From e7ac2539cf98aa268a41b18db9728a5ca9e3ef5f Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Thu, 9 Mar 2023 10:56:24 -0800 Subject: [PATCH] Resolves: rhbz#2176627 CVE-2023-0767 nss: Mozilla: Arbitrary memory write via PKCS 12 in NSS --- cve-2023-0767.patch | 92 +++++++++++++++++++++++++++++++++++++++++++++ nss.spec | 10 ++++- 2 files changed, 100 insertions(+), 2 deletions(-) create mode 100644 cve-2023-0767.patch diff --git a/cve-2023-0767.patch b/cve-2023-0767.patch new file mode 100644 index 0000000..fc5d4fa --- /dev/null +++ b/cve-2023-0767.patch @@ -0,0 +1,92 @@ +diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c +--- a/lib/pkcs12/p12d.c ++++ b/lib/pkcs12/p12d.c +@@ -335,35 +335,42 @@ + sec_PKCS12SafeContentsContext *safeContentsCtx = + (sec_PKCS12SafeContentsContext *)arg; + SEC_PKCS12DecoderContext *p12dcx; + SECStatus rv; + +- /* make sure that we are not skipping the current safeBag, +- * and that there are no errors. If so, just return rather +- * than continuing to process. +- */ +- if (!safeContentsCtx || !safeContentsCtx->p12dcx || +- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { + return; + } + p12dcx = safeContentsCtx->p12dcx; + ++ /* make sure that there are no errors and we are not skipping the current safeBag */ ++ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ goto loser; ++ } ++ + rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); + if (rv != SECSuccess) { + p12dcx->errorValue = PORT_GetError(); ++ p12dcx->error = PR_TRUE; ++ goto loser; ++ } ++ ++ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we ++ * may not get another opportunity to clean up the decoder context. ++ */ ++ if (safeContentsCtx->skipCurrentSafeBag) { + goto loser; + } + + return; + + loser: +- /* set the error, and finish the decoder context. because there ++ /* Finish the decoder context. Because there + * is not a way of returning an error message, it may be worth + * while to do a check higher up and finish any decoding contexts + * that are still open. + */ +- p12dcx->error = PR_TRUE; + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + return; + } + +diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h +--- a/lib/pkcs12/p12t.h ++++ b/lib/pkcs12/p12t.h +@@ -71,10 +71,11 @@ + SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; + sec_PKCS12CertBag *certBag; + sec_PKCS12CRLBag *crlBag; + sec_PKCS12SecretBag *secretBag; + sec_PKCS12SafeContents *safeContents; ++ SECItem *unknownBag; + } safeBagContent; + + sec_PKCS12Attribute **attribs; + + /* used locally */ +diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c +--- a/lib/pkcs12/p12tmpl.c ++++ b/lib/pkcs12/p12tmpl.c +@@ -28,16 +28,16 @@ + + safeBag = (sec_PKCS12SafeBag *)src_or_dest; + + oiddata = SECOID_FindOID(&safeBag->safeBagType); + if (oiddata == NULL) { +- return SEC_ASN1_GET(SEC_AnyTemplate); ++ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); + } + + switch (oiddata->offset) { + default: +- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); ++ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + diff --git a/nss.spec b/nss.spec index bf8c1f2..0efdf0a 100644 --- a/nss.spec +++ b/nss.spec @@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16)) Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 10%{?dist} +Release: 11%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version}%{nspr_release} @@ -167,6 +167,9 @@ Patch65: nss-3.79-enable-POST-rerun.patch Patch66: nss-3.79-increase-pbe-cache.patch Patch67: nss-3.79-pkcs12-fix-null-password.patch Patch68: nss-3.79-fips.patch +# cve 2023-0767, remove on rebase to nss 3.88.1 or later +# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640 +Patch70: cve-2023-0767.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -944,7 +947,10 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog -* Thu Aug 11 2022 Bob Relyea - 3.79.0-11 +* Wed Mar 8 2023 Bob Relyea - 3.79.0-11 +- Fix CVE-2023-0767 + +* Thu Aug 11 2022 Bob Relyea - 3.79.0-10 - Fix QA found failures: - remove extra '+' from sslpolicy.txt file causing test error values - only use GRND_RANDOM if the kernel is in FIPS mode.