- Fix attempt to free uninitialized pointer (#717338)
- Fix leak on pem_CreateObject when given non-existing file name (#734760) - Fix pem_Initialize to return CKR_CANT_LOCK on multi-threaded calls (#736410)
parent
c26c5b1326
commit
3586aff4e7
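--- /dev/null
+++ b/0001-libnsspem-rhbz-734760.patch
@@ -0,0 +1,21 @@
+diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 ./mozilla/security/nss/lib/ckfw/pem/pobject.c
+--- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 2011-09-10 10:21:38.819248564 -0700
++++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:28:47.970083785 -0700
+@@ -1117,7 +1117,7 @@ pem_CreateObject
+
+nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+if (nobjs < 1)
+- return (NSSCKMDObject *) NULL;
++ goto loser;
+
+objid = -1;
+/* Brute force: find the id of the key, if any, in this slot */
+@@ -1176,7 +1176,7 @@ pem_CreateObject
+
+nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */);
+if (nobjs < 1)
+- return (NSSCKMDObject *) NULL;
++ goto loser;
+
+certDER.len = 0; /* in case there is no equivalent cert */
+certDER.data = NULL;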
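--- a/nss.spec
+++ b/nss.spec
@@ -6,7 +6,7 @@
 Summary: Network Security Services
 Name: nss
 Version: 3.12.11
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -55,9 +55,12 @@ Patch6: nss-enable-pem.patch
 Patch7: nsspem-642433.patch
 Patch8: 0001-Bug-695011-PEM-logging.patch
 Patch16: nss-539183.patch
-#Patch17: nss-703658.patch
 Patch18: nss-646045.patch
 Patch19: builtins-nssckbi_1_87_rtm.patch
+Patch20: nsspem-createobject-initialize-pointer.patch
+Patch21: 0001-libnsspem-rhbz-734760.patch
+Patch22: nsspem-init-inform-not-thread-safe.patch
+
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -133,9 +136,11 @@ low level services.
 %patch7 -p0 -b .642433
 %patch8 -p1 -b .695011
 %patch16 -p0 -b .539183
-#%patch17 -p0 -b .703658
 %patch18 -p0 -b .646045
 %patch19 -p0 -b .ckbi187
+%patch20 -p1 -b .717338
+%patch21 -p1 -b .734760
+%patch22 -p0 -b .736410
 
 
 %build
@@ -546,6 +551,11 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
 
 
 %changelog
+* Wed Sep 14 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.11-3
+- Fix attempt to free initilized pointer (#717338)
+- Fix leak on pem_CreateObject when given non-existing file name (#734760)
+- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410)
+
 * Tue Sep 06 2011 Kai Engert <kaie@redhat.com> - 3.12.11-2
 - Update builtins certs to those from NSSCKBI_1_87_RTM
 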
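Review bot: The new %changelog line `- Fix attempt to free initilized pointer (#717338)` misdescribes the fix: the patch it wires in (nsspem-createobject-initialize-pointer.patch) adds `certDER.data = NULL;`, i.e. the pointer being freed was uninitialized, so the entry should read `- Fix attempt to free uninitialized pointer (#717338)`, and the #736410 line should say `multi-threaded`. Also note that %patch21 must keep its place after %patch20: the 0001-libnsspem-rhbz-734760.patch context at pobject.c:1176 already contains the `certDER.data = NULL;` line that patch20 introduces, so reordering them would make patch21 fail to apply.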
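--- /dev/null
+++ b/nsspem-createobject-initialize-pointer.patch
@@ -0,0 +1,11 @@
+diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 ./mozilla/security/nss/lib/ckfw/pem/pobject.c
+--- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 2010-11-25 10:49:27.000000000 -0800
++++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:16:58.752726964 -0700
+@@ -1179,6 +1179,7 @@ pem_CreateObject
+return (NSSCKMDObject *) NULL;
+
+certDER.len = 0; /* in case there is no equivalent cert */
++ certDER.data = NULL;
+
+objid = -1;
+for (i = 0; i < pem_nobjs; i++) {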
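Review bot: The added `certDER.data = NULL;` is placed after the early `return (NSSCKMDObject *) NULL;` that opens this hunk, so it only protects paths that get past that return; any exit taken earlier in pem_CreateObject still sees an indeterminate certDER.data, and the other patch in this same commit turns exactly such an early return into a `goto loser`. Initializing the struct where it is declared (`certDER.data = NULL; certDER.len = 0;` immediately after the declarations, or zeroing the whole SECItem there) removes the dependence on control flow. The declaration and the cleanup label are both outside this hunk, so I cannot confirm here what `loser:` does with certDER.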
129
nsspem-init-inform-not-thread-safe.patch
Normal file
129
nsspem-init-inform-not-thread-safe.patch
Normal file
@ -0,0 +1,129 @@
|
|||||||
|
--- mozilla/security/nss/lib/ckfw/pem/pinst.c.736410 2010-11-25 11:51:52.000000000 -0800
|
||||||
|
+++ mozilla/security/nss/lib/ckfw/pem/pinst.c 2011-09-13 16:59:49.325215540 -0700
|
||||||
|
@@ -364,39 +364,37 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla
|
||||||
|
size += PEM_ITEM_CHUNK;
|
||||||
|
}
|
||||||
|
gobj[count] = io;
|
||||||
|
count++;
|
||||||
|
pem_nobjs++;
|
||||||
|
|
||||||
|
io->refCount ++;
|
||||||
|
return io;
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV
|
||||||
|
AddCertificate(char *certfile, char *keyfile, PRBool cacert,
|
||||||
|
CK_SLOT_ID slotID)
|
||||||
|
{
|
||||||
|
pemInternalObject *o;
|
||||||
|
- SECItem certDER;
|
||||||
|
CK_RV error = 0;
|
||||||
|
int objid, i;
|
||||||
|
int nobjs = 0;
|
||||||
|
SECItem **objs = NULL;
|
||||||
|
char *ivstring = NULL;
|
||||||
|
int cipher;
|
||||||
|
|
||||||
|
- certDER.data = NULL;
|
||||||
|
nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||||
|
if (nobjs <= 0) {
|
||||||
|
nss_ZFreeIf(objs);
|
||||||
|
return CKR_GENERAL_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* For now load as many certs as are in the file for CAs only */
|
||||||
|
if (cacert) {
|
||||||
|
for (i = 0; i < nobjs; i++) {
|
||||||
|
char nickname[1024];
|
||||||
|
objid = pem_nobjs + 1;
|
||||||
|
|
||||||
|
snprintf(nickname, 1024, "%s - %d", certfile, i);
|
||||||
|
|
||||||
|
o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[i], NULL,
|
||||||
|
@@ -456,72 +454,76 @@ AddCertificate(char *certfile, char *key
|
||||||
|
loser:
|
||||||
|
nss_ZFreeIf(objs);
|
||||||
|
nss_ZFreeIf(o);
|
||||||
|
return error;
|
||||||
|
}
|
||||||
|
|
||||||
|
CK_RV
|
||||||
|
pem_Initialize
|
||||||
|
(
|
||||||
|
NSSCKMDInstance * mdInstance,
|
||||||
|
NSSCKFWInstance * fwInstance,
|
||||||
|
NSSUTF8 * configurationData
|
||||||
|
)
|
||||||
|
{
|
||||||
|
CK_RV rv;
|
||||||
|
- /* parse the initialization string and initialize CRLInstances */
|
||||||
|
+ /* parse the initialization string */
|
||||||
|
char **certstrings = NULL;
|
||||||
|
+ char *modparms = NULL;
|
||||||
|
PRInt32 numcerts = 0;
|
||||||
|
PRBool status, error = PR_FALSE;
|
||||||
|
int i;
|
||||||
|
+ CK_C_INITIALIZE_ARGS_PTR modArgs = NULL;
|
||||||
|
+
|
||||||
|
+ if (!fwInstance) return CKR_ARGUMENTS_BAD;
|
||||||
|
+
|
||||||
|
+ modArgs = NSSCKFWInstance_GetInitArgs(fwInstance);
|
||||||
|
+ if (modArgs &&
|
||||||
|
+ ((modArgs->flags & CKF_OS_LOCKING_OK) || (modArgs->CreateMutex != 0))) {
|
||||||
|
+ return CKR_CANT_LOCK;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (pemInitialized) {
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
RNG_RNGInit();
|
||||||
|
|
||||||
|
open_log();
|
||||||
|
|
||||||
|
plog("pem_Initialize\n");
|
||||||
|
|
||||||
|
- unsigned char *modparms = NULL;
|
||||||
|
- if (!fwInstance) {
|
||||||
|
- return CKR_ARGUMENTS_BAD;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- CK_C_INITIALIZE_ARGS_PTR modArgs =
|
||||||
|
- NSSCKFWInstance_GetInitArgs(fwInstance);
|
||||||
|
if (!modArgs || !modArgs->LibraryParameters) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
- modparms = (unsigned char *) modArgs->LibraryParameters;
|
||||||
|
+ modparms = (char *) modArgs->LibraryParameters;
|
||||||
|
plog("Initialized with %s\n", modparms);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The initialization string format is a space-delimited file of
|
||||||
|
* pairs of paths which are delimited by a semi-colon. The first
|
||||||
|
* entry of the pair is the path to the certificate file. The
|
||||||
|
* second is the path to the key file.
|
||||||
|
*
|
||||||
|
* CA certificates do not need the semi-colon.
|
||||||
|
*
|
||||||
|
* Example:
|
||||||
|
* /etc/certs/server.pem;/etc/certs/server.key /etc/certs/ca.pem
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
status =
|
||||||
|
- pem_ParseString((const char *) modparms, ' ', &numcerts,
|
||||||
|
+ pem_ParseString(modparms, ' ', &numcerts,
|
||||||
|
&certstrings);
|
||||||
|
if (status == PR_FALSE) {
|
||||||
|
return CKR_ARGUMENTS_BAD;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < numcerts && error != PR_TRUE; i++) {
|
||||||
|
char *cert = certstrings[i];
|
||||||
|
PRInt32 attrcount = 0;
|
||||||
|
char **certattrs = NULL;
|
||||||
|
status = pem_ParseString(cert, ';', &attrcount, &certattrs);
|
||||||
|
if (status == PR_FALSE) {
|
||||||
|
error = PR_TRUE;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|