diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2012-07-03 09:47:38 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2012-07-03 09:47:38 +0000 |
commit | bd2a8ab1293c86b933624a04df277b5d01ce006d (patch) | |
tree | 14bfa3be01048f50e0a93998cc1b0617839be826 | |
parent | 5ac332d538776445fcb36dd52bf81fbcc8bf1def (diff) |
main/nss: fix CVE-2012-0441
fixes #1214
-rw-r--r-- | main/nss/APKBUILD | 32 | ||||
-rw-r--r-- | main/nss/CVE-2012-0441.patch | 202 | ||||
-rw-r--r-- | main/nss/cve-2011-3640.patch | 12 | ||||
-rw-r--r-- | main/nss/nss-no-rpath.patch | 4 |
4 files changed, 228 insertions, 22 deletions
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD index e8e0d0c9147..ca0b1a710ee 100644 --- a/main/nss/APKBUILD +++ b/main/nss/APKBUILD @@ -2,7 +2,7 @@ pkgname=nss pkgver=3.12.9 _ver=${pkgver//./_} -pkgrel=1 +pkgrel=2 pkgdesc="Mozilla Network Security Services" url="http://www.mozilla.org/projects/security/pki/nss/" arch="all" @@ -11,25 +11,28 @@ depends= makedepends="nspr-dev sqlite-dev zlib-dev perl" subpackages="$pkgname-dev $pkgname-tools" source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src/$pkgname-$pkgver.tar.gz + add_spi+cacert_ca_certs.patch + ssl-renegotiate-transitional.patch nss-no-rpath.patch nss.pc.in nss-config.in - add_spi+cacert_ca_certs.patch - ssl-renegotiate-transitional.patch cve-2011-3640.patch + CVE-2012-0441.patch " depends_dev="nspr-dev" _builddir="$srcdir"/$pkgname-$pkgver prepare() { cd "$_builddir" - patch -Np1 -i ""$srcdir"/add_spi+cacert_ca_certs.patch" || return 1 - patch -Np1 -i ""$srcdir"/ssl-renegotiate-transitional.patch" || return 1 - patch -Np0 -i ""$srcdir"/nss-no-rpath.patch" || return 1 + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done # Respect LDFLAGS sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' \ - mozilla/security/coreconf/rules.mk + mozilla/security/coreconf/rules.mk || return 1 } @@ -47,9 +50,9 @@ build() { if [ "$CARCH" = "x86_64" ]; then export USE_64=1 fi - make -j 1 -C mozilla/security/coreconf || return 1 - make -j 1 -C mozilla/security/dbm || return 1 - make -j 1 -C mozilla/security/nss || return 1 + make -j 1 -C mozilla/security/coreconf OS_RELEASE=2.6 || return 1 + make -j 1 -C mozilla/security/dbm OS_RELEASE=2.6 || return 1 + make -j 1 -C mozilla/security/nss OS_RELEASE=2.6 || return 1 } package() { @@ -140,9 +143,10 @@ tools() { } md5sums="bd32f183ca28440c1744650be31a9ccc nss-3.12.9.tar.gz -e5c97db0c884d5f4cfda21e562dc9bba nss-no-rpath.patch -c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in -46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in 7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch -390afb28ce73a26973c7921c9e18fa2c cve-2011-3640.patch" +b61ff98f6b0d055f55883b4a36d1fa90 nss-no-rpath.patch +c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in +46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in +3774b459c4f7c70e9289249f6f566f48 cve-2011-3640.patch +447db747c4d5b10151a8a65be3bf76e3 CVE-2012-0441.patch" diff --git a/main/nss/CVE-2012-0441.patch b/main/nss/CVE-2012-0441.patch new file mode 100644 index 00000000000..bfb102f1c9d --- /dev/null +++ b/main/nss/CVE-2012-0441.patch @@ -0,0 +1,202 @@ +Index: nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/keydb.c 2012-06-02 09:40:33.313201758 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c 2012-06-02 09:44:24.107462120 +0200 +@@ -1790,6 +1790,35 @@ + rv = SEC_QuickDERDecodeItem(permarena, pk, + nsslowkey_RSAPrivateKeyTemplate, + &newPrivateKey); ++ if (rv == SECSuccess) { ++ break; ++ } ++ /* Try decoding with the alternative template, but only allow ++ * a zero-length modulus for a secret key object. ++ * See bug 715073. ++ */ ++ rv = SEC_QuickDERDecodeItem(permarena, pk, ++ nsslowkey_RSAPrivateKeyTemplate2, ++ &newPrivateKey); ++ /* A publicExponent of 0 is the defining property of a secret ++ * key disguised as an RSA key. When decoding with the ++ * alternative template, only accept a secret key with an ++ * improperly encoded modulus and a publicExponent of 0. ++ */ ++ if (rv == SECSuccess) { ++ if (pk->u.rsa.modulus.len == 2 && ++ pk->u.rsa.modulus.data[0] == SEC_ASN1_INTEGER && ++ pk->u.rsa.modulus.data[1] == 0 && ++ pk->u.rsa.publicExponent.len == 1 && ++ pk->u.rsa.publicExponent.data[0] == 0) { ++ /* Fix the zero-length integer by setting it to 0. */ ++ pk->u.rsa.modulus.data = pk->u.rsa.publicExponent.data; ++ pk->u.rsa.modulus.len = pk->u.rsa.publicExponent.len; ++ } else { ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ rv = SECFailure; ++ } ++ } + break; + case SEC_OID_ANSIX9_DSA_SIGNATURE: + pk->keyType = NSSLOWKEYDSAKey; +Index: nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c 2012-06-02 09:40:33.313201758 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c 2012-06-02 09:42:35.354166672 +0200 +@@ -818,11 +818,16 @@ + privKey->keyType = NSSLOWKEYRSAKey; + + /* The modulus is set to the key id of the symmetric key */ +- crv = lg_Attribute2SecItem(arena, CKA_ID, templ, count, +- &privKey->u.rsa.modulus); +- if (crv != CKR_OK) goto loser; ++ privKey->u.rsa.modulus.data = ++ (unsigned char *) PORT_ArenaAlloc(arena, pubkey->len); ++ if (privKey->u.rsa.modulus.data == NULL) { ++ crv = CKR_HOST_MEMORY; ++ goto loser; ++ } ++ privKey->u.rsa.modulus.len = pubkey->len; ++ PORT_Memcpy(privKey->u.rsa.modulus.data, pubkey->data, pubkey->len); + +- /* The public exponent is set to 0 length to indicate a special key */ ++ /* The public exponent is set to 0 to indicate a special key */ + privKey->u.rsa.publicExponent.len = sizeof derZero; + privKey->u.rsa.publicExponent.data = derZero; + +Index: nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lowkey.c 2012-06-02 09:40:33.317201659 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c 2012-06-02 09:45:10.962296923 +0200 +@@ -97,6 +97,24 @@ + { 0 } + }; + ++/* ++ * Allows u.rsa.modulus to be zero length for secret keys with an empty ++ * CKA_ID incorrectly generated in NSS 3.13.3 or earlier. Only used for ++ * decoding. See bug 715073. ++ */ ++const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate2[] = { ++ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) }, ++ { SEC_ASN1_ANY, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) }, ++ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) }, ++ { 0 } ++}; + + const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = { + { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) }, +Index: nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h +=================================================================== +--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h 2012-06-02 09:40:33.317201659 +0200 ++++ nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h 2012-06-02 09:43:25.700914607 +0200 +@@ -72,6 +72,7 @@ + */ + extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[]; + extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[]; ++extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate2[]; + extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[]; + extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[]; + extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[]; +Index: nss/mozilla/security/nss/lib/util/quickder.c +=================================================================== +--- nss.orig/mozilla/security/nss/lib/util/quickder.c 2012-06-02 09:40:33.341201062 +0200 ++++ nss/mozilla/security/nss/lib/util/quickder.c 2012-06-02 09:42:36.418140213 +0200 +@@ -815,40 +815,57 @@ + SECItem newtemp = temp; + rv = GetItem(&newtemp, &temp, PR_FALSE); + save = PR_TRUE; +- if ((SECSuccess == rv) && SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK)) +- switch (kind & SEC_ASN1_TAGNUM_MASK) ++ if ((SECSuccess == rv) && ++ SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK)) + { +- /* special cases of primitive types */ +- case SEC_ASN1_INTEGER: ++ unsigned long tagnum = kind & SEC_ASN1_TAGNUM_MASK; ++ if ( temp.len == 0 && (tagnum == SEC_ASN1_BOOLEAN || ++ tagnum == SEC_ASN1_INTEGER || ++ tagnum == SEC_ASN1_BIT_STRING || ++ tagnum == SEC_ASN1_OBJECT_ID || ++ tagnum == SEC_ASN1_ENUMERATED || ++ tagnum == SEC_ASN1_UTC_TIME || ++ tagnum == SEC_ASN1_GENERALIZED_TIME) ) + { +- /* remove leading zeroes if the caller requested siUnsignedInteger +- This is to allow RSA key operations to work */ +- SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset); +- if (destItem && (siUnsignedInteger == destItem->type)) ++ /* these types MUST have at least one content octet */ ++ PORT_SetError(SEC_ERROR_BAD_DER); ++ rv = SECFailure; ++ } ++ else ++ switch (tagnum) ++ { ++ /* special cases of primitive types */ ++ case SEC_ASN1_INTEGER: + { +- while (temp.len > 1 && temp.data[0] == 0) +- { /* leading 0 */ +- temp.data++; +- temp.len--; ++ /* remove leading zeroes if the caller requested ++ siUnsignedInteger ++ This is to allow RSA key operations to work */ ++ SECItem* destItem = (SECItem*) ((char*)dest + ++ templateEntry->offset); ++ if (destItem && (siUnsignedInteger == destItem->type)) ++ { ++ while (temp.len > 1 && temp.data[0] == 0) ++ { /* leading 0 */ ++ temp.data++; ++ temp.len--; ++ } + } ++ break; + } +- break; +- } + +- case SEC_ASN1_BIT_STRING: +- { +- /* change the length in the SECItem to be the number of bits */ +- if (temp.len && temp.data) ++ case SEC_ASN1_BIT_STRING: + { +- temp.len = (temp.len-1)*8 - ((*(unsigned char*)temp.data) & 0x7); +- temp.data = (unsigned char*)(temp.data+1); ++ /* change the length in the SECItem to be the number ++ of bits */ ++ temp.len = (temp.len-1)*8 - (temp.data[0] & 0x7); ++ temp.data++; ++ break; + } +- break; +- } + +- default: +- { +- break; ++ default: ++ { ++ break; ++ } + } + } + } +@@ -863,7 +880,7 @@ + If part of the destination was allocated by the decoder, in + cases of POINTER, SET OF and SEQUENCE OF, then type is set to + siBuffer due to the use of PORT_ArenaZAlloc*/ +- destItem->data = temp.data; ++ destItem->data = temp.len ? temp.data : NULL; + destItem->len = temp.len; + } + else diff --git a/main/nss/cve-2011-3640.patch b/main/nss/cve-2011-3640.patch index 932d3d978d5..254aabf8a0d 100644 --- a/main/nss/cve-2011-3640.patch +++ b/main/nss/cve-2011-3640.patch @@ -1,10 +1,10 @@ -Index: mozilla/security/nss/lib/softoken/sftkmod.c +Index: ./mozilla/security/nss/lib/softoken/sftkmod.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v retrieving revision 1.8 diff -p -u -r1.8 sftkmod.c ---- mozilla/security/nss/lib/softoken/sftkmod.c 15 Jan 2011 20:59:11 -0000 1.8 -+++ mozilla/security/nss/lib/softoken/sftkmod.c 2 Oct 2011 14:45:28 -0000 +--- ./mozilla/security/nss/lib/softoken/sftkmod.c 15 Jan 2011 20:59:11 -0000 1.8 ++++ ./mozilla/security/nss/lib/softoken/sftkmod.c 2 Oct 2011 14:45:28 -0000 @@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char * char *sep; @@ -102,13 +102,13 @@ diff -p -u -r1.8 sftkmod.c if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw); } -Index: mozilla/security/nss/lib/softoken/sftkpars.c +Index: ./mozilla/security/nss/lib/softoken/sftkpars.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v retrieving revision 1.11 diff -p -u -r1.11 sftkpars.c ---- mozilla/security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11 -+++ mozilla/security/nss/lib/softoken/sftkpars.c 2 Oct 2011 14:45:29 -0000 +--- ./mozilla/security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11 ++++ ./mozilla/security/nss/lib/softoken/sftkpars.c 2 Oct 2011 14:45:29 -0000 @@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType char *value = NULL; char *save_params = param; diff --git a/main/nss/nss-no-rpath.patch b/main/nss/nss-no-rpath.patch index 35ea5731542..29129ca4db2 100644 --- a/main/nss/nss-no-rpath.patch +++ b/main/nss/nss-no-rpath.patch @@ -1,5 +1,5 @@ ---- ./mozilla/security/nss/cmd/platlibs.mk.withrpath 2007-02-19 07:17:06.000000000 +0100 -+++ ./mozilla/security/nss/cmd/platlibs.mk 2007-02-19 07:18:07.000000000 +0100 +--- ././mozilla/security/nss/cmd/platlibs.mk.withrpath 2007-02-19 07:17:06.000000000 +0100 ++++ ././mozilla/security/nss/cmd/platlibs.mk 2007-02-19 07:18:07.000000000 +0100 @@ -52,9 +52,9 @@ ifeq ($(OS_ARCH), Linux) |