From a9f44e8e59955f29e830a470e03c03f1282ecb43 Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Thu, 16 Jun 2022 14:22:48 -0700 Subject: [PATCH] bug#2097663 Fix crash when getting client cert and there is none in the database. --- nss-3.79-fix-client-cert-crash.patch | 23 +++++++++++++++++++++++ nss.spec | 8 ++++++-- 2 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 nss-3.79-fix-client-cert-crash.patch diff --git a/nss-3.79-fix-client-cert-crash.patch b/nss-3.79-fix-client-cert-crash.patch new file mode 100644 index 0000000..5f80fdc --- /dev/null +++ b/nss-3.79-fix-client-cert-crash.patch @@ -0,0 +1,23 @@ +diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c +--- a/lib/ssl/authcert.c ++++ b/lib/ssl/authcert.c +@@ -212,17 +212,17 @@ NSS_GetClientAuthData(void *arg, + pw_arg); + } else { + int nnames = 0; + char **names = ssl_DistNamesToStrings(caNames, &nnames); + rv = CERT_FilterCertListByCANames(certList, nnames, names, + certUsageSSLClient); + ssl_FreeDistNamesStrings(names, nnames); + } +- if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) { ++ if ((rv != SECSuccess) || (certList && CERT_LIST_EMPTY(certList))) { + CERT_DestroyCertList(certList); + certList = NULL; + } + } + if (certList == NULL) { + /* no user certs meeting the nickname/usage requirements found */ + return SECFailure; + } + diff --git a/nss.spec b/nss.spec index aea1df7..99632c1 100644 --- a/nss.spec +++ b/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 1 +%global baserelease 2 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. @@ -131,6 +131,9 @@ Patch12: nss-signtool-format.patch # fedora disabled dbm by default Patch40: nss-no-dbm-man-page.patch +# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 +Patch50: nss-3.79-fix-client-cert-crash.patch + Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1087,6 +1090,7 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Jun 16 2022 Bob Relyea - 3.79.0-2 * Tue May 31 2022 Bob Relyea - 3.79.0-1 - Update to NSS 3.79 - Update to NSPR 4.34 @@ -1178,7 +1182,7 @@ update-crypto-policies &> /dev/null || : - Consolidate NSPR package with this package * Mon Oct 26 2020 Bob Relyea - 3.58.0-4 -- fix pkix ocsp to tolerate OCSP checking on intermediates +- fix pkix ocsp to tolerate OCSP checking on intermediates when the root is signed by sha1 and sha1 is disabled by policy