Commit 2d601a75 authored by Raine Makelainen's avatar Raine Makelainen

Update to 3.34. Fixes JB#36180

Fixes CVE-2017-7805, CVE-2017-5461, CVE-2016-1938, and CVE-2015-7575
parent ab6de8f6
Index: nss-3.20.1/nss/lib/ckfw/pem/ckpemver.c
Index: nss-3.34/nss/lib/ckfw/pem/ckpemver.c
===================================================================
--- nss-3.20.1.orig/nss/lib/ckfw/pem/ckpemver.c
+++ nss-3.20.1/nss/lib/ckfw/pem/ckpemver.c
--- nss-3.34.orig/nss/lib/ckfw/pem/ckpemver.c
+++ nss-3.34/nss/lib/ckfw/pem/ckpemver.c
@@ -53,7 +53,7 @@
*/
const char __nss_ckpem_rcsid[] = "$Header: NSS Access to Flat Files in PEM format"
......
--- nss/lib/ckfw/pem/pobject.c.orig 2014-01-23 16:28:18.000000000 +0200
+++ nss/lib/ckfw/pem/pobject.c 2017-11-23 10:27:54.223998464 +0200
@@ -630,6 +630,11 @@ pem_DestroyInternalObject
if (io->u.key.ivstring)
free(io->u.key.ivstring);
break;
+ case pemAll:
+ /* pemAll is not used, keep the compiler happy
+ * TODO: investigate a proper solution
+ */
+ return;
}
if (NULL != gobj)
@@ -1044,7 +1049,9 @@ pem_CreateObject
int nobjs = 0;
int i;
int objid;
+#if 0
pemToken *token;
+#endif
int cipher;
char *ivstring = NULL;
pemInternalObject *listObj = NULL;
@@ -1073,7 +1080,9 @@ pem_CreateObject
}
slotID = nssCKFWSlot_GetSlotID(fwSlot);
+#if 0
token = (pemToken *) mdToken->etc;
+#endif
/*
* only create keys and certs.
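Review bot: The new `case pemAll:` arm in pem_DestroyInternalObject exits with `return;`, so an object of that type would skip everything after the switch, starting with the `if (NULL != gobj)` cleanup visible right below it. The comment says pemAll is never used, but if one does arrive, the destroy path is bypassed silently and whatever the tail of the function releases stays allocated. Assuming the teardown after the switch is safe for an object with no type-specific members, `case pemAll: /* not expected here */ break;` silences the same warning without short-circuiting it. In pem_CreateObject the unused `token` declaration and its assignment are fenced with `#if 0` instead of being deleted; dropping both lines avoids leaving dead code in the PEM module. Both functions continue outside the hunks shown.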
diff -up ./nss/lib/sysinit/nsssysinit.c.603313 ./nss/lib/sysinit/nsssysinit.c
--- ./nss/lib/sysinit/nsssysinit.c.603313 2010-10-15 13:57:42.719738316 -0700
+++ ./nss/lib/sysinit/nsssysinit.c 2010-10-15 14:07:51.704637349 -0700
@@ -263,16 +263,26 @@ get_list(char *filename, char *stripped_
--- ./nss/lib/sysinit/nsssysinit.c.603313 2017-11-14 10:01:25.000000000 +0200
+++ ./nss/lib/sysinit/nsssysinit.c 2017-11-22 16:28:56.324234787 +0200
@@ -231,6 +231,17 @@ get_list(char *filename, char *stripped_
sysdb = getSystemDB();
userdb = getUserDB();
- /* Don't open root's user DB */
+ /* return a list of databases to open. First the system database */
+ if (sysdb) {
+ const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
+ module_list[next++] = PR_smprintf(
+ "library= "
+ "module=\"NSS system database\" "
+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+ "NSS=\"trustOrder=80 %sflags=internal,critical\"",
+ module_list[next++] = PR_smprintf(
+ "library= "
+ "module=\"NSS system database\" "
+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
+ "NSS=\"trustOrder=80 %sflags=internal,critical\"",
+ sysdb, readonly, nssflags);
+ }
+
+ /* Next the user database, but not for root. */
/* Don't open root's user DB */
if (userdb != NULL && !userIsRoot()) {
- /* return a list of databases to open. First the user Database */
module_list[next++] = PR_smprintf(
"library= "
"module=\"NSS User database\" "
"parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" "
- "NSS=\"trustOrder=75 %sflags=internal%s\"",
- userdb, stripped_parameters, nssflags,
- isFIPS ? ",FIPS" : "");
+ "NSS=\"trustOrder=75 %sflags=internal%s\"",
+ userdb, stripped_parameters, nssflags,
+ isFIPS ? ",FIPS" : "");
/* return a list of databases to open. First the user Database */
@@ -252,17 +263,6 @@ get_list(char *filename, char *stripped_
userdb, stripped_parameters);
}
/* now open the user's defined PKCS #11 modules */
/* skip the local user DB entry */
@@ -283,17 +293,7 @@ get_list(char *filename, char *stripped_
"module=\"NSS User database\" "
"parameters=\"configdir='sql:%s' %s\" "
"NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"",
- userdb, stripped_parameters);
- }
-
- /* now the system database (always read only unless it's root) */
- if (sysdb) {
- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
- module_list[next++] = PR_smprintf(
- "library= "
- "module=\"NSS system database\" "
- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
- "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags);
+ userdb, stripped_parameters);
}
- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly";
- module_list[next++] = PR_smprintf(
- "library= "
- "module=\"NSS system database\" "
- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" "
- "NSS=\"trustOrder=80 %sflags=internal,critical\"",
- sysdb, readonly, nssflags);
- }
-
/* that was the last module */
module_list[next] = 0;
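Review bot: The system-database entry that this patch places first in get_list() stores the result of `PR_smprintf(...)` straight into `module_list[next++]` with no NULL check, while the list is terminated by `module_list[next] = 0;`. PR_smprintf returns NULL when allocation fails, so a failed first entry would presumably look like an empty list to any consumer that walks to the first NULL, dropping the database marked `flags=internal,critical` and everything after it. Advancing `next` only on success, `char *spec = PR_smprintf(...); if (spec) module_list[next++] = spec;`, keeps the list contiguous, and the same applies to the user-database entries. The values formatted into `configdir='sql:%s'` are interpolated unescaped, so it is worth confirming that the paths returned by getSystemDB() and getUserDB(), and `stripped_parameters`, cannot contain a quote character. get_list() starts and ends outside the hunks shown.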
* Wed Nov 22 2017 Raine Mäkeläinen <raine.makelainen@jollamobile.com> - 3.34.0
- Update to 3.34.0
- Fixes CVE-2017-7805, CVE-2017-5461, CVE-2016-1938, and CVE-2015-7575. Fixes JB#36180
* Wed Nov 04 2015 Pasi Sjöholm <pasi.sjoholm@jollamobile.com> - 3.20.1
- Update to 3.20.1
- Fixes CVE-2015-7181 and CVE-2015-7182. Contributes to MER#1407
......
%define nspr_version 4.10.8
%define nspr_version 4.17
%define unsupported_tools_directory %{_libdir}/nss/unsupported-tools
Summary: Network Security Services
Name: nss
Version: 3.20.1
Version: 3.34
Release: 1
License: MPLv2
URL: http://www.mozilla.org/projects/security/pki/nss/
......@@ -37,6 +37,7 @@ Patch2: nss-nolocalsql.patch
Patch6: nss-enable-pem.patch
Patch8: nss-sysinit-userdb-first.patch
Patch9: nss-3.13.3-notimestamps.patch
Patch10: nss-pem-pobject-fix.patch
%description
Network Security Services (NSS) is a set of libraries designed to
......@@ -129,8 +130,9 @@ low level services.
%patch1 -p0
%patch2 -p0
%patch6 -p0 -b .libpem
%patch8 -p0 -b .rh603313
%patch8 -p0
%patch9 -p1 -b .timestamping
%patch10 -p0
%build
......