From 9a683c63af69d620ecbc9b693afaa55fbc11a9f1 Mon Sep 17 00:00:00 2001
From: Ilya Porvin
Date: Thu, 21 Feb 2013 10:51:18 +0400
Subject: [PATCH] fix for CVE-2013-0743
---
 .abf.yml | 2 +-
 ...ring_literal_and_no_format_arguments.patch | 186 ------------------
 nss-no-rpath.patch | 20 +-
 nss.spec | 32 ++-
 renegotiate-transitional.patch | 8 +-
 5 files changed, 37 insertions(+), 211 deletions(-)
 delete mode 100644 nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
diff --git a/.abf.yml b/.abf.yml
index 6c25166..1139a83 100644
--- a/.abf.yml
+++ b/.abf.yml
@@ -1,2 +1,2 @@
 sources:
- "nss-3.13.3.tar.gz": 6b8b92d3de893ae67dc04ce9a14ab5c9495dd4a6
+ "nss-3.14.tar.gz": 181b7e1e2082b581f716b449c48512983d57e9fc
diff --git a/nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch b/nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
deleted file mode 100644
index 3e2cfa6..0000000
--- a/nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
+++ /dev/null
@@ -1,186 +0,0 @@ -diff -Naur nss-3.12.3/mozilla/security/nss/cmd/certcgi/certcgi.c nss-3.12.3.tpg/mozilla/security/nss/cmd/certcgi/certcgi.c ---- nss-3.12.3/mozilla/security/nss/cmd/certcgi/certcgi.c 2008-02-16 01:17:40.000000000 +0000 -+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/certcgi/certcgi.c 2009-05-30 17:24:44.000000000 +0000 -@@ -97,7 +97,7 @@ - error_out(char *error_string) - { - printf("Content-type: text/plain\n\n"); -- printf(error_string); -+ printf("%s", error_string); - fflush(stderr); - fflush(stdout); - exit(1); -diff -Naur nss-3.12.3/mozilla/security/nss/cmd/certutil/keystuff.c nss-3.12.3.tpg/mozilla/security/nss/cmd/certutil/keystuff.c ---- nss-3.12.3/mozilla/security/nss/cmd/certutil/keystuff.c 2009-02-19 04:24:41.000000000 +0000 -+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/certutil/keystuff.c 2009-05-30 17:24:44.000000000 +0000 -@@ -95,7 +95,7 @@ - char meter[] = { - "\r| |" }; - --#define FPS fprintf(stderr, -+#define FPS fprintf(stderr, "%s", - FPS "\n"); - FPS "A random seed must be generated that will be used in the\n"); - FPS "creation of your key. 
One of the easiest ways to create a\n"); -diff -Naur nss-3.12.3/mozilla/security/nss/cmd/digest/digest.c nss-3.12.3.tpg/mozilla/security/nss/cmd/digest/digest.c ---- nss-3.12.3/mozilla/security/nss/cmd/digest/digest.c 2004-10-07 04:13:50.000000000 +0000 -+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/digest/digest.c 2009-05-30 17:24:44.000000000 +0000 -@@ -105,7 +105,7 @@ - "-t type"); - fprintf(stderr, "%-20s ", ""); - for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) { -- fprintf(stderr, HashTypeToOID(htype)->desc); -+ fprintf(stderr, "%s", HashTypeToOID(htype)->desc); - if (htype == (HASH_AlgTOTAL - 2)) - fprintf(stderr, " or "); - else if (htype != (HASH_AlgTOTAL - 1)) -diff -Naur nss-3.12.3/mozilla/security/nss/cmd/signver/pk7print.c nss-3.12.3.tpg/mozilla/security/nss/cmd/signver/pk7print.c ---- nss-3.12.3/mozilla/security/nss/cmd/signver/pk7print.c 2008-10-06 23:37:54.000000000 +0000 -+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/signver/pk7print.c 2009-05-30 17:24:44.000000000 +0000 -@@ -79,7 +79,7 @@ - { - unsigned i; - -- if (m) fprintf(out, m); -+ if (m) fprintf(out, "%s", m); - - for (i = 0; i < data->len; i++) { - if (i < data->len - 1) { -@@ -136,10 +136,10 @@ - { - int rv; - -- fprintf(out, m); -+ fprintf(out, "%s", m); - rv = sv_PrintTime(out, &v->notBefore, "notBefore="); - if (rv) return rv; -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintTime(out, &v->notAfter, "notAfter="); - return rv; - } -@@ -181,7 +181,7 @@ - int i; - char om[100]; - -- fprintf(out, m); -+ fprintf(out, "%s", m); - - /* - * XXX Make this smarter; look at the type field and then decode -@@ -278,16 +278,16 @@ - SEC_PKCS7Attribute *attr; - int iv; - -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &(info->version), "version="); - -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintName(out, &(info->issuerAndSN->issuer), "issuerName="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &(info->issuerAndSN->serialNumber), 
- "serialNumber="); - -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintAlgorithmID(out, &(info->digestAlg), "digestAlgorithm="); - - if (info->authAttr != NULL) { -@@ -304,9 +304,9 @@ - } - - /* Parse and display signature */ -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintAlgorithmID(out, &(info->digestEncAlg), "digestEncryptionAlgorithm="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintAsHex(out, &(info->encDigest), "encryptedDigest="); - - if (info->unAuthAttr != NULL) { -@@ -326,22 +326,22 @@ - void - sv_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m) - { -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &pk->u.rsa.modulus, "modulus="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &pk->u.rsa.publicExponent, "exponent="); - } - - void - sv_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m) - { -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &pk->u.dsa.params.prime, "prime="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &pk->u.dsa.params.subPrime, "subprime="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &pk->u.dsa.params.base, "base="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintInteger(out, &pk->u.dsa.publicValue, "publicValue="); - } - -@@ -432,7 +432,7 @@ - - oidTag = SECOID_FindOIDTag (&((*extensions)->id)); - -- fprintf(out, msg); -+ fprintf(out, "%s", msg); - tmpitem = &((*extensions)->value); - if (oidTag == SEC_OID_X509_INVALID_DATE) - sv_PrintInvalidDateExten (out, tmpitem,"invalidExt"); -@@ -458,13 +458,13 @@ - int iv; - char om[100]; - -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintAlgorithmID(out, &(crl->signatureAlg), "signatureAlgorithm="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintName(out, &(crl->name), "name="); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintTime(out, &(crl->lastUpdate), "lastUpdate="); -- fprintf(out, m); -+ fprintf(out, "%s", 
m); - sv_PrintTime(out, &(crl->nextUpdate), "nextUpdate="); - - if (crl->entries != NULL) { -@@ -563,10 +563,10 @@ - } - - m[PORT_Strlen(m) - 5] = 0; -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm="); - DER_ConvertBitString(&sd->signature); -- fprintf(out, m); -+ fprintf(out, "%s", m); - sv_PrintAsHex(out, &sd->signature, "signature="); - - PORT_FreeArena(arena, PR_FALSE); -@@ -632,11 +632,11 @@ - iv = 0; - while ((aCrl = src->crls[iv]) != NULL) { - sprintf(om, "signedRevocationList[%d].", iv); -- fprintf(out, om); -+ fprintf("%s", out, om); - sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm, - "signatureAlgorithm="); - DER_ConvertBitString(&aCrl->signatureWrap.signature); -- fprintf(out, om); -+ fprintf("%s", out, om); - sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "signature="); - sprintf(om, "certificateRevocationList[%d].", iv); - sv_PrintCRLInfo(out, &aCrl->crl, om); diff --git a/nss-no-rpath.patch b/nss-no-rpath.patch index 0e86998..92faf2b 100644 --- a/nss-no-rpath.patch +++ b/nss-no-rpath.patch 
@@ -1,14 +1,14 @@
---- mozilla/security/nss/cmd/platlibs.mk 2009-06-18 01:01:48.000000000 +0200
-+++ mozilla/security/nss/cmd/platlibs.mk.oden 2009-08-31 17:16:16.000000000 +0200
-@@ -59,9 +59,9 @@
- endif
- else
+--- mozilla/security/nss/cmd/platlibs.mk~ 2012-07-17 11:22:42.000000000 -0400
++++ mozilla/security/nss/cmd/platlibs.mk 2012-10-27 13:03:47.839324389 -0400
+@@ -18,9 +18,9 @@
+
+ ifeq ($(OS_ARCH), Linux)
 ifeq ($(USE_64), 1)
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib'
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
 else
--EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
-+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib'
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
- endif
 endif
 endif
+
diff --git a/nss.spec b/nss.spec
index 775e12b..f21f517 100644
--- a/nss.spec
+++ b/nss.spec
@@ -4,17 +4,17 @@
 %define libname %mklibname %{name} %{major}
 %define develname %mklibname -d %{name}
 %define sdevelname %mklibname -d -s %{name}
-%define cvsver 3_13
+%define cvsver 3_14
 %define nspr_libname %mklibname nspr 4
 %define nspr_version 4.9
 %if %mandriva_branch == Cooker
 # Cooker
-%define release %mkrel 2
+%define release %mkrel 1
 %else
 # Old distros
-%define release %mkrel 1
+%define release %mkrel 0
 %endif
 # this seems fragile, so require the exact version or later (#58754)
@@ -26,7 +26,7 @@
 %{?_without_empty: %{expand: %%global build_empty 0}}
 Name: nss
-Version: 3.13.3
+Version: 3.14
 Release: %{release}
 Epoch: 2
 Summary: Netscape Security Services
@@ -50,9 +50,9 @@
 Source7: verisign-class-3-secure-server-ca.der
 Source8: http://www.icpbrasil.gov.br/certificadoACRaiz.crt
 Patch0: nss-no-rpath.patch
 Patch1: nss-fixrandom.patch
-Patch3: nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
+#Patch3: nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
 Patch4: renegotiate-transitional.patch
-BuildRequires: rootcerts >= 1:20120218.00
+BuildRequires: rootcerts >= 1:20121229.00
 BuildRequires: libnspr-devel >= 2:4.9.0
 BuildRequires: libz-devel
 BuildRequires: libsqlite3-devel >= 3.7.7.1
@@ -125,7 +125,6 @@ Static libraries for doing development with Network Security Services.
 %setup -q
 %patch0 -p0
 %patch1 -p0
-%patch3 -p1
 %patch4 -p0 -b .transitional
 find . -type d -perm 0700 -exec chmod 755 {} \;
@@ -268,7 +267,7 @@ popd
 %if %with lib
 export NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
 export NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
-export NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+export NSS_VPATCH=`echo %{version} | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`
 %{__mkdir_p} %{buildroot}%{_bindir}
 cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
@@ -358,6 +357,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 %attr(0755,root,root) %{_bindir}/digest
 %attr(0755,root,root) %{_bindir}/encodeinttest
 %attr(0755,root,root) %{_bindir}/fipstest
+%attr(0755,root,root) %{_bindir}/httpserv
+%attr(0755,root,root) %{_bindir}/listsuites
+%attr(0755,root,root) %{_bindir}/lowhashtest
 %attr(0755,root,root) %{_bindir}/makepqg
 %attr(0755,root,root) %{_bindir}/mangle
 %attr(0755,root,root) %{_bindir}/modutil
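Review bot: Patch3 is commented out (`+#Patch3: nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch`) and its file deleted, but nothing in the hunk or the commit message says why the format-string fix is no longer needed at 3.14. If the rebase drops it because upstream now passes those strings through `"%s"`, record that on the commented line, e.g. `# Patch3 dropped: format-string callers fixed upstream in 3.14 — TODO confirm`; if it simply failed to apply, the non-literal format strings it covered are back in the shipped command-line tools. The same question applies to the removed `%patch3 -p1` in the @@ -125 hunk below.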
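Review bot: The new `export NSS_VPATCH=`echo %{version} | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`` in the @@ -268 hunk most likely yields an empty string for the two-component `Version: 3.14` set earlier in this same diff, because the expression expects three dot-separated fields and the unescaped `.` matches any character, so the third group has nothing left to match; the line it replaces read NSS_VPATCH from nss.h, where a value is always defined. NSS_VMAJOR and NSS_VMINOR still come from nss.h, so either keep NSS_VPATCH on the same source or default the missing field explicitly: `export NSS_VPATCH=`echo %{version} | awk -F. '{print $3+0}'``. The surrounding `%if %with lib` block continues outside the hunk.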
@@ -371,10 +373,14 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 %attr(0755,root,root) %{_bindir}/p7verify
 %attr(0755,root,root) %{_bindir}/pk11mode
 %attr(0755,root,root) %{_bindir}/pk12util
+%attr(0755,root,root) %{_bindir}/pk1sign
+%attr(0755,root,root) %{_bindir}/pkix-errcodes
 %attr(0755,root,root) %{_bindir}/pp
+%attr(0755,root,root) %{_bindir}/pwdecrypt
 %attr(0755,root,root) %{_bindir}/remtest
 %attr(0755,root,root) %{_bindir}/rsaperf
 %attr(0755,root,root) %{_bindir}/sdrtest
+%attr(0755,root,root) %{_bindir}/secmodtest
 %attr(0755,root,root) %{_bindir}/selfserv
 %attr(0755,root,root) %{_bindir}/shlibsign
 %attr(0755,root,root) %{_bindir}/signtool
@@ -506,6 +512,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 %{_includedir}/nss/ssl.h
 %{_includedir}/nss/sslproto.h
 %{_includedir}/nss/sslt.h
+%{_includedir}/nss/utilmodt.h
+%{_includedir}/nss/utilpars.h
+%{_includedir}/nss/utilparst.h
 %{_includedir}/nss/utilrename.h
 %{_libdir}/pkgconfig/nss.pc
 %{_libdir}/libsoftokn%{major}.chk
@@ -524,6 +533,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 %changelog
+* Fri Jan 11 2013 Ilya Porvin 3.14-0
+ apply fix patch for CVE-2013-0743
+
 * Thu Mar 15 2012 Oden Eriksson 2:3.13.3-0.1
 - 3.13.3
 - fix deps
@@ -686,7 +698,7 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 + Revision: 360727
 - rebuilt to pickup new data from the rootcerts (20090115.00) package
-* Sun Jan 25 2009 Per Øyvind Karlsen 2:3.12-11mdv2009.1
+* Sun Jan 25 2009 Per �yvind Karlsen 2:3.12-11mdv2009.1
 + Revision: 333523
 - bump..
 - increase size for string allocated by one to make room for string terminator
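Review bot: The new changelog entry in the @@ -524 hunk, `* Fri Jan 11 2013 Ilya Porvin 3.14-0` / ` apply fix patch for CVE-2013-0743`, says a fix patch is applied, yet this diff adds no patch file — the visible changes are the 3.14 version bump, the commented-out Patch3 and the `rootcerts >= 1:20121229.00` requirement. The entry should describe what the CVE fix actually consists of (if it is the new rootcerts requirement, say so), and use the epoch and release form every other entry uses, e.g. `* Fri Jan 11 2013 Ilya Porvin 2:3.14-0` with `- 3.14` and `- require rootcerts >= 1:20121229.00 (CVE-2013-0743)` as body lines. The `+ ` lead-in is also the form the older entries reserve for `+ Revision:` lines rather than for bullets.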
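Review bot: The @@ -686 hunk rewrites an old changelog header from `* Sun Jan 25 2009 Per Øyvind Karlsen 2:3.12-11mdv2009.1` to `* Sun Jan 25 2009 Per �yvind Karlsen 2:3.12-11mdv2009.1`, replacing a correctly encoded name with a U+FFFD replacement character; this looks like the spec was round-tripped through a non-UTF-8 editor rather than an intended edit. The @@ -767 hunk does the same to the 2008 entry for the same maintainer. Both hunks should be dropped so the file keeps its original UTF-8 bytes, and the editor that produced the commit should be checked before the next rebase.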
@@ -767,7 +779,7 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
 + Revision: 167772
 - New upstream: 3.11.9
-* Thu Feb 07 2008 Per Øyvind Karlsen 2:3.11.7-4mdv2008.1
+* Thu Feb 07 2008 Per �yvind Karlsen 2:3.11.7-4mdv2008.1
 + Revision: 163760
 - really fix incorrect major
 - bump back release a bit since neither of previous ones went through :)
diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch
index b1a940b..4826c48 100644
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@@ -1,11 +1,11 @@
---- mozilla/security/nss/lib/ssl/sslsock.c 2011-10-22 18:45:40.000000000 +0200
-+++ mozilla/security/nss/lib/ssl/sslsock.c.oden 2011-11-05 17:45:55.672091551 +0100
-@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
+--- mozilla/security/nss/lib/ssl/sslsock.c.transitional 2011-10-22 18:45:40.000000000 +0200
++++ mozilla/security/nss/lib/ssl/sslsock.c 2011-11-10 14:17:36.000000000 +0100
+@@ -181,7 +181,7 @@
 PR_FALSE, /* noLocks */
 PR_FALSE, /* enableSessionTickets */
 PR_FALSE, /* enableDeflate */
 - 2, /* enableRenegotiation (default: requires extension) */
-+ 3, /* enableRenegotiation (default: transitional) */
++ 3, /* enableRenegotiation (default: requires extension) */
 PR_FALSE, /* requireSafeNegotiation */
 PR_FALSE, /* enableFalseStart */
 PR_TRUE /* cbcRandomIV */
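Review bot: The rebased renegotiate-transitional.patch keeps the value `3` but changes its comment back to `/* enableRenegotiation (default: requires extension) */`, which is the wording the unpatched line uses for value `2`; the previous version of this patch labelled 3 as `(default: transitional)`, so the new comment no longer describes the value it sits next to. Because this is a distribution-wide change to the TLS renegotiation default in the `ssl_defaults` table, the comment should state the mode actually configured: `+    3,          /* enableRenegotiation (default: transitional) */`. The `ssl_defaults` initializer starts and ends outside the hunk.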