fix for CVE-2013-0743

Ilya Porvin 2013-02-21 10:51:18 +04:00
parent b91e71f3c2
commit 9a683c63af
5 changed files with 37 additions and 211 deletions


@ -1,2 +1,2 @@
sources: sources:
"nss-3.13.3.tar.gz": 6b8b92d3de893ae67dc04ce9a14ab5c9495dd4a6 "nss-3.14.tar.gz": 181b7e1e2082b581f716b449c48512983d57e9fc


@ -1,186 +0,0 @@
diff -Naur nss-3.12.3/mozilla/security/nss/cmd/certcgi/certcgi.c nss-3.12.3.tpg/mozilla/security/nss/cmd/certcgi/certcgi.c
--- nss-3.12.3/mozilla/security/nss/cmd/certcgi/certcgi.c 2008-02-16 01:17:40.000000000 +0000
+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/certcgi/certcgi.c 2009-05-30 17:24:44.000000000 +0000
@@ -97,7 +97,7 @@
error_out(char *error_string)
{
printf("Content-type: text/plain\n\n");
- printf(error_string);
+ printf("%s", error_string);
fflush(stderr);
fflush(stdout);
exit(1);
diff -Naur nss-3.12.3/mozilla/security/nss/cmd/certutil/keystuff.c nss-3.12.3.tpg/mozilla/security/nss/cmd/certutil/keystuff.c
--- nss-3.12.3/mozilla/security/nss/cmd/certutil/keystuff.c 2009-02-19 04:24:41.000000000 +0000
+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/certutil/keystuff.c 2009-05-30 17:24:44.000000000 +0000
@@ -95,7 +95,7 @@
char meter[] = {
"\r| |" };
-#define FPS fprintf(stderr,
+#define FPS fprintf(stderr, "%s",
FPS "\n");
FPS "A random seed must be generated that will be used in the\n");
FPS "creation of your key. One of the easiest ways to create a\n");
diff -Naur nss-3.12.3/mozilla/security/nss/cmd/digest/digest.c nss-3.12.3.tpg/mozilla/security/nss/cmd/digest/digest.c
--- nss-3.12.3/mozilla/security/nss/cmd/digest/digest.c 2004-10-07 04:13:50.000000000 +0000
+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/digest/digest.c 2009-05-30 17:24:44.000000000 +0000
@@ -105,7 +105,7 @@
"-t type");
fprintf(stderr, "%-20s ", "");
for (htype = HASH_AlgNULL + 1; htype < HASH_AlgTOTAL; htype++) {
- fprintf(stderr, HashTypeToOID(htype)->desc);
+ fprintf(stderr, "%s", HashTypeToOID(htype)->desc);
if (htype == (HASH_AlgTOTAL - 2))
fprintf(stderr, " or ");
else if (htype != (HASH_AlgTOTAL - 1))
diff -Naur nss-3.12.3/mozilla/security/nss/cmd/signver/pk7print.c nss-3.12.3.tpg/mozilla/security/nss/cmd/signver/pk7print.c
--- nss-3.12.3/mozilla/security/nss/cmd/signver/pk7print.c 2008-10-06 23:37:54.000000000 +0000
+++ nss-3.12.3.tpg/mozilla/security/nss/cmd/signver/pk7print.c 2009-05-30 17:24:44.000000000 +0000
@@ -79,7 +79,7 @@
{
unsigned i;
- if (m) fprintf(out, m);
+ if (m) fprintf(out, "%s", m);
for (i = 0; i < data->len; i++) {
if (i < data->len - 1) {
@@ -136,10 +136,10 @@
{
int rv;
- fprintf(out, m);
+ fprintf(out, "%s", m);
rv = sv_PrintTime(out, &v->notBefore, "notBefore=");
if (rv) return rv;
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintTime(out, &v->notAfter, "notAfter=");
return rv;
}
@@ -181,7 +181,7 @@
int i;
char om[100];
- fprintf(out, m);
+ fprintf(out, "%s", m);
/*
* XXX Make this smarter; look at the type field and then decode
@@ -278,16 +278,16 @@
SEC_PKCS7Attribute *attr;
int iv;
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &(info->version), "version=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintName(out, &(info->issuerAndSN->issuer), "issuerName=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &(info->issuerAndSN->serialNumber),
"serialNumber=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &(info->digestAlg), "digestAlgorithm=");
if (info->authAttr != NULL) {
@@ -304,9 +304,9 @@
}
/* Parse and display signature */
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &(info->digestEncAlg), "digestEncryptionAlgorithm=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAsHex(out, &(info->encDigest), "encryptedDigest=");
if (info->unAuthAttr != NULL) {
@@ -326,22 +326,22 @@
void
sv_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
{
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.rsa.modulus, "modulus=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.rsa.publicExponent, "exponent=");
}
void
sv_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m)
{
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.params.prime, "prime=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.params.subPrime, "subprime=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.params.base, "base=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintInteger(out, &pk->u.dsa.publicValue, "publicValue=");
}
@@ -432,7 +432,7 @@
oidTag = SECOID_FindOIDTag (&((*extensions)->id));
- fprintf(out, msg);
+ fprintf(out, "%s", msg);
tmpitem = &((*extensions)->value);
if (oidTag == SEC_OID_X509_INVALID_DATE)
sv_PrintInvalidDateExten (out, tmpitem,"invalidExt");
@@ -458,13 +458,13 @@
int iv;
char om[100];
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &(crl->signatureAlg), "signatureAlgorithm=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintName(out, &(crl->name), "name=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintTime(out, &(crl->lastUpdate), "lastUpdate=");
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintTime(out, &(crl->nextUpdate), "nextUpdate=");
if (crl->entries != NULL) {
@@ -563,10 +563,10 @@
}
m[PORT_Strlen(m) - 5] = 0;
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAlgorithmID(out, &sd->signatureAlgorithm, "signatureAlgorithm=");
DER_ConvertBitString(&sd->signature);
- fprintf(out, m);
+ fprintf(out, "%s", m);
sv_PrintAsHex(out, &sd->signature, "signature=");
PORT_FreeArena(arena, PR_FALSE);
@@ -632,11 +632,11 @@
iv = 0;
while ((aCrl = src->crls[iv]) != NULL) {
sprintf(om, "signedRevocationList[%d].", iv);
- fprintf(out, om);
+ fprintf("%s", out, om);
sv_PrintAlgorithmID(out, &aCrl->signatureWrap.signatureAlgorithm,
"signatureAlgorithm=");
DER_ConvertBitString(&aCrl->signatureWrap.signature);
- fprintf(out, om);
+ fprintf("%s", out, om);
sv_PrintAsHex(out, &aCrl->signatureWrap.signature, "signature=");
sprintf(om, "certificateRevocationList[%d].", iv);
sv_PrintCRLInfo(out, &aCrl->crl, om);


@ -1,14 +1,14 @@
--- mozilla/security/nss/cmd/platlibs.mk 2009-06-18 01:01:48.000000000 +0200 --- mozilla/security/nss/cmd/platlibs.mk~ 2012-07-17 11:22:42.000000000 -0400
+++ mozilla/security/nss/cmd/platlibs.mk.oden 2009-08-31 17:16:16.000000000 +0200 +++ mozilla/security/nss/cmd/platlibs.mk 2012-10-27 13:03:47.839324389 -0400
@@ -59,9 +59,9 @@ @@ -18,9 +18,9 @@
endif
else ifeq ($(OS_ARCH), Linux)
ifeq ($(USE_64), 1) ifeq ($(USE_64), 1)
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib' -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:$$ORIGIN/../lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
else else
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib' -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
endif
endif endif
endif endif


@ -4,17 +4,17 @@
%define libname %mklibname %{name} %{major} %define libname %mklibname %{name} %{major}
%define develname %mklibname -d %{name} %define develname %mklibname -d %{name}
%define sdevelname %mklibname -d -s %{name} %define sdevelname %mklibname -d -s %{name}
%define cvsver 3_13 %define cvsver 3_14
%define nspr_libname %mklibname nspr 4 %define nspr_libname %mklibname nspr 4
%define nspr_version 4.9 %define nspr_version 4.9
%if %mandriva_branch == Cooker %if %mandriva_branch == Cooker
# Cooker # Cooker
%define release %mkrel 2 %define release %mkrel 1
%else %else
# Old distros # Old distros
%define release %mkrel 1 %define release %mkrel 0
%endif %endif
# this seems fragile, so require the exact version or later (#58754) # this seems fragile, so require the exact version or later (#58754)
@ -26,7 +26,7 @@
%{?_without_empty: %{expand: %%global build_empty 0}} %{?_without_empty: %{expand: %%global build_empty 0}}
Name: nss Name: nss
Version: 3.13.3 Version: 3.14
Release: %{release} Release: %{release}
Epoch: 2 Epoch: 2
Summary: Netscape Security Services Summary: Netscape Security Services
@ -50,9 +50,9 @@ Source7: verisign-class-3-secure-server-ca.der
Source8: http://www.icpbrasil.gov.br/certificadoACRaiz.crt Source8: http://www.icpbrasil.gov.br/certificadoACRaiz.crt
Patch0: nss-no-rpath.patch Patch0: nss-no-rpath.patch
Patch1: nss-fixrandom.patch Patch1: nss-fixrandom.patch
Patch3: nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch #Patch3: nss-3.12.7-format_not_a_string_literal_and_no_format_arguments.patch
Patch4: renegotiate-transitional.patch Patch4: renegotiate-transitional.patch
BuildRequires: rootcerts >= 1:20120218.00 BuildRequires: rootcerts >= 1:20121229.00
BuildRequires: libnspr-devel >= 2:4.9.0 BuildRequires: libnspr-devel >= 2:4.9.0
BuildRequires: libz-devel BuildRequires: libz-devel
BuildRequires: libsqlite3-devel >= 3.7.7.1 BuildRequires: libsqlite3-devel >= 3.7.7.1
@ -125,7 +125,6 @@ Static libraries for doing development with Network Security Services.
%setup -q %setup -q
%patch0 -p0 %patch0 -p0
%patch1 -p0 %patch1 -p0
%patch3 -p1
%patch4 -p0 -b .transitional %patch4 -p0 -b .transitional
find . -type d -perm 0700 -exec chmod 755 {} \; find . -type d -perm 0700 -exec chmod 755 {} \;
@ -268,7 +267,7 @@ popd
%if %with lib %if %with lib
export NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` export NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
export NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` export NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
export NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` export NSS_VPATCH=`echo %{version} | sed 's/\([0-9]*\).\([0-9]*\).\([0-9]*\)/\3/'`
%{__mkdir_p} %{buildroot}%{_bindir} %{__mkdir_p} %{buildroot}%{_bindir}
cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ cat %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
@ -358,6 +357,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
%attr(0755,root,root) %{_bindir}/digest %attr(0755,root,root) %{_bindir}/digest
%attr(0755,root,root) %{_bindir}/encodeinttest %attr(0755,root,root) %{_bindir}/encodeinttest
%attr(0755,root,root) %{_bindir}/fipstest %attr(0755,root,root) %{_bindir}/fipstest
%attr(0755,root,root) %{_bindir}/httpserv
%attr(0755,root,root) %{_bindir}/listsuites
%attr(0755,root,root) %{_bindir}/lowhashtest
%attr(0755,root,root) %{_bindir}/makepqg %attr(0755,root,root) %{_bindir}/makepqg
%attr(0755,root,root) %{_bindir}/mangle %attr(0755,root,root) %{_bindir}/mangle
%attr(0755,root,root) %{_bindir}/modutil %attr(0755,root,root) %{_bindir}/modutil
@ -371,10 +373,14 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
%attr(0755,root,root) %{_bindir}/p7verify %attr(0755,root,root) %{_bindir}/p7verify
%attr(0755,root,root) %{_bindir}/pk11mode %attr(0755,root,root) %{_bindir}/pk11mode
%attr(0755,root,root) %{_bindir}/pk12util %attr(0755,root,root) %{_bindir}/pk12util
%attr(0755,root,root) %{_bindir}/pk1sign
%attr(0755,root,root) %{_bindir}/pkix-errcodes
%attr(0755,root,root) %{_bindir}/pp %attr(0755,root,root) %{_bindir}/pp
%attr(0755,root,root) %{_bindir}/pwdecrypt
%attr(0755,root,root) %{_bindir}/remtest %attr(0755,root,root) %{_bindir}/remtest
%attr(0755,root,root) %{_bindir}/rsaperf %attr(0755,root,root) %{_bindir}/rsaperf
%attr(0755,root,root) %{_bindir}/sdrtest %attr(0755,root,root) %{_bindir}/sdrtest
%attr(0755,root,root) %{_bindir}/secmodtest
%attr(0755,root,root) %{_bindir}/selfserv %attr(0755,root,root) %{_bindir}/selfserv
%attr(0755,root,root) %{_bindir}/shlibsign %attr(0755,root,root) %{_bindir}/shlibsign
%attr(0755,root,root) %{_bindir}/signtool %attr(0755,root,root) %{_bindir}/signtool
@ -506,6 +512,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
%{_includedir}/nss/ssl.h %{_includedir}/nss/ssl.h
%{_includedir}/nss/sslproto.h %{_includedir}/nss/sslproto.h
%{_includedir}/nss/sslt.h %{_includedir}/nss/sslt.h
%{_includedir}/nss/utilmodt.h
%{_includedir}/nss/utilpars.h
%{_includedir}/nss/utilparst.h
%{_includedir}/nss/utilrename.h %{_includedir}/nss/utilrename.h
%{_libdir}/pkgconfig/nss.pc %{_libdir}/pkgconfig/nss.pc
%{_libdir}/libsoftokn%{major}.chk %{_libdir}/libsoftokn%{major}.chk
@ -524,6 +533,9 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
%changelog %changelog
* Fri Jan 11 2013 Ilya Porvin <ilya.porvin@rosalab.ru> 3.14-0
apply fix patch for CVE-2013-0743
* Thu Mar 15 2012 Oden Eriksson <oeriksson@mandriva.com> 2:3.13.3-0.1 * Thu Mar 15 2012 Oden Eriksson <oeriksson@mandriva.com> 2:3.13.3-0.1
- 3.13.3 - 3.13.3
- fix deps - fix deps
@ -686,7 +698,7 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
+ Revision: 360727 + Revision: 360727
- rebuilt to pickup new data from the rootcerts (20090115.00) package - rebuilt to pickup new data from the rootcerts (20090115.00) package
* Sun Jan 25 2009 Per Øyvind Karlsen <peroyvind@mandriva.org> 2:3.12-11mdv2009.1 * Sun Jan 25 2009 Per Ã?yvind Karlsen <peroyvind@mandriva.org> 2:3.12-11mdv2009.1
+ Revision: 333523 + Revision: 333523
- bump.. - bump..
- increase size for string allocated by one to make room for string terminator - increase size for string allocated by one to make room for string terminator
@ -767,7 +779,7 @@ install -m0755 libnssckbi_empty.so %{buildroot}/%{_lib}/libnssckbi_empty.so
+ Revision: 167772 + Revision: 167772
- New upstream: 3.11.9 - New upstream: 3.11.9
* Thu Feb 07 2008 Per Øyvind Karlsen <peroyvind@mandriva.org> 2:3.11.7-4mdv2008.1 * Thu Feb 07 2008 Per Ã?yvind Karlsen <peroyvind@mandriva.org> 2:3.11.7-4mdv2008.1
+ Revision: 163760 + Revision: 163760
- really fix incorrect major - really fix incorrect major
- bump back release a bit since neither of previous ones went through :) - bump back release a bit since neither of previous ones went through :)
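Review bot: The changelog entry added here says `apply fix patch for CVE-2013-0743`, but this section adds no `Patch` line or `%patch` step; the only patch-set change is that `Patch3` (the format-string hardening patch) is commented out and `%patch3 -p1` is removed. If the fix is meant to come from the 3.14 tarball or from the `rootcerts >= 1:20121229.00` bump, the changelog should say so, for example `- update to 3.14 for CVE-2013-0743; drop Patch3 (format-string fixes are upstream)`. The second half of that claim should be confirmed against the 3.14 `cmd/` sources, since nothing visible here shows the `"%s"` fixes were merged upstream. Separately, the new `NSS_VPATCH` line appears unable to yield a correct patch level for a two-component version such as `3.14`, because the `.` separators are unescaped and the third group has no digits of its own to capture; a fallback on the next line such as `NSS_VPATCH=${NSS_VPATCH:-0}` would keep the generated version well-formed.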


@ -1,11 +1,11 @@
--- mozilla/security/nss/lib/ssl/sslsock.c 2011-10-22 18:45:40.000000000 +0200 --- mozilla/security/nss/lib/ssl/sslsock.c.transitional 2011-10-22 18:45:40.000000000 +0200
+++ mozilla/security/nss/lib/ssl/sslsock.c.oden 2011-11-05 17:45:55.672091551 +0100 +++ mozilla/security/nss/lib/ssl/sslsock.c 2011-11-10 14:17:36.000000000 +0100
@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = { @@ -181,7 +181,7 @@
PR_FALSE, /* noLocks */ PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */ PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */ - 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: transitional) */ + 3, /* enableRenegotiation (default: requires extension) */
PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */ PR_FALSE, /* enableFalseStart */
PR_TRUE /* cbcRandomIV */ PR_TRUE /* cbcRandomIV */
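Review bot: The refreshed patch still sets the default to `3`, but its comment now reads `(default: requires extension)`, the same text as the removed `2` line, so the added source line no longer says what the value means. The previous revision of this patch labelled it `(default: transitional)`. This line appears to relax the library's renegotiation default for every consumer of the package, so the comment should stay accurate: `+ 3, /* enableRenegotiation (default: transitional) */`. The `ssl_defaults` initializer starts and ends outside the hunk.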