fix for CVE-2013-0743

.abf.yml

@@ -1,2 +1,2 @@
 sources:
-  "nss-3.13.3.tar.gz": 6b8b92d3de893ae67dc04ce9a14ab5c9495dd4a6
+  "nss-3.14.tar.gz": 181b7e1e2082b581f716b449c48512983d57e9fc

nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch

@@ -1,186 +0,0 @@
-diff -Naur nss-3.12.3/mozilla/security/nss/cmd/certcgi/certcgi.c nss-3.12.3.tpg/mozilla/security/nss/cmd/certcgi/certcgi.c
---- nss-3.12.3/mozilla/security/nss/cmd/certcgi/certcgi.c	2008-02-16 01:17:40.000000000 +0000
-+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/certcgi/certcgi.c	2009-05-30 17:24:44.000000000 +0000
-@@ -97,7 +97,7 @@
- error_out(char  *error_string)
- {
-     printf("Content-type: text/plain\n\n");
--    printf(error_string);
-+    printf("%s", error_string);
-     fflush(stderr);
-     fflush(stdout);
-     exit(1);
-diff -Naur nss-3.12.3/mozilla/security/nss/cmd/certutil/keystuff.c nss-3.12.3.tpg/mozilla/security/nss/cmd/certutil/keystuff.c
---- nss-3.12.3/mozilla/security/nss/cmd/certutil/keystuff.c	2009-02-19 04:24:41.000000000 +0000
-+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/certutil/keystuff.c	2009-05-30 17:24:44.000000000 +0000
-@@ -95,7 +95,7 @@
-     char meter[] = { 
-       "\r|                                                            |" };
- 
--#define FPS fprintf(stderr, 
-+#define FPS fprintf(stderr, "%s", 
-     FPS "\n");
-     FPS "A random seed must be generated that will be used in the\n");
-     FPS "creation of your key.  One of the easiest ways to create a\n");
-diff -Naur nss-3.12.3/mozilla/security/nss/cmd/digest/digest.c nss-3.12.3.tpg/mozilla/security/nss/cmd/digest/digest.c
---- nss-3.12.3/mozilla/security/nss/cmd/digest/digest.c	2004-10-07 04:13:50.000000000 +0000
-+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/digest/digest.c	2009-05-30 17:24:44.000000000 +0000
-@@ -105,7 +105,7 @@
- 	    "-t type");
-     fprintf(stderr, "%-20s ", "");
-     for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
--	fprintf(stderr, HashTypeToOID(htype)->desc);
-+	fprintf(stderr, "%s", HashTypeToOID(htype)->desc);
- 	if (htype == (HASH_AlgTOTAL - 2))
- 	    fprintf(stderr, " or ");
- 	else if (htype != (HASH_AlgTOTAL - 1))
-diff -Naur nss-3.12.3/mozilla/security/nss/cmd/signver/pk7print.c nss-3.12.3.tpg/mozilla/security/nss/cmd/signver/pk7print.c
---- nss-3.12.3/mozilla/security/nss/cmd/signver/pk7print.c	2008-10-06 23:37:54.000000000 +0000
-+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/signver/pk7print.c	2009-05-30 17:24:44.000000000 +0000
-@@ -79,7 +79,7 @@
- {
-     unsigned i;
- 
--    if (m) fprintf(out, m);
-+    if (m) fprintf(out, "%s", m);
-     
-     for (i = 0; i < data->len; i++) {
-         if (i < data->len - 1) {
-@@ -136,10 +136,10 @@
- {
-     int rv;
- 
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     rv = sv_PrintTime(out, &v->notBefore, "notBefore=");
-     if (rv) return rv;
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintTime(out, &v->notAfter, "notAfter=");
-     return rv;
- }
-@@ -181,7 +181,7 @@
-     int i;
-     char om[100];
- 
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
- 
-     /*
-      * XXX Make this smarter; look at the type field and then decode
-@@ -278,16 +278,16 @@
-     SEC_PKCS7Attribute *attr;
-     int iv;
-     
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &(info->version), "version=");
- 
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintName(out, &(info->issuerAndSN->issuer), "issuerName=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
-                         "serialNumber=");
-   
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintAlgorithmID(out, &(info->digestAlg), "digestAlgorithm=");
-     
-     if (info->authAttr != NULL) {
-@@ -304,9 +304,9 @@
-     }
-     
-     /* Parse and display signature */
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintAlgorithmID(out, &(info->digestEncAlg), "digestEncryptionAlgorithm=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintAsHex(out, &(info->encDigest), "encryptedDigest=");
-     
-     if (info->unAuthAttr != NULL) {
-@@ -326,22 +326,22 @@
- void
- sv_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
- {
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &pk->u.rsa.modulus, "modulus=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &pk->u.rsa.publicExponent, "exponent=");
- }
- 
- void
- sv_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
- {
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &pk->u.dsa.params.prime, "prime=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &pk->u.dsa.params.subPrime, "subprime=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &pk->u.dsa.params.base, "base=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintInteger(out, &pk->u.dsa.publicValue, "publicValue=");
- }
- 
-@@ -432,7 +432,7 @@
- 
-             oidTag = SECOID_FindOIDTag (&((*extensions)->id));
- 
--            fprintf(out, msg);
-+            fprintf(out, "%s", msg);
-             tmpitem = &((*extensions)->value);
-             if (oidTag == SEC_OID_X509_INVALID_DATE) 
-                 sv_PrintInvalidDateExten (out, tmpitem,"invalidExt");
-@@ -458,13 +458,13 @@
-     int iv;
-     char om[100];
-     
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintAlgorithmID(out, &(crl->signatureAlg), "signatureAlgorithm=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintName(out, &(crl->name), "name=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintTime(out, &(crl->lastUpdate), "lastUpdate=");
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintTime(out, &(crl->nextUpdate), "nextUpdate=");
-     
-     if (crl->entries != NULL) {
-@@ -563,10 +563,10 @@
-     }
- 
-     m[PORT_Strlen(m) - 5] = 0;
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm=");
-     DER_ConvertBitString(&sd->signature);
--    fprintf(out, m);
-+    fprintf(out, "%s", m);
-     sv_PrintAsHex(out, &sd->signature, "signature=");
- 
-     PORT_FreeArena(arena, PR_FALSE);
-@@ -632,11 +632,11 @@
-         iv = 0;
-         while ((aCrl = src->crls[iv]) != NULL) {
-             sprintf(om, "signedRevocationList[%d].", iv);
--            fprintf(out, om);
-+            fprintf("%s", out, om);
-             sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, 
-                                 "signatureAlgorithm=");
-             DER_ConvertBitString(&aCrl->signatureWrap.signature);
--            fprintf(out, om);
-+            fprintf("%s", out, om);
-             sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "signature=");
-             sprintf(om, "certificateRevocationList[%d].", iv);
-             sv_PrintCRLInfo(out, &aCrl->crl, om);

nss-no-rpath.patch

@@ -1,14 +1,14 @@
---- mozilla/security/nss/cmd/platlibs.mk	2009-06-18 01:01:48.000000000 +0200
-+++ mozilla/security/nss/cmd/platlibs.mk.oden	2009-08-31 17:16:16.000000000 +0200
-@@ -59,9 +59,9 @@
- endif
- else
+--- mozilla/security/nss/cmd/platlibs.mk~	2012-07-17 11:22:42.000000000 -0400
++++ mozilla/security/nss/cmd/platlibs.mk	2012-10-27 13:03:47.839324389 -0400
+@@ -18,9 +18,9 @@
+ 
+ ifeq ($(OS_ARCH), Linux)
  ifeq ($(USE_64), 1)
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
  else
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
- endif
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
  endif
  endif
+ 

nss.spec

@@ -4,17 +4,17 @@
 %define libname %mklibname %{name} %{major}
 %define develname %mklibname -d %{name}
 %define sdevelname %mklibname -d -s %{name}
-%define cvsver 3_13
+%define cvsver 3_14
 
 %define nspr_libname %mklibname nspr 4
 %define	nspr_version 4.9
 
 %if %mandriva_branch == Cooker
 # Cooker
-%define release %mkrel 2
+%define release %mkrel 1
 %else
 # Old distros
-%define release %mkrel 1
+%define release %mkrel 0
 %endif
 
 # this seems fragile, so require the exact version or later (#58754)
@@ -26,7 +26,7 @@
 %{?_without_empty:   %{expand: %%global build_empty 0}}
 
 Name:		nss
-Version:	3.13.3
+Version:	3.14
 Release:	%{release}
 Epoch:		2
 Summary:	Netscape Security Services
@@ -50,9 +50,9 @@ Source7:	verisign-class-3-secure-server-ca.der
 Source8:	http://www.icpbrasil.gov.br/certificadoACRaiz.crt
 Patch0:		nss-no-rpath.patch
 Patch1:		nss-fixrandom.patch
-Patch3:		nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
+#Patch3:		nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
 Patch4:		renegotiate-transitional.patch
-BuildRequires:	rootcerts >= 1:20120218.00
+BuildRequires:	rootcerts >= 1:20121229.00
 BuildRequires:	libnspr-devel >= 2:4.9.0
 BuildRequires:	libz-devel
 BuildRequires:	libsqlite3-devel >= 3.7.7.1
@@ -125,7 +125,6 @@ Static libraries for doing development with Network Security Services.
 %setup -q
 %patch0 -p0
 %patch1 -p0
-%patch3 -p1
 %patch4 -p0 -b .transitional
 
 find . -type d -perm 0700 -exec chmod 755 {} \;
@@ -268,7 +267,7 @@ popd
 %if %with lib
 export NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
 export NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
-export NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+export NSS_VPATCH=`echo %{version} | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`
 
 %{__mkdir_p} %{buildroot}%{_bindir}
 cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
@@ -358,6 +357,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 %attr(0755,root,root) %{_bindir}/digest
 %attr(0755,root,root) %{_bindir}/encodeinttest
 %attr(0755,root,root) %{_bindir}/fipstest
+%attr(0755,root,root) %{_bindir}/httpserv
+%attr(0755,root,root) %{_bindir}/listsuites
+%attr(0755,root,root) %{_bindir}/lowhashtest
 %attr(0755,root,root) %{_bindir}/makepqg
 %attr(0755,root,root) %{_bindir}/mangle
 %attr(0755,root,root) %{_bindir}/modutil
@@ -371,10 +373,14 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 %attr(0755,root,root) %{_bindir}/p7verify
 %attr(0755,root,root) %{_bindir}/pk11mode
 %attr(0755,root,root) %{_bindir}/pk12util
+%attr(0755,root,root) %{_bindir}/pk1sign
+%attr(0755,root,root) %{_bindir}/pkix-errcodes
 %attr(0755,root,root) %{_bindir}/pp
+%attr(0755,root,root) %{_bindir}/pwdecrypt
 %attr(0755,root,root) %{_bindir}/remtest
 %attr(0755,root,root) %{_bindir}/rsaperf
 %attr(0755,root,root) %{_bindir}/sdrtest
+%attr(0755,root,root) %{_bindir}/secmodtest
 %attr(0755,root,root) %{_bindir}/selfserv
 %attr(0755,root,root) %{_bindir}/shlibsign
 %attr(0755,root,root) %{_bindir}/signtool
@@ -506,6 +512,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 %{_includedir}/nss/ssl.h
 %{_includedir}/nss/sslproto.h
 %{_includedir}/nss/sslt.h
+%{_includedir}/nss/utilmodt.h
+%{_includedir}/nss/utilpars.h
+%{_includedir}/nss/utilparst.h
 %{_includedir}/nss/utilrename.h
 %{_libdir}/pkgconfig/nss.pc
 %{_libdir}/libsoftokn%{major}.chk
@@ -524,6 +533,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 
 
 %changelog
+* Fri Jan 11 2013 Ilya Porvin <ilya.porvin@rosalab.ru> 3.14-0
+  apply fix patch for CVE-2013-0743
+
 * Thu Mar 15 2012 Oden Eriksson <oeriksson@mandriva.com> 2:3.13.3-0.1
 - 3.13.3
 - fix deps
@@ -686,7 +698,7 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 + Revision: 360727
 - rebuilt to pickup new data from the rootcerts (20090115.00) package
 
-* Sun Jan 25 2009 Per Øyvind Karlsen <peroyvind@mandriva.org> 2:3.12-11mdv2009.1
+* Sun Jan 25 2009 Per Ã?yvind Karlsen <peroyvind@mandriva.org> 2:3.12-11mdv2009.1
 + Revision: 333523
 - bump..
 - increase size for string allocated by one to make room for string terminator
@@ -767,7 +779,7 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 + Revision: 167772
 - New upstream: 3.11.9
 
-* Thu Feb 07 2008 Per Øyvind Karlsen <peroyvind@mandriva.org> 2:3.11.7-4mdv2008.1
+* Thu Feb 07 2008 Per Ã?yvind Karlsen <peroyvind@mandriva.org> 2:3.11.7-4mdv2008.1
 + Revision: 163760
 - really fix incorrect major
 - bump back release a bit since neither of previous ones went through :)

renegotiate-transitional.patch

@@ -1,11 +1,11 @@
---- mozilla/security/nss/lib/ssl/sslsock.c	2011-10-22 18:45:40.000000000 +0200
-+++ mozilla/security/nss/lib/ssl/sslsock.c.oden	2011-11-05 17:45:55.672091551 +0100
-@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
+--- mozilla/security/nss/lib/ssl/sslsock.c.transitional	2011-10-22 18:45:40.000000000 +0200
++++ mozilla/security/nss/lib/ssl/sslsock.c	2011-11-10 14:17:36.000000000 +0100
+@@ -181,7 +181,7 @@
      PR_FALSE,   /* noLocks            */
      PR_FALSE,   /* enableSessionTickets */
      PR_FALSE,   /* enableDeflate      */
 -    2,          /* enableRenegotiation (default: requires extension) */
-+    3,          /* enableRenegotiation (default: transitional) */
++    3,          /* enableRenegotiation (default: requires extension) */
      PR_FALSE,   /* requireSafeNegotiation */
      PR_FALSE,   /* enableFalseStart   */
      PR_TRUE     /* cbcRandomIV        */