-level libraries and test tools need access to @@ -290,7 +298,7 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1 NSS_USE_SYSTEM_SQLITE=1 export NSS_USE_SYSTEM_SQLITE -%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 +%if %{__isa_bits} == 64 USE_64=1 export USE_64 %endif @@ -396,7 +404,7 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT -%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 +%if %{__isa_bits} == 64 USE_64=1 export USE_64 %endif @@ -785,44 +793,52 @@ fi %changelog +* Mon Jan 19 2015 Elio Maldonado - 3.16.2.3-5 +- Reverse the sense of a test in patch to fix pk12util segfault +- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files + +* Thu Jan 08 2015 Elio Maldonado - 3.16.2.3-4 +- Fix race condition +- Resolves: Bug 1094468 - 389-ds-base server reported crash in stan_GetCERTCertificate +- under the replication replay failure condition + +* Wed Jan 07 2015 Elio Maldonado - 3.16.2.3-3 +- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files + * Tue Nov 25 2014 Elio Maldonado - 3.16.2.3-2 - Restore patch for certutil man page - supply missing options descriptions -- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 -* Wed Nov 19 2014 Elio Maldonado - 3.16.2.3-1 -- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 +* Thu Nov 13 2014 Elio Maldonado - 3.16.2-10 +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 - Support TLS_FALLBACK_SCSV in tstclnt and ssltap -* Fri Sep 26 2014 Elio Maldonado - 3.16.2-8 -- Fix crash in stan_GetCERTCertificate -- Resolves: Bug 1139349 +* Mon Sep 29 2014 Elio Maldonado - 3.16.2-9 +- Resolves: Bug 1145434 - CVE-2014-1568 +- Using a release number higher than on rhel-7.0 branch -* Wed Sep 24 2014 Elio Maldonado - 3.16.2-7 -- Resolves: Bug 1145433 - CVE-2014-1568 +* Mon Aug 11 2014 Elio Maldonado - 3.16.2-4 +- Fix crash in stan_GetCERTCertificate +- Resolves: Bug 1094468 -* Wed Sep 24 2014 Elio Maldonado - 3.16.2-6 -- Rolling back to commit e5fb6e476c179665976e906604496cbbb24f22a7 -- Related: Bug 1145433 +* Tue Aug 05 2014 Elio Maldonado 3.16.2-3 +- Generic 32/64 bit platform detection (fix ppc64le build) +- Resolves: Bug 1125619 - nss fails to build on arch: ppc64le (missing dependencies) +- Fix contributed by Peter Robinson -* Wed Aug 06 2014 Elio Maldonado - 3.16.2-2 -- Restore missing options descriptions fix for certutil manpage -- Document certutil options --dump-ext-val, --extGeneric, and --extSAN -- Related: Bug 1124659 - Rebase RHEL 7 to at least NSS 3.16.1 +* Fri Aug 01 2014 Elio Maldonado - 3.16.2-2 +- Fix libssl and test patches that disable ssl2 support +- Resolves: Bug 1123435 +- Replace expired PayPal test certificate with current one -* Fri Aug 01 2014 Elio Maldonado - 3.16.2-1 +* Tue Jul 08 2014 Elio Maldonado - 3.16.2-1 - Rebase to nss-3.16.2 -- Resolves: Bug 1124659 - Rebase RHEL 7 to at least NSS 3.16.1 (FF 31) +- Resolves: Bug 1103252 - Rebase RHEL 7.1 to at least NSS 3.16.1 (FF 31) - Fix test failure detection in the %%check section - Move removal of unwanted source directories to the end of the %%prep section - Update various patches on account of the rebase - Remove unused patches rendered obsolete by the rebase -- Fix libssl and test patches that disable ssl2 support -- Replace expired PayPal test certificate that breaks the build - -* Fri Jul 04 2014 Elio Maldonado - 3.15.4-7 -- Fix race-condition in certificate validation -- Resolves: Bug 1116201 * Mon Mar 03 2014 Elio Maldonado - 3.15.4-6 - Disallow disabling the internal module