diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2018-10-02 15:11:45 +0200 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-10-02 15:11:45 +0200 |
commit | 447318e4bff01df5d8424ebddea8345bd4a29501 (patch) | |
tree | 053e9d935aaa076ee040a979b35c20d5f98077b5 | |
parent | 044957741907d97afb7e6b1510a87e94b430de1e (diff) |
main/nss: backport fix for CVE-2018-12384
fixes #9478
-rw-r--r-- | main/nss/APKBUILD | 10 | ||||
-rw-r--r-- | main/nss/CVE-2018-12384.patch | 80 |
2 files changed, 88 insertions, 2 deletions
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD index 169a1df4664..6e7d33fbed8 100644 --- a/main/nss/APKBUILD +++ b/main/nss/APKBUILD @@ -3,7 +3,7 @@ pkgname=nss pkgver=3.36.1 _ver=${pkgver//./_} -pkgrel=0 +pkgrel=1 pkgdesc="Mozilla Network Security Services" url="http://www.mozilla.org/projects/security/pki/nss/" arch="all" @@ -19,9 +19,14 @@ source="http://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${pkgver//./_} nss-softokn.pc.in nss-config.in add_spi+cacert_ca_certs.patch + CVE-2018-12384.patch " builddir="$srcdir/$pkgname-$pkgver" +# secfixes: +# 3.36.1-r1: +# - CVE-2018-12384 + prepare() { default_prepare @@ -152,4 +157,5 @@ sha512sums="096fe4360b6d584a746ac6156830f8cff821fd173bd889d7a396238919328a227fa4 0f2efa8563b11da68669d281b4459289a56f5a3a906eb60382126f3adcfe47420cdcedc6ab57727a3afeeffa2bbb4c750b43bef8b5f343a75c968411dfa30e09 nss-util.pc.in 09c69d4cc39ec9deebc88696a80d0f15eb2d8c94d9daa234a2adfec941b63805eb4ce7f2e1943857b938bddcaee1beac246a0ec627b71563d9f846e6119a4a15 nss-softokn.pc.in 2971669e128f06a9af40a5ba88218fa7c9eecfeeae8b0cf42e14f31ed12bf6fa4c5ce60289e078f50e2669a9376b56b45d7c29d726a7eac69ebe1d1e22dc710b nss-config.in -6e04556858499aec465d6670818465327ba2cb099061c2afee4b5cac8aa61938e0095906acfb38df6a1b70a6bde6dd69f08bb4c00a9d188e4cb3131b26c1bc16 add_spi+cacert_ca_certs.patch" +6e04556858499aec465d6670818465327ba2cb099061c2afee4b5cac8aa61938e0095906acfb38df6a1b70a6bde6dd69f08bb4c00a9d188e4cb3131b26c1bc16 add_spi+cacert_ca_certs.patch +8dbaccb13187445f534fe6371462d71b178f156a405a8b6ac9c58df7412e28b82328e412ef6de06697dc39036d8af3ab7938dfbcf3feb6814a793563e0610b2e CVE-2018-12384.patch" diff --git a/main/nss/CVE-2018-12384.patch b/main/nss/CVE-2018-12384.patch new file mode 100644 index 00000000000..51447f97b31 --- /dev/null +++ b/main/nss/CVE-2018-12384.patch @@ -0,0 +1,80 @@ + +# HG changeset patch +# User Martin Thomson <mt@mozilla.com> +# Date 1535720767 -7200 +# Node ID 46f9a1f40c3dd53cf4627e007429530fe989f592 +# Parent 93108979390d163ae97d73db5a2df883d2bf8c62 +Bug 1483128, backported fix for CVE-2018-12384 to the NSS_3_36_BRANCH + +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +--- a/nss/lib/ssl/ssl3con.c ++++ b/nss/lib/ssl/ssl3con.c +@@ -8077,24 +8077,16 @@ ssl3_HandleClientHello(sslSocket *ss, PR + rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.fakeSid, &sidBytes); + if (rv != SECSuccess) { + desc = internal_error; + errCode = PORT_GetError(); + goto alert_loser; + } + } + +- /* Generate the Server Random now so it is available +- * when we process the ClientKeyShare in TLS 1.3 */ +- rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random); +- if (rv != SECSuccess) { +- errCode = SSL_ERROR_GENERATE_RANDOM_FAILURE; +- goto loser; +- } +- + #ifndef TLS_1_3_DRAFT_VERSION + /* + * [draft-ietf-tls-tls13-11 Section 6.3.1.1]. + * TLS 1.3 server implementations which respond to a ClientHello with a + * client_version indicating TLS 1.2 or below MUST set the last eight + * bytes of their Random value to the bytes: + * + * 44 4F 57 4E 47 52 44 01 +@@ -8873,30 +8865,39 @@ loser: + + SECStatus + ssl_ConstructServerHello(sslSocket *ss, PRBool helloRetry, + const sslBuffer *extensionBuf, sslBuffer *messageBuf) + { + SECStatus rv; + SSL3ProtocolVersion version; + sslSessionID *sid = ss->sec.ci.sid; ++ const PRUint8 *random; + + if (IS_DTLS(ss) && ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { + version = dtls_TLSVersionToDTLSVersion(ss->version); + } else { + version = PR_MIN(ss->version, SSL_LIBRARY_VERSION_TLS_1_2); + } + + rv = sslBuffer_AppendNumber(messageBuf, version, 2); + if (rv != SECSuccess) { + return SECFailure; + } +- /* Random already generated in ssl3_HandleClientHello */ +- rv = sslBuffer_Append(messageBuf, helloRetry ? ssl_hello_retry_random : ss->ssl3.hs.server_random, +- SSL3_RANDOM_LENGTH); ++ ++ if (helloRetry) { ++ random = ssl_hello_retry_random; ++ } else { ++ rv = ssl3_GetNewRandom(ss->ssl3.hs.server_random); ++ if (rv != SECSuccess) { ++ return SECFailure; ++ } ++ random = ss->ssl3.hs.server_random; ++ } ++ rv = sslBuffer_Append(messageBuf, random, SSL3_RANDOM_LENGTH); + if (rv != SECSuccess) { + return SECFailure; + } + + if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { + if (sid) { + rv = sslBuffer_AppendVariable(messageBuf, sid->u.ssl3.sessionID, + sid->u.ssl3.sessionIDLength, 1); + |