From 3586aff4e7cd1a29e45d4904e86a36a028080d97 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Wed, 14 Sep 2011 12:28:24 -0700 Subject: [PATCH] - Fix attempt to free initialized pointer (#717338) - Fix leak on pem_CreateObject when given non-existing file name (#734760) - Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410) --- 0001-libnsspem-rhbz-734760.patch | 21 +++ nss.spec | 16 ++- nsspem-createobject-initialize-pointer.patch | 11 ++ nsspem-init-inform-not-thread-safe.patch | 129 +++++++++++++++++++ 4 files changed, 174 insertions(+), 3 deletions(-) create mode 100644 0001-libnsspem-rhbz-734760.patch create mode 100644 nsspem-createobject-initialize-pointer.patch create mode 100644 nsspem-init-inform-not-thread-safe.patch diff --git a/0001-libnsspem-rhbz-734760.patch b/0001-libnsspem-rhbz-734760.patch new file mode 100644 index 0000000..45b4024 --- /dev/null +++ b/0001-libnsspem-rhbz-734760.patch @@ -0,0 +1,21 @@ +diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 ./mozilla/security/nss/lib/ckfw/pem/pobject.c +--- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 2011-09-10 10:21:38.819248564 -0700 ++++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:28:47.970083785 -0700 +@@ -1117,7 +1117,7 @@ pem_CreateObject + + nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); + if (nobjs < 1) +- return (NSSCKMDObject *) NULL; ++ goto loser; + + objid = -1; + /* Brute force: find the id of the key, if any, in this slot */ +@@ -1176,7 +1176,7 @@ pem_CreateObject + + nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */); + if (nobjs < 1) +- return (NSSCKMDObject *) NULL; ++ goto loser; + + certDER.len = 0; /* in case there is no equivalent cert */ + certDER.data = NULL; diff --git a/nss.spec b/nss.spec index 97bc013..5fbb281 100644 --- a/nss.spec +++ b/nss.spec 
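Review bot: Both `goto loser;` replacements in pem_CreateObject route the ReadDERFromFile failure through a cleanup label that lies outside these hunks, so everything that label releases must be in a defined state before the first jump near line 1117. The companion patch nsspem-createobject-initialize-pointer.patch sets `certDER.data = NULL;` only in the keys-only branch near line 1179. If `loser` frees certDER.data, as the #717338 description suggests, the certs-only jump could still reach it uninitialised unless it is set earlier in code not shown here. Initialising at the declaration, for example `SECItem certDER = { siBuffer, NULL, 0 };`, would cover every path to the label. It is also worth confirming that the failure path reports an error code to the caller rather than returning a bare NULL.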
@@ -6,7 +6,7 @@ Summary: Network Security Services Name: nss Version: 3.12.11 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -55,9 +55,12 @@ Patch6: nss-enable-pem.patch Patch7: nsspem-642433.patch Patch8: 0001-Bug-695011-PEM-logging.patch Patch16: nss-539183.patch -#Patch17: nss-703658.patch Patch18: nss-646045.patch Patch19: builtins-nssckbi_1_87_rtm.patch +Patch20: nsspem-createobject-initialize-pointer.patch +Patch21: 0001-libnsspem-rhbz-734760.patch +Patch22: nsspem-init-inform-not-thread-safe.patch + %description Network Security Services (NSS) is a set of libraries designed to @@ -133,9 +136,11 @@ low level services. %patch7 -p0 -b .642433 %patch8 -p1 -b .695011 %patch16 -p0 -b .539183 -#%patch17 -p0 -b .703658 %patch18 -p0 -b .646045 %patch19 -p0 -b .ckbi187 +%patch20 -p1 -b .717338 +%patch21 -p1 -b .734760 +%patch22 -p0 -b .736410 %build @@ -546,6 +551,11 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Wed Sep 14 2011 Elio Maldonado - 3.12.11-3 +- Fix attempt to free initilized pointer (#717338) +- Fix leak on pem_CreateObject when given non-existing file name (#734760) +- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410) + * Tue Sep 06 2011 Kai Engert - 3.12.11-2 - Update builtins certs to those from NSSCKBI_1_87_RTM diff --git a/nsspem-createobject-initialize-pointer.patch b/nsspem-createobject-initialize-pointer.patch new file mode 100644 index 0000000..cdfdea3 --- /dev/null +++ b/nsspem-createobject-initialize-pointer.patch 
@@ -0,0 +1,11 @@ +diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 ./mozilla/security/nss/lib/ckfw/pem/pobject.c +--- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 2010-11-25 10:49:27.000000000 -0800 ++++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:16:58.752726964 -0700 +@@ -1179,6 +1179,7 @@ pem_CreateObject + return (NSSCKMDObject *) NULL; + + certDER.len = 0; /* in case there is no equivalent cert */ ++ certDER.data = NULL; + + objid = -1; + for (i = 0; i < pem_nobjs; i++) { diff --git a/nsspem-init-inform-not-thread-safe.patch b/nsspem-init-inform-not-thread-safe.patch new file mode 100644 index 0000000..2df4fbe --- /dev/null +++ b/nsspem-init-inform-not-thread-safe.patch 
@@ -0,0 +1,129 @@ +--- mozilla/security/nss/lib/ckfw/pem/pinst.c.736410 2010-11-25 11:51:52.000000000 -0800 ++++ mozilla/security/nss/lib/ckfw/pem/pinst.c 2011-09-13 16:59:49.325215540 -0700 +@@ -364,39 +364,37 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla + size += PEM_ITEM_CHUNK; + } + gobj[count] = io; + count++; + pem_nobjs++; + + io->refCount ++; + return io; + } + + CK_RV + AddCertificate(char *certfile, char *keyfile, PRBool cacert, + CK_SLOT_ID slotID) + { + pemInternalObject *o; +- SECItem certDER; + CK_RV error = 0; + int objid, i; + int nobjs = 0; + SECItem **objs = NULL; + char *ivstring = NULL; + int cipher; + +- certDER.data = NULL; + nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); + if (nobjs <= 0) { + nss_ZFreeIf(objs); + return CKR_GENERAL_ERROR; + } + + /* For now load as many certs as are in the file for CAs only */ + if (cacert) { + for (i = 0; i < nobjs; i++) { + char nickname[1024]; + objid = pem_nobjs + 1; + + snprintf(nickname, 1024, "%s - %d", certfile, i); + + o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[i], NULL, +@@ -456,72 +454,76 @@ AddCertificate(char *certfile, char *key + loser: + nss_ZFreeIf(objs); + nss_ZFreeIf(o); + return error; + } + + CK_RV + pem_Initialize + ( + NSSCKMDInstance * mdInstance, + NSSCKFWInstance * fwInstance, + NSSUTF8 * configurationData + ) + { + CK_RV rv; +- /* parse the initialization string and initialize CRLInstances */ ++ /* parse the initialization string */ + char **certstrings = NULL; ++ char *modparms = NULL; + PRInt32 numcerts = 0; + PRBool status, error = PR_FALSE; + int i; ++ CK_C_INITIALIZE_ARGS_PTR modArgs = NULL; ++ ++ if (!fwInstance) return CKR_ARGUMENTS_BAD; ++ ++ modArgs = NSSCKFWInstance_GetInitArgs(fwInstance); ++ if (modArgs && ++ ((modArgs->flags & CKF_OS_LOCKING_OK) || (modArgs->CreateMutex != 0))) { ++ return CKR_CANT_LOCK; ++ } + + if (pemInitialized) { + return CKR_OK; + } ++ + RNG_RNGInit(); + + open_log(); + + 
plog("pem_Initialize\n"); + +- unsigned char *modparms = NULL; +- if (!fwInstance) { +- return CKR_ARGUMENTS_BAD; +- } +- +- CK_C_INITIALIZE_ARGS_PTR modArgs = +- NSSCKFWInstance_GetInitArgs(fwInstance); + if (!modArgs || !modArgs->LibraryParameters) { + goto done; + } +- modparms = (unsigned char *) modArgs->LibraryParameters; ++ modparms = (char *) modArgs->LibraryParameters; + plog("Initialized with %s\n", modparms); + + /* + * The initialization string format is a space-delimited file of + * pairs of paths which are delimited by a semi-colon. The first + * entry of the pair is the path to the certificate file. The + * second is the path to the key file. + * + * CA certificates do not need the semi-colon. + * + * Example: + * /etc/certs/server.pem;/etc/certs/server.key /etc/certs/ca.pem + * + */ + status = +- pem_ParseString((const char *) modparms, ' ', &numcerts, ++ pem_ParseString(modparms, ' ', &numcerts, + &certstrings); + if (status == PR_FALSE) { + return CKR_ARGUMENTS_BAD; + } + + for (i = 0; i < numcerts && error != PR_TRUE; i++) { + char *cert = certstrings[i]; + PRInt32 attrcount = 0; + char **certattrs = NULL; + status = pem_ParseString(cert, ';', &attrcount, &certattrs); + if (status == PR_FALSE) { + error = PR_TRUE; + break; + } +
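Review bot: The new lock check in pem_Initialize tests only `modArgs->CreateMutex`, so a caller that supplies DestroyMutex, LockMutex or UnlockMutex with a null CreateMutex is treated as single-threaded and initialisation proceeds. PKCS #11 treats the four mutex callbacks as a set, so testing them together keeps the CKR_CANT_LOCK answer consistent: `(modArgs->CreateMutex || modArgs->DestroyMutex || modArgs->LockMutex || modArgs->UnlockMutex)`. A short comment above the check, such as `/* this module is not thread-safe: refuse any caller that requests locking */`, would record why it runs before the `pemInitialized` test and so also rejects a repeat call. The body of pem_Initialize continues past the end of the hunk.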