Resolves: #1444860 - nss: do not leak PKCS #11 slot while loading a key

2017-04-25 18:31:45 +02:00 · 2017-04-25 18:31:45 +02:00 · 1e77c47734
commit 1e77c47734
parent 0f99fceebe
2 changed files with 50 additions and 1 deletions
--- a/0001-curl-7.54.0-nss-pem-slot-leak.patch
+++ b/0001-curl-7.54.0-nss-pem-slot-leak.patch
@ -0,0 +1,42 @@
+From ba1da47aa5080a73742ca9bc7c22ce2a703a3925 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 24 Apr 2017 15:01:04 +0200
+Subject: [PATCH] nss: do not leak PKCS #11 slot while loading a key
+
+It could prevent nss-pem from being unloaded later on.
+
+Bug: https://bugzilla.redhat.com/1444860
+
+Upstream-commit: c8ea86f377a2f341db635ec96f99314023b5a8f3
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 89a16d3..099f364 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -581,7 +581,7 @@ fail:
+ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
+                              char *key_file)
+ {
+-  PK11SlotInfo *slot;
+  PK11SlotInfo *slot, *tmp;
+   SECStatus status;
+   CURLcode result;
+   struct ssl_connect_data *ssl = conn->ssl;
+@@ -600,7 +600,9 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
+     return CURLE_SSL_CERTPROBLEM;
+ 
+   /* This will force the token to be seen as re-inserted */
+-  SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
+  tmp = SECMOD_WaitForAnyTokenEvent(mod, 0, 0);
+  if(tmp)
+    PK11_FreeSlot(tmp);
+   PK11_IsPresent(slot);
+ 
+   status = PK11_Authenticate(slot, PR_TRUE, SSL_SET_OPTION(key_passwd));
+-- 
+2.9.3
+
--- a/curl.spec
+++ b/curl.spec
@ -1,11 +1,14 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.54.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: https://curl.haxx.se/download/%{name}-%{version}.tar.lzma

+# nss: do not leak PKCS #11 slot while loading a key (#1444860)
+Patch1:   0001-curl-7.54.0-nss-pem-slot-leak.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -138,6 +141,7 @@ be installed.
 %setup -q

 # upstream patches
+%patch1 -p1

 # Fedora patches
 %patch101 -p1
@ -297,6 +301,9 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 %{_libdir}/libcurl.so.[0-9].[0-9].[0-9].minimal

 %changelog
+* Tue Apr 25 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-2
+- nss: do not leak PKCS #11 slot while loading a key (#1444860)
+
 * Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1
 - new upstream release (fixes CVE-2017-7468)