rpms/curl
8
0
Fork 1
Code Issues Pull Requests Releases Activity

Resolves: #1444860 - nss: do not leak PKCS #11 slot while loading a key

Browse Source
This commit is contained in:
Kamil Dudka 2017-04-25 18:31:45 +02:00
parent 0f99fceebe
commit 1e77c47734
2 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
0001-curl-7.54.0-nss-pem-slot-leak.patch Normal file
View File

@ -0,0 +1,42 @@
From ba1da47aa5080a73742ca9bc7c22ce2a703a3925 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 24 Apr 2017 15:01:04 +0200
Subject: [PATCH] nss: do not leak PKCS #11 slot while loading a key
It could prevent nss-pem from being unloaded later on.
Bug: https://bugzilla.redhat.com/1444860
Upstream-commit: c8ea86f377a2f341db635ec96f99314023b5a8f3
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/nss.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 89a16d3..099f364 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -581,7 +581,7 @@ fail:
static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
char *key_file)
{
- PK11SlotInfo *slot;
+ PK11SlotInfo *slot, *tmp;
SECStatus status;
CURLcode result;
struct ssl_connect_data *ssl = conn->ssl;
@@ -600,7 +600,9 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
return CURLE_SSL_CERTPROBLEM;
/* This will force the token to be seen as re-inserted */
- SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
+ tmp = SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
+ if(tmp)
+ PK11_FreeSlot(tmp);
PK11_IsPresent(slot);
status = PK11_Authenticate(slot, PR_TRUE, SSL_SET_OPTION(key_passwd));
--
2.9.3

9
curl.spec
View File

@ -1,11 +1,14 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.54.0 Version: 7.54.0
Release: 1%{?dist} Release: 2%{?dist}
License: MIT License: MIT
Group: Applications/Internet Group: Applications/Internet
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma
# nss: do not leak PKCS #11 slot while loading a key (#1444860)
Patch1: 0001-curl-7.54.0-nss-pem-slot-leak.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -138,6 +141,7 @@ be installed.
%setup -q %setup -q
# upstream patches # upstream patches
%patch1 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
@ -297,6 +301,9 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
%{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal
%changelog %changelog
* Tue Apr 25 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-2
- nss: do not leak PKCS #11 slot while loading a key (#1444860)
* Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1 * Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1
- new upstream release (fixes CVE-2017-7468) - new upstream release (fixes CVE-2017-7468)