From 1e77c4773490bd4cb24b66e574f1b081faf5de9d Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 25 Apr 2017 18:31:45 +0200
Subject: [PATCH] Resolves: #1444860 - nss: do not leak PKCS #11 slot while
 loading a key

---
 0001-curl-7.54.0-nss-pem-slot-leak.patch | 42 ++++++++++++++++++++++++
 curl.spec                                |  9 ++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 0001-curl-7.54.0-nss-pem-slot-leak.patch

diff --git a/0001-curl-7.54.0-nss-pem-slot-leak.patch b/0001-curl-7.54.0-nss-pem-slot-leak.patch
new file mode 100644
index 0000000..27bed46
--- /dev/null
+++ b/0001-curl-7.54.0-nss-pem-slot-leak.patch
@@ -0,0 +1,42 @@
+From ba1da47aa5080a73742ca9bc7c22ce2a703a3925 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 24 Apr 2017 15:01:04 +0200
+Subject: [PATCH] nss: do not leak PKCS #11 slot while loading a key
+
+It could prevent nss-pem from being unloaded later on.
+
+Bug: https://bugzilla.redhat.com/1444860
+
+Upstream-commit: c8ea86f377a2f341db635ec96f99314023b5a8f3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 89a16d3..099f364 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -581,7 +581,7 @@ fail:
+ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
+                              char *key_file)
+ {
+-  PK11SlotInfo *slot;
++  PK11SlotInfo *slot, *tmp;
+   SECStatus status;
+   CURLcode result;
+   struct ssl_connect_data *ssl = conn->ssl;
+@@ -600,7 +600,9 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
+     return CURLE_SSL_CERTPROBLEM;
+ 
+   /* This will force the token to be seen as re-inserted */
+-  SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
++  tmp = SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
++  if(tmp)
++    PK11_FreeSlot(tmp);
+   PK11_IsPresent(slot);
+ 
+   status = PK11_Authenticate(slot, PR_TRUE, SSL_SET_OPTION(key_passwd));
+-- 
+2.9.3
+
diff --git a/curl.spec b/curl.spec
index 3545586..cd3b5c7 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,11 +1,14 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.54.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 
+# nss: do not leak PKCS #11 slot while loading a key (#1444860)
+Patch1:   0001-curl-7.54.0-nss-pem-slot-leak.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -138,6 +141,7 @@ be installed.
 %setup -q
 
 # upstream patches
+%patch1 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -297,6 +301,9 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
 
 %changelog
+* Tue Apr 25 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-2
+- nss: do not leak PKCS #11 slot while loading a key (#1444860)
+
 * Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1
 - new upstream release (fixes CVE-2017-7468)