nss-3.15.1: fix CVE-2013-1739

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1739 (From OE-Core rev: 9b43af77d112e75fa9827a9080b7e94f41f9a116) Signed-off-by: yzhu1 <yanjun.zhu@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: yzhu1 <yanjun.zhu@windriver.com> 2014-06-18 05:41:30 -0400
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-06-24 19:54:11 +0100
commit: 953b01e1de5de8076de326008293c89be30bb3d1 (patch)
tree: c02a462044bc45878ddd5275ad22be4c3510bfc5
parent: b2aa82c4823900582a0a4b784c85e91515cc79fe (diff)
download: poky-953b01e1de5de8076de326008293c89be30bb3d1.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch
new file mode 100644
index 0000000000..1a159c3934
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch
@@ -0,0 +1,81 @@
+Upstream-Status: Backport
+Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
+--- a/nss/lib/ssl/ssl3con.c
+++ b/nss/lib/ssl/ssl3con.c
+@@ -10509,7 +10509,7 @@ ssl_RemoveSSLv3CBCPadding(sslBuffer *pla
+     /* SSLv3 padding bytes are random and cannot be checked. */
+     t = plaintext->len;
+     t -= paddingLength+overhead;
+-    /* If len >= padding_length+overhead then the MSB of t is zero. */
+    /* If len >= paddingLength+overhead then the MSB of t is zero. */
+     good = DUPLICATE_MSB_TO_ALL(~t);
+     /* SSLv3 requires that the padding is minimal. */
+     t = blockSize - (paddingLength+1);
+@@ -10742,7 +10742,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+        }
+     }
+ 
+-    good = (unsigned)-1;
+    good = ~0U;
+     minLength = crSpec->mac_size;
+     if (cipher_def->type == type_block) {
+        /* CBC records have a padding length byte at the end. */
+@@ -10756,14 +10756,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+     /* We can perform this test in variable time because the record's total
+      * length and the ciphersuite are both public knowledge. */
+     if (cText->buf->len < minLength) {
+-       SSL_DBG(("%d: SSL3[%d]: HandleRecord, record too small.",
+-                SSL_GETPID(), ss->fd));
+-       /* must not hold spec lock when calling SSL3_SendAlert. */
+-       ssl_ReleaseSpecReadLock(ss);
+-       SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
+-       /* always log mac error, in case attacker can read server logs. */
+-       PORT_SetError(SSL_ERROR_BAD_MAC_READ);
+-       return SECFailure;
+       goto decrypt_loser;
+     }
+ 
+     if (cipher_def->type == type_block &&
+@@ -10831,11 +10824,18 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+        return SECFailure;
+     }
+ 
+    if (cipher_def->type == type_block &&
+       ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
+       goto decrypt_loser;
+    }
+
+     /* decrypt from cText buf to plaintext. */
+     rv = crSpec->decode(
+        crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
+        plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
+-    good &= SECStatusToMask(rv);
+    if (rv != SECSuccess) {
+       goto decrypt_loser;
+    }
+ 
+     PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
+ 
+@@ -10843,7 +10843,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+ 
+     /* If it's a block cipher, check and strip the padding. */
+     if (cipher_def->type == type_block) {
+-       const unsigned int blockSize = cipher_def->iv_size;
+       const unsigned int blockSize = cipher_def->block_size;
+        const unsigned int macSize = crSpec->mac_size;
+ 
+        if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
+@@ -10899,10 +10899,11 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+     }
+ 
+     if (good == 0) {
+decrypt_loser:
+        /* must not hold spec lock when calling SSL3_SendAlert. */
+        ssl_ReleaseSpecReadLock(ss);
+ 
+-       SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
+       SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
+ 
+        if (!IS_DTLS(ss)) {
+            SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index 5afd63914b..cc9e7b9cd2 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -20,6 +20,7 @@ SRC_URI = "\
    file://nss-3.15.1-fix-CVE-2013-5605.patch \
    file://nss-CVE-2014-1492.patch \
    file://nss-CVE-2013-1740.patch \
+    file://nss-3.15.1-fix-CVE-2013-1739.patch \
 "
 SRC_URI_append_class-target = "\
    file://nss.pc.in \
author	yzhu1 <yanjun.zhu@windriver.com>	2014-06-18 05:41:30 -0400
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-06-24 19:54:11 +0100
commit	953b01e1de5de8076de326008293c89be30bb3d1 (patch)
tree	c02a462044bc45878ddd5275ad22be4c3510bfc5
parent	b2aa82c4823900582a0a4b784c85e91515cc79fe (diff)
download	poky-953b01e1de5de8076de326008293c89be30bb3d1.tar.gz

diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch new file mode 100644 index 0000000000..1a159c3934 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1739.patch
@@ -0,0 +1,81 @@
		1	Upstream-Status: Backport
		2	Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
		3
		4	--- a/nss/lib/ssl/ssl3con.c
		5	+++ b/nss/lib/ssl/ssl3con.c
		6	@@ -10509,7 +10509,7 @@ ssl_RemoveSSLv3CBCPadding(sslBuffer *pla
		7	/* SSLv3 padding bytes are random and cannot be checked. */
		8	t = plaintext->len;
		9	t -= paddingLength+overhead;
		10	- /* If len >= padding_length+overhead then the MSB of t is zero. */
		11	+ /* If len >= paddingLength+overhead then the MSB of t is zero. */
		12	good = DUPLICATE_MSB_TO_ALL(~t);
		13	/* SSLv3 requires that the padding is minimal. */
		14	t = blockSize - (paddingLength+1);
		15	@@ -10742,7 +10742,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
		16	}
		17	}
		18
		19	- good = (unsigned)-1;
		20	+ good = ~0U;
		21	minLength = crSpec->mac_size;
		22	if (cipher_def->type == type_block) {
		23	/* CBC records have a padding length byte at the end. */
		24	@@ -10756,14 +10756,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
		25	/* We can perform this test in variable time because the record's total
		26	* length and the ciphersuite are both public knowledge. */
		27	if (cText->buf->len < minLength) {
		28	- SSL_DBG(("%d: SSL3[%d]: HandleRecord, record too small.",
		29	- SSL_GETPID(), ss->fd));
		30	- /* must not hold spec lock when calling SSL3_SendAlert. */
		31	- ssl_ReleaseSpecReadLock(ss);
		32	- SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
		33	- /* always log mac error, in case attacker can read server logs. */
		34	- PORT_SetError(SSL_ERROR_BAD_MAC_READ);
		35	- return SECFailure;
		36	+ goto decrypt_loser;
		37	}
		38
		39	if (cipher_def->type == type_block &&
		40	@@ -10831,11 +10824,18 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
		41	return SECFailure;
		42	}
		43
		44	+ if (cipher_def->type == type_block &&
		45	+ ((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
		46	+ goto decrypt_loser;
		47	+ }
		48	+
		49	/* decrypt from cText buf to plaintext. */
		50	rv = crSpec->decode(
		51	crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
		52	plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
		53	- good &= SECStatusToMask(rv);
		54	+ if (rv != SECSuccess) {
		55	+ goto decrypt_loser;
		56	+ }
		57
		58	PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
		59
		60	@@ -10843,7 +10843,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
		61
		62	/* If it's a block cipher, check and strip the padding. */
		63	if (cipher_def->type == type_block) {
		64	- const unsigned int blockSize = cipher_def->iv_size;
		65	+ const unsigned int blockSize = cipher_def->block_size;
		66	const unsigned int macSize = crSpec->mac_size;
		67
		68	if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
		69	@@ -10899,10 +10899,11 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
		70	}
		71
		72	if (good == 0) {
		73	+decrypt_loser:
		74	/* must not hold spec lock when calling SSL3_SendAlert. */
		75	ssl_ReleaseSpecReadLock(ss);
		76
		77	- SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
		78	+ SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
		79
		80	if (!IS_DTLS(ss)) {
		81	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);


diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index 5afd63914b..cc9e7b9cd2 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc
@@ -20,6 +20,7 @@ SRC_URI = "\
20	file://nss-3.15.1-fix-CVE-2013-5605.patch \	20	file://nss-3.15.1-fix-CVE-2013-5605.patch \
21	file://nss-CVE-2014-1492.patch \	21	file://nss-CVE-2014-1492.patch \
22	file://nss-CVE-2013-1740.patch \	22	file://nss-CVE-2013-1740.patch \
		23	file://nss-3.15.1-fix-CVE-2013-1739.patch \
23	"	24	"
24	SRC_URI_append_class-target = "\	25	SRC_URI_append_class-target = "\
25	file://nss.pc.in \	26	file://nss.pc.in \