Merge branch 'f24' into f23

2016-03-10 09:12:25 -08:00 · 2016-03-10 09:12:25 -08:00 · 45e747b60f
parent 110714f30e c30e6463f2
commit 45e747b60f
4 changed files with 14 additions and 164 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,7 +7,7 @@ PayPalEE.cert
 TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
-/nss-pem-20140125.tar.bz2
+/nss-pem-20160308.tar.bz2
 /PayPalRootCA.cert
 /PayPalICA.cert
 /nss-3.23.0.tar.gz
--- a/nss.spec
+++ b/nss.spec
@ -21,7 +21,7 @@ Name:             nss
 Version:          3.23.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          1.0%{?dist}
+Release:          1.1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -58,7 +58,7 @@ Source6:          blank-cert9.db
 Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
 Source9:          setup-nsssysinit.sh
-Source12:         %{name}-pem-20140125.tar.bz2
+Source12:         %{name}-pem-20160308.tar.bz2
 Source20:         nss-config.xml
 Source21:         setup-nsssysinit.xml
 Source22:         pkcs11.txt.xml
@ -98,13 +98,6 @@ Patch55:          skip_stress_TLS_RC4_128_with_MD5.patch
 # Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch

-# As of nss-3.21 we compile NSS with -Werror.
-# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
-# This requires a cleanup of the PEM module as we have it here.
-# TODO: submit a patch to the interim nss-pem upstream project
-# The submission will be very different from this patch as
-# cleanup there is already in progress there.
-Patch59: pem-compile-with-Werror.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -194,7 +187,6 @@ popd
 %patch54 -p0 -b .ssl2_off
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
 %patch58 -p0 -b .1185708_3des
-%patch59 -p0 -b .compile_Werror

 #########################################################
 # Higher-level libraries and test tools need access to
@ -823,6 +815,10 @@ fi


 %changelog
+* Thu Mar 10 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.1
+- Update pem sources to latest from nss-pem upstream
+- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
+
 * Sun Mar 06 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.0
 - Rebase to NSS 3.23.0

@ -914,7 +910,7 @@ fi
 - Backing out from disabling ssl2 until the patches are fixed

 * Mon Feb 09 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-2
- Disable SSL2 support at build time 
+- Disable SSL2 support at build time
 - Fix syntax errors in various shell scripts
 - Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites

@ -1164,7 +1160,7 @@ fi
 - Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
 - Bug 872124 - nss-3.14 breaks fedpkg new-sources
 - Fix should be considered preliminary since the patch may change upon upstream approval
- 
+
 * Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
 - Add a dummy source file for testing /preventing fedpkg breakage
 - Helps test the fedpkg new-sources and upload commands for breakage by nss updates
@ -1207,7 +1203,7 @@ fi
 * Mon Aug 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
 - Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
 - Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer 
+- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
 - Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix

 * Mon Aug 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-7
@ -1448,7 +1444,7 @@ fi
 * Thu Sep 23 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
 - Update to 3.12.8
 - Prevent disabling of nss-sysinit on package upgrade (#636787)
- Create pkcs11.txt with correct permissions regardless of umask (#636792) 
+- Create pkcs11.txt with correct permissions regardless of umask (#636792)
 - Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
 - Added provides pkcs11-devel-static to comply with packaging guidelines (#609612)

@ -1708,7 +1704,7 @@ fi
 - fix to not clone internal objects in collect_objects().  (501118)
 - fix to not bypass initialization if module arguments are omitted. (501058)
 - fix numerous gcc warnings. (500815)
- fix to support arbitrarily long password while loading a private key. (500180) 
+- fix to support arbitrarily long password while loading a private key. (500180)
 - fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191)
 * Mon Jun 08 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-4
 - add patch for bug 502133 upstream bug 496997
@ -1836,7 +1832,7 @@ fi

 * Fri Mar 02 2007 Kai Engert <kengert@redhat.com> - 3.11.5-2
 - Fix rhbz#230545, failure to enable FIPS mode
- Fix rhbz#220542, make NSS more tolerant of resets when in the 
+- Fix rhbz#220542, make NSS more tolerant of resets when in the
  middle of prompting for a user password.

 * Sat Feb 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
--- a/pem-compile-with-Werror.patch
+++ b/pem-compile-with-Werror.patch
@ -1,146 +0,0 @@
-diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/ckpem.h	2015-11-13 12:07:29.219887390 -0800
-@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
- };
- typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
- 
-+/* NOTE: Discrepancy with the the way callers use of the return value as a count
-+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
-+ */
- SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
- const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
- void pem_PopulateModulusExponent(pemInternalObject *io);
-diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/pinst.c	2015-11-13 12:07:29.219887390 -0800
-@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
-     char *ivstring = NULL;
-     int cipher;
- 
-    nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+    /* TODO: Fix discrepancy between our usage of the return value as
-+     * as an int (a count) and the declaration as a SECStatus. */
-+    nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-     if (nobjs <= 0) {
-         nss_ZFreeIf(objs);
-         return CKR_GENERAL_ERROR;
-@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
-         if (keyfile) {          /* add the private key */
-             SECItem **keyobjs = NULL;
-             int kobjs = 0;
-+            /* TODO: Fix discrepancy between our usage of the return value as
-+             * as an int and the declaration as a SECStatus. */
-             kobjs =
-                ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-+                (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
-                                 &ivstring, PR_FALSE);
-             if (kobjs < 1) {
-                 error = CKR_GENERAL_ERROR;
-diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/pobject.c	2015-11-13 12:07:29.220887368 -0800
-@@ -630,6 +630,11 @@ pem_DestroyInternalObject
-         if (io->u.key.ivstring)
-             free(io->u.key.ivstring);
-         break;
-+    case pemAll:
-+        /* pemAll is not used, keep the compiler happy
-+         * TODO: investigate a proper solution
-+         */
-+        return;
-     }
- 
-     if (NULL != gobj)
-@@ -1044,7 +1049,9 @@ pem_CreateObject
-     int nobjs = 0;
-     int i;
-     int objid;
-+#if 0
-     pemToken *token;
-+#endif
-     int cipher;
-     char *ivstring = NULL;
-     pemInternalObject *listObj = NULL;
-@@ -1073,7 +1080,9 @@ pem_CreateObject
-     }
-     slotID = nssCKFWSlot_GetSlotID(fwSlot);
- 
-+#if 0
-     token = (pemToken *) mdToken->etc;
-+#endif
- 
-     /*
-      * only create keys and certs.
-@@ -1114,7 +1123,11 @@ pem_CreateObject
-     }
- 
-     if (objClass == CKO_CERTIFICATE) {
-        nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-+        /* TODO: Fix discrepancy between our usage of the return value as
-+         * as an int and the declaration as a SECStatus. Typecasting as a
-+         * temporary workaround.
-+         */
-+        nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
-         if (nobjs < 1)
-             goto loser;
- 
-diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/rsawrapr.c	2015-11-13 12:07:29.220887368 -0800
-@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
-     return 0;
- }
- 
-+/* unused functions */
-+#if 0
- static SHA1Context *SHA1_CloneContext(SHA1Context * original)
- {
-     SHA1Context *clone = NULL;
-@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
- 
-     return SECSuccess;
- }
-+#endif /* unused functions */
- 
- /*
-  * Format one block of data for public/private key encryption using
-diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
--- ./nss/lib/ckfw/pem/util.c.compile_Werror	2014-01-23 06:28:18.000000000 -0800
-+++ ./nss/lib/ckfw/pem/util.c	2015-11-13 12:22:52.282196306 -0800
-@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
-     return SECFailure;
- }
- 
-int
-+/* FIX: Returns a SECStatus yet callers take result as a count */
-+SECStatus
- ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
- 		int *cipher, char **ivstring, PRBool certsonly)
- {
-@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 		    goto loser;
- 		}
-                 if ((certsonly && !key) || (!certsonly && key)) {
-+		    error = CKR_OK;
- 		    PUT_Object(der, error);
-+		    if (error != CKR_OK) {
-+			free(der);
-+			goto loser;
-+		    }
-                 } else {
-                     free(der->data);
-                     free(der);
-@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
- 	    }
- 
- 	    /* NOTE: This code path has never been tested. */
-+	    error = CKR_OK;
- 	    PUT_Object(der, error);
-+	    if (error != CKR_OK) {
-+		free(der);
-+		goto loser;
-+	    }
- 	}
- 
- 	nss_ZFreeIf(filedata.data);
--- a/2
+++ b/2
@ -3,5 +3,5 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23  blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2  blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a  blank-key4.db
-b8a94e863c852e1f8b75e930e76f8640  nss-pem-20140125.tar.bz2
+4d8e770b105483e365f3327d883dd229  nss-pem-20160308.tar.bz2
 574488f97390085832299cc3b90814a8  nss-3.23.0.tar.gz