From 67efe221c25c2c37997e46f5ce3d39f2376c8c5a Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Mar 20 2023 09:02:33 +0000
Subject: import nss-3.79.0-5.el7_9


---

diff --git a/SOURCES/cve-2023-0767.patch b/SOURCES/cve-2023-0767.patch
new file mode 100644
index 0000000..fc5d4fa
--- /dev/null
+++ b/SOURCES/cve-2023-0767.patch
@@ -0,0 +1,92 @@
+diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
+--- a/lib/pkcs12/p12d.c
++++ b/lib/pkcs12/p12d.c
+@@ -335,35 +335,42 @@
+     sec_PKCS12SafeContentsContext *safeContentsCtx =
+         (sec_PKCS12SafeContentsContext *)arg;
+     SEC_PKCS12DecoderContext *p12dcx;
+     SECStatus rv;
+ 
+-    /* make sure that we are not skipping the current safeBag,
+-     * and that there are no errors.  If so, just return rather
+-     * than continuing to process.
+-     */
+-    if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
+-        safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++    if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
+         return;
+     }
+     p12dcx = safeContentsCtx->p12dcx;
+ 
++    /* make sure that there are no errors and we are not skipping the current safeBag */
++    if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++        goto loser;
++    }
++
+     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
+     if (rv != SECSuccess) {
+         p12dcx->errorValue = PORT_GetError();
++        p12dcx->error = PR_TRUE;
++        goto loser;
++    }
++
++    /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
++     * may not get another opportunity to clean up the decoder context.
++     */
++    if (safeContentsCtx->skipCurrentSafeBag) {
+         goto loser;
+     }
+ 
+     return;
+ 
+ loser:
+-    /* set the error, and finish the decoder context.  because there
++    /* Finish the decoder context. Because there
+      * is not a way of returning an error message, it may be worth
+      * while to do a check higher up and finish any decoding contexts
+      * that are still open.
+      */
+-    p12dcx->error = PR_TRUE;
+     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
+     safeContentsCtx->currentSafeBagA1Dcx = NULL;
+     return;
+ }
+ 
+diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h
+--- a/lib/pkcs12/p12t.h
++++ b/lib/pkcs12/p12t.h
+@@ -71,10 +71,11 @@
+         SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
+         sec_PKCS12CertBag *certBag;
+         sec_PKCS12CRLBag *crlBag;
+         sec_PKCS12SecretBag *secretBag;
+         sec_PKCS12SafeContents *safeContents;
++        SECItem *unknownBag;
+     } safeBagContent;
+ 
+     sec_PKCS12Attribute **attribs;
+ 
+     /* used locally */
+diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c
+--- a/lib/pkcs12/p12tmpl.c
++++ b/lib/pkcs12/p12tmpl.c
+@@ -28,16 +28,16 @@
+ 
+     safeBag = (sec_PKCS12SafeBag *)src_or_dest;
+ 
+     oiddata = SECOID_FindOID(&safeBag->safeBagType);
+     if (oiddata == NULL) {
+-        return SEC_ASN1_GET(SEC_AnyTemplate);
++        return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+     }
+ 
+     switch (oiddata->offset) {
+         default:
+-            theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
++            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+             theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 1efc0f7..2ed4f53 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -42,7 +42,7 @@ rpm.define(string.format("nss_archive_version %s",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          4%{?dist}
+Release:          5%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -164,6 +164,9 @@ Patch161: nss-3.66-disable-external-host-test.patch
 # keep expired distrusted certs
 Patch162: nss-3.79-distrusted-certs.patch
 #-----------------------------------
+# cve 2023-0767, remove on rebase to nss 3.88.1 or later
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640
+Patch170: cve-2023-0767.patch
 
 # remove when nss-softokn is 3.79 during builds
 Patch200: nss-3.79-skip-pwdecrypt-time.patch
@@ -279,6 +282,7 @@ pushd nss
 %patch160 -p1 -b .restore-pkcs12-defaults
 %patch161 -p1 -b .brew
 %patch162 -R -p1 -b .distrusted-certs
+%patch170 -p1 -b .cve-2023-0767
 
 %patch200 -p1 -b .skip-pwdecrypt-time
 %patch300 -p1 -b .remove-explicit-ipv4
@@ -942,6 +946,9 @@ fi
 
 
 %changelog
+* Wed Mar 8 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-5
+- fix CVE-2023-0767
+
 * Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-4
 - fix regression for pkcs12.