mirrors/aports
1
0
Fork 0
mirror of https://gitlab.alpinelinux.org/alpine/aports.git synced 2026-05-05 04:16:46 +02:00
Code Issues Packages Projects Releases Wiki Activity

main/nss: fix CVE-2012-0441

Browse Source 
fixes #1215
This commit is contained in:
Natanael Copa 2012-07-03 11:04:12 +00:00
parent c6218a94cd
commit 9abcd899b8
4 changed files with 364 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
main/nss/APKBUILD
View File

@ -2,7 +2,7 @@
pkgname=nss
pkgver=3.12.8
_ver=3_12_8
pkgrel=0
pkgrel=1
pkgdesc="Mozilla Network Security Services"
url="http://www.mozilla.org/projects/security/pki/nss/"
license="MPL GPL"
@ -14,19 +14,24 @@ source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src
nss.pc.in
nss-config.in
add_spi+cacert_ca_certs.patch
ssl-renegotiate-transitional.patch"
ssl-renegotiate-transitional.patch
cve-2011-3640.patch
CVE-2012-0441.patch
"
depends_dev="nspr-dev"
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
patch -Np1 -i ""$srcdir"/add_spi+cacert_ca_certs.patch" || return 1
patch -Np1 -i ""$srcdir"/ssl-renegotiate-transitional.patch" || return 1
patch -Np0 -i ""$srcdir"/nss-no-rpath.patch" || return 1
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
# Respect LDFLAGS
sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' \
mozilla/security/coreconf/rules.mk
mozilla/security/coreconf/rules.mk || return 1
}
@ -41,9 +46,9 @@ build() {
export NSPR_INCLUDE_DIR=`pkg-config --cflags-only-I nspr | sed 's/-I//'`
export NSPR_LIB_DIR=`pkg-config --libs-only-L nspr | sed 's/-L.//'`
export XCFLAGS="${CFLAGS}"
make -j 1 -C mozilla/security/coreconf || return 1
make -j 1 -C mozilla/security/dbm || return 1
make -j 1 -C mozilla/security/nss || return 1
make -j 1 -C mozilla/security/coreconf OS_RELEASE=2.6 || return 1
make -j 1 -C mozilla/security/dbm OS_RELEASE=2.6 || return 1
make -j 1 -C mozilla/security/nss OS_RELEASE=2.6 || return 1
}
package() {
@ -110,8 +115,10 @@ libnss() {
}
md5sums="40bf1bb0c7567827d3768d1fc6081100 nss-3.12.8.tar.gz
e5c97db0c884d5f4cfda21e562dc9bba nss-no-rpath.patch
7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch
d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch
b61ff98f6b0d055f55883b4a36d1fa90 nss-no-rpath.patch
c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in
46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in
7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch
d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch"
3774b459c4f7c70e9289249f6f566f48 cve-2011-3640.patch
447db747c4d5b10151a8a65be3bf76e3 CVE-2012-0441.patch"

202
main/nss/CVE-2012-0441.patch Normal file
View File

@ -0,0 +1,202 @@
Index: nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c
===================================================================
--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/keydb.c 2012-06-02 09:40:33.313201758 +0200
+++ nss/mozilla/security/nss/lib/softoken/legacydb/keydb.c 2012-06-02 09:44:24.107462120 +0200
@@ -1790,6 +1790,35 @@
rv = SEC_QuickDERDecodeItem(permarena, pk,
nsslowkey_RSAPrivateKeyTemplate,
&newPrivateKey);
+ if (rv == SECSuccess) {
+ break;
+ }
+ /* Try decoding with the alternative template, but only allow
+ * a zero-length modulus for a secret key object.
+ * See bug 715073.
+ */
+ rv = SEC_QuickDERDecodeItem(permarena, pk,
+ nsslowkey_RSAPrivateKeyTemplate2,
+ &newPrivateKey);
+ /* A publicExponent of 0 is the defining property of a secret
+ * key disguised as an RSA key. When decoding with the
+ * alternative template, only accept a secret key with an
+ * improperly encoded modulus and a publicExponent of 0.
+ */
+ if (rv == SECSuccess) {
+ if (pk->u.rsa.modulus.len == 2 &&
+ pk->u.rsa.modulus.data[0] == SEC_ASN1_INTEGER &&
+ pk->u.rsa.modulus.data[1] == 0 &&
+ pk->u.rsa.publicExponent.len == 1 &&
+ pk->u.rsa.publicExponent.data[0] == 0) {
+ /* Fix the zero-length integer by setting it to 0. */
+ pk->u.rsa.modulus.data = pk->u.rsa.publicExponent.data;
+ pk->u.rsa.modulus.len = pk->u.rsa.publicExponent.len;
+ } else {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ rv = SECFailure;
+ }
+ }
break;
case SEC_OID_ANSIX9_DSA_SIGNATURE:
pk->keyType = NSSLOWKEYDSAKey;
Index: nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c
===================================================================
--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c 2012-06-02 09:40:33.313201758 +0200
+++ nss/mozilla/security/nss/lib/softoken/legacydb/lgcreate.c 2012-06-02 09:42:35.354166672 +0200
@@ -818,11 +818,16 @@
privKey->keyType = NSSLOWKEYRSAKey;
/* The modulus is set to the key id of the symmetric key */
- crv = lg_Attribute2SecItem(arena, CKA_ID, templ, count,
- &privKey->u.rsa.modulus);
- if (crv != CKR_OK) goto loser;
+ privKey->u.rsa.modulus.data =
+ (unsigned char *) PORT_ArenaAlloc(arena, pubkey->len);
+ if (privKey->u.rsa.modulus.data == NULL) {
+ crv = CKR_HOST_MEMORY;
+ goto loser;
+ }
+ privKey->u.rsa.modulus.len = pubkey->len;
+ PORT_Memcpy(privKey->u.rsa.modulus.data, pubkey->data, pubkey->len);
- /* The public exponent is set to 0 length to indicate a special key */
+ /* The public exponent is set to 0 to indicate a special key */
privKey->u.rsa.publicExponent.len = sizeof derZero;
privKey->u.rsa.publicExponent.data = derZero;
Index: nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c
===================================================================
--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lowkey.c 2012-06-02 09:40:33.317201659 +0200
+++ nss/mozilla/security/nss/lib/softoken/legacydb/lowkey.c 2012-06-02 09:45:10.962296923 +0200
@@ -97,6 +97,24 @@
{ 0 }
};
+/*
+ * Allows u.rsa.modulus to be zero length for secret keys with an empty
+ * CKA_ID incorrectly generated in NSS 3.13.3 or earlier. Only used for
+ * decoding. See bug 715073.
+ */
+const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate2[] = {
+ { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.version) },
+ { SEC_ASN1_ANY, offsetof(NSSLOWKEYPrivateKey,u.rsa.modulus) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.publicExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.privateExponent) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.prime2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent1) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.exponent2) },
+ { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.rsa.coefficient) },
+ { 0 }
+};
const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
Index: nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h
===================================================================
--- nss.orig/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h 2012-06-02 09:40:33.317201659 +0200
+++ nss/mozilla/security/nss/lib/softoken/legacydb/lowkeyti.h 2012-06-02 09:43:25.700914607 +0200
@@ -72,6 +72,7 @@
*/
extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
+extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate2[];
extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
Index: nss/mozilla/security/nss/lib/util/quickder.c
===================================================================
--- nss.orig/mozilla/security/nss/lib/util/quickder.c 2012-06-02 09:40:33.341201062 +0200
+++ nss/mozilla/security/nss/lib/util/quickder.c 2012-06-02 09:42:36.418140213 +0200
@@ -815,40 +815,57 @@
SECItem newtemp = temp;
rv = GetItem(&newtemp, &temp, PR_FALSE);
save = PR_TRUE;
- if ((SECSuccess == rv) && SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK))
- switch (kind & SEC_ASN1_TAGNUM_MASK)
+ if ((SECSuccess == rv) &&
+ SEC_ASN1_UNIVERSAL == (kind & SEC_ASN1_CLASS_MASK))
{
- /* special cases of primitive types */
- case SEC_ASN1_INTEGER:
+ unsigned long tagnum = kind & SEC_ASN1_TAGNUM_MASK;
+ if ( temp.len == 0 && (tagnum == SEC_ASN1_BOOLEAN ||
+ tagnum == SEC_ASN1_INTEGER ||
+ tagnum == SEC_ASN1_BIT_STRING ||
+ tagnum == SEC_ASN1_OBJECT_ID ||
+ tagnum == SEC_ASN1_ENUMERATED ||
+ tagnum == SEC_ASN1_UTC_TIME ||
+ tagnum == SEC_ASN1_GENERALIZED_TIME) )
{
- /* remove leading zeroes if the caller requested siUnsignedInteger
- This is to allow RSA key operations to work */
- SECItem* destItem = (SECItem*) ((char*)dest + templateEntry->offset);
- if (destItem && (siUnsignedInteger == destItem->type))
+ /* these types MUST have at least one content octet */
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ rv = SECFailure;
+ }
+ else
+ switch (tagnum)
+ {
+ /* special cases of primitive types */
+ case SEC_ASN1_INTEGER:
{
- while (temp.len > 1 && temp.data[0] == 0)
- { /* leading 0 */
- temp.data++;
- temp.len--;
+ /* remove leading zeroes if the caller requested
+ siUnsignedInteger
+ This is to allow RSA key operations to work */
+ SECItem* destItem = (SECItem*) ((char*)dest +
+ templateEntry->offset);
+ if (destItem && (siUnsignedInteger == destItem->type))
+ {
+ while (temp.len > 1 && temp.data[0] == 0)
+ { /* leading 0 */
+ temp.data++;
+ temp.len--;
+ }
}
+ break;
}
- break;
- }
- case SEC_ASN1_BIT_STRING:
- {
- /* change the length in the SECItem to be the number of bits */
- if (temp.len && temp.data)
+ case SEC_ASN1_BIT_STRING:
{
- temp.len = (temp.len-1)*8 - ((*(unsigned char*)temp.data) & 0x7);
- temp.data = (unsigned char*)(temp.data+1);
+ /* change the length in the SECItem to be the number
+ of bits */
+ temp.len = (temp.len-1)*8 - (temp.data[0] & 0x7);
+ temp.data++;
+ break;
}
- break;
- }
- default:
- {
- break;
+ default:
+ {
+ break;
+ }
}
}
}
@@ -863,7 +880,7 @@
If part of the destination was allocated by the decoder, in
cases of POINTER, SET OF and SEQUENCE OF, then type is set to
siBuffer due to the use of PORT_ArenaZAlloc*/
- destItem->data = temp.data;
+ destItem->data = temp.len ? temp.data : NULL;
destItem->len = temp.len;
}
else

141
main/nss/cve-2011-3640.patch Normal file
View File

@ -0,0 +1,141 @@
Index: ./mozilla/security/nss/lib/softoken/sftkmod.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v
retrieving revision 1.8
diff -p -u -r1.8 sftkmod.c
--- ./mozilla/security/nss/lib/softoken/sftkmod.c 15 Jan 2011 20:59:11 -0000 1.8
+++ ./mozilla/security/nss/lib/softoken/sftkmod.c 2 Oct 2011 14:45:28 -0000
@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
char *sep;
sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
-#ifdef WINDOWS
+#ifdef _WIN32
if (!sep) {
- sep = PORT_Strrchr(dirPath,'/');
+ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
+ sep = PORT_Strrchr(dirPath,'\\');
}
#endif
if (sep) {
- *(sep)=0;
+ *sep = 0;
+ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+ } else {
+ file = PR_smprintf("%s", filename);
}
- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
PORT_Free(dirPath);
return file;
}
@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
char *paramsValue=NULL;
PRBool failed = PR_TRUE;
- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ if ((dbname != NULL) &&
+ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
}
moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
if (moduleList == NULL) return NULL;
+ if (dbname == NULL) {
+ goto return_default;
+ }
+
/* do we really want to use streams here */
fd = fopen(dbname, "r");
if (fd == NULL) goto done;
@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
moduleString = NULL;
}
done:
- /* if we couldn't open a pkcs11 database, look for the old one */
+ /* If we couldn't open a pkcs11 database, look for the old one.
+ * This is necessary to maintain the semantics of the transition from
+ * old to new DB's. If there is an old DB and not new DB, we will
+ * automatically use the old DB. If the DB was opened read/write, we
+ * create a new db and upgrade it from the old one. */
if (fd == NULL) {
char *olddbname = sftk_getOldSecmodName(dbname,filename);
PRStatus status;
@@ -462,6 +474,8 @@ bail:
PR_smprintf_free(olddbname);
}
}
+
+return_default:
if (!moduleList[0]) {
char * newParams;
@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
const char *filename, const char *dbname,
char **moduleSpecList, PRBool rw)
{
- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ if ((dbname != NULL) &&
+ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname,
moduleSpecList, rw);
}
@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
PRBool skip = PR_FALSE;
PRBool found = PR_FALSE;
+ if (dbname == NULL) {
+ return SECFailure;
+ }
+
if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
}
@@ -669,6 +688,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
char *block = NULL;
PRBool libFound = PR_FALSE;
+ if (dbname == NULL) {
+ return SECFailure;
+ }
+
if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
}
Index: ./mozilla/security/nss/lib/softoken/sftkpars.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v
retrieving revision 1.11
diff -p -u -r1.11 sftkpars.c
--- ./mozilla/security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11
+++ ./mozilla/security/nss/lib/softoken/sftkpars.c 2 Oct 2011 14:45:29 -0000
@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType
char *value = NULL;
char *save_params = param;
const char *lconfigdir;
+ PRBool noModDB = PR_FALSE;
param = sftk_argStrip(param);
@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType
if (sftk_argHasFlag("flags","noModDB",save_params)) {
/* there isn't a module db, don't load the legacy support */
+ noModDB = PR_TRUE;
*dbType = SDB_SQL;
+ PORT_Free(*filename);
+ *filename = NULL;
*rw = PR_FALSE;
}
@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType
secmodName="pkcs11.txt";
}
- if (lconfigdir) {
+ if (noModDB) {
+ value = NULL;
+ } else if (lconfigdir && lconfigdir[0] != '\0') {
value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
} else {
value = PR_smprintf("%s",secmodName);

4
main/nss/nss-no-rpath.patch
View File

@ -1,5 +1,5 @@
--- ./mozilla/security/nss/cmd/platlibs.mk.withrpath 2007-02-19 07:17:06.000000000 +0100
+++ ./mozilla/security/nss/cmd/platlibs.mk 2007-02-19 07:18:07.000000000 +0100
--- ././mozilla/security/nss/cmd/platlibs.mk.withrpath 2007-02-19 07:17:06.000000000 +0100
+++ ././mozilla/security/nss/cmd/platlibs.mk 2007-02-19 07:18:07.000000000 +0100
@@ -52,9 +52,9 @@
ifeq ($(OS_ARCH), Linux)