Resolves: rhbz#2176627
CVE-2023-0767 nss: Mozilla: Arbitrary memory write via PKCS 12 in NSS
This commit is contained in:
parent
725b918153
commit
e7ac2539cf
92
cve-2023-0767.patch
Normal file
92
cve-2023-0767.patch
Normal file
@ -0,0 +1,92 @@
|
||||
diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
|
||||
--- a/lib/pkcs12/p12d.c
|
||||
+++ b/lib/pkcs12/p12d.c
|
||||
@@ -335,35 +335,42 @@
|
||||
sec_PKCS12SafeContentsContext *safeContentsCtx =
|
||||
(sec_PKCS12SafeContentsContext *)arg;
|
||||
SEC_PKCS12DecoderContext *p12dcx;
|
||||
SECStatus rv;
|
||||
|
||||
- /* make sure that we are not skipping the current safeBag,
|
||||
- * and that there are no errors. If so, just return rather
|
||||
- * than continuing to process.
|
||||
- */
|
||||
- if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
|
||||
- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
|
||||
+ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
|
||||
return;
|
||||
}
|
||||
p12dcx = safeContentsCtx->p12dcx;
|
||||
|
||||
+ /* make sure that there are no errors and we are not skipping the current safeBag */
|
||||
+ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+
|
||||
rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
|
||||
if (rv != SECSuccess) {
|
||||
p12dcx->errorValue = PORT_GetError();
|
||||
+ p12dcx->error = PR_TRUE;
|
||||
+ goto loser;
|
||||
+ }
|
||||
+
|
||||
+ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
|
||||
+ * may not get another opportunity to clean up the decoder context.
|
||||
+ */
|
||||
+ if (safeContentsCtx->skipCurrentSafeBag) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
return;
|
||||
|
||||
loser:
|
||||
- /* set the error, and finish the decoder context. because there
|
||||
+ /* Finish the decoder context. Because there
|
||||
* is not a way of returning an error message, it may be worth
|
||||
* while to do a check higher up and finish any decoding contexts
|
||||
* that are still open.
|
||||
*/
|
||||
- p12dcx->error = PR_TRUE;
|
||||
SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
|
||||
safeContentsCtx->currentSafeBagA1Dcx = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h
|
||||
--- a/lib/pkcs12/p12t.h
|
||||
+++ b/lib/pkcs12/p12t.h
|
||||
@@ -71,10 +71,11 @@
|
||||
SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
|
||||
sec_PKCS12CertBag *certBag;
|
||||
sec_PKCS12CRLBag *crlBag;
|
||||
sec_PKCS12SecretBag *secretBag;
|
||||
sec_PKCS12SafeContents *safeContents;
|
||||
+ SECItem *unknownBag;
|
||||
} safeBagContent;
|
||||
|
||||
sec_PKCS12Attribute **attribs;
|
||||
|
||||
/* used locally */
|
||||
diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c
|
||||
--- a/lib/pkcs12/p12tmpl.c
|
||||
+++ b/lib/pkcs12/p12tmpl.c
|
||||
@@ -28,16 +28,16 @@
|
||||
|
||||
safeBag = (sec_PKCS12SafeBag *)src_or_dest;
|
||||
|
||||
oiddata = SECOID_FindOID(&safeBag->safeBagType);
|
||||
if (oiddata == NULL) {
|
||||
- return SEC_ASN1_GET(SEC_AnyTemplate);
|
||||
+ return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
|
||||
}
|
||||
|
||||
switch (oiddata->offset) {
|
||||
default:
|
||||
- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
|
||||
+ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
|
||||
break;
|
||||
case SEC_OID_PKCS12_V1_KEY_BAG_ID:
|
||||
theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
|
||||
break;
|
||||
case SEC_OID_PKCS12_V1_CERT_BAG_ID:
|
||||
|
10
nss.spec
10
nss.spec
@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: %{nss_version}
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||
@ -167,6 +167,9 @@ Patch65: nss-3.79-enable-POST-rerun.patch
|
||||
Patch66: nss-3.79-increase-pbe-cache.patch
|
||||
Patch67: nss-3.79-pkcs12-fix-null-password.patch
|
||||
Patch68: nss-3.79-fips.patch
|
||||
# cve 2023-0767, remove on rebase to nss 3.88.1 or later
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640
|
||||
Patch70: cve-2023-0767.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
@ -944,7 +947,10 @@ update-crypto-policies --no-reload &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
|
||||
* Wed Mar 8 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
|
||||
- Fix CVE-2023-0767
|
||||
|
||||
* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-10
|
||||
- Fix QA found failures:
|
||||
- remove extra '+' from sslpolicy.txt file causing test error values
|
||||
- only use GRND_RANDOM if the kernel is in FIPS mode.
|
||||
|
Loading…
Reference in New Issue
Block a user