From 22aeef2bcc525aad876d03eda93fa95f38e85c54 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Wed, 15 Mar 2023 09:49:21 +0000
Subject: [PATCH] import nss-3.79.0-11.el8_7

---
 SOURCES/cve-2023-0767.patch | 92 +++++++++++++++++++++++++++++++++++++
 SPECS/nss.spec              | 10 +++-
 2 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/cve-2023-0767.patch

diff --git a/SOURCES/cve-2023-0767.patch b/SOURCES/cve-2023-0767.patch
new file mode 100644
index 0000000..fc5d4fa
--- /dev/null
+++ b/SOURCES/cve-2023-0767.patch
@@ -0,0 +1,92 @@
+diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
+--- a/lib/pkcs12/p12d.c
++++ b/lib/pkcs12/p12d.c
+@@ -335,35 +335,42 @@
+     sec_PKCS12SafeContentsContext *safeContentsCtx =
+         (sec_PKCS12SafeContentsContext *)arg;
+     SEC_PKCS12DecoderContext *p12dcx;
+     SECStatus rv;
+ 
+-    /* make sure that we are not skipping the current safeBag,
+-     * and that there are no errors.  If so, just return rather
+-     * than continuing to process.
+-     */
+-    if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
+-        safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++    if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
+         return;
+     }
+     p12dcx = safeContentsCtx->p12dcx;
+ 
++    /* make sure that there are no errors and we are not skipping the current safeBag */
++    if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++        goto loser;
++    }
++
+     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
+     if (rv != SECSuccess) {
+         p12dcx->errorValue = PORT_GetError();
++        p12dcx->error = PR_TRUE;
++        goto loser;
++    }
++
++    /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
++     * may not get another opportunity to clean up the decoder context.
++     */
++    if (safeContentsCtx->skipCurrentSafeBag) {
+         goto loser;
+     }
+ 
+     return;
+ 
+ loser:
+-    /* set the error, and finish the decoder context.  because there
++    /* Finish the decoder context. Because there
+      * is not a way of returning an error message, it may be worth
+      * while to do a check higher up and finish any decoding contexts
+      * that are still open.
+      */
+-    p12dcx->error = PR_TRUE;
+     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
+     safeContentsCtx->currentSafeBagA1Dcx = NULL;
+     return;
+ }
+ 
+diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h
+--- a/lib/pkcs12/p12t.h
++++ b/lib/pkcs12/p12t.h
+@@ -71,10 +71,11 @@
+         SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
+         sec_PKCS12CertBag *certBag;
+         sec_PKCS12CRLBag *crlBag;
+         sec_PKCS12SecretBag *secretBag;
+         sec_PKCS12SafeContents *safeContents;
++        SECItem *unknownBag;
+     } safeBagContent;
+ 
+     sec_PKCS12Attribute **attribs;
+ 
+     /* used locally */
+diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c
+--- a/lib/pkcs12/p12tmpl.c
++++ b/lib/pkcs12/p12tmpl.c
+@@ -28,16 +28,16 @@
+ 
+     safeBag = (sec_PKCS12SafeBag *)src_or_dest;
+ 
+     oiddata = SECOID_FindOID(&safeBag->safeBagType);
+     if (oiddata == NULL) {
+-        return SEC_ASN1_GET(SEC_AnyTemplate);
++        return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+     }
+ 
+     switch (oiddata->offset) {
+         default:
+-            theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
++            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+             theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index bf8c1f2..0efdf0a 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          10%{?dist}
+Release:          11%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -167,6 +167,9 @@ Patch65:          nss-3.79-enable-POST-rerun.patch
 Patch66:          nss-3.79-increase-pbe-cache.patch
 Patch67:          nss-3.79-pkcs12-fix-null-password.patch
 Patch68:          nss-3.79-fips.patch
+# cve 2023-0767, remove on rebase to nss 3.88.1 or later
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640
+Patch70:          cve-2023-0767.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -944,7 +947,10 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
-* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
+* Wed Mar 8 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
+- Fix CVE-2023-0767
+
+* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-10
 - Fix QA found failures:
 -  remove extra '+' from sslpolicy.txt file causing test error values
 -  only use GRND_RANDOM if the kernel is in FIPS mode.