diff options
| author | Li Wang <li.wang@windriver.com> | 2014-05-19 13:42:52 +0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2014-05-21 09:09:00 +0100 |
| commit | 64f817458afb005b4fd32ad7347c24779938e1da (patch) | |
| tree | ad587321bcb9449835007954eff7b5a592f85013 /meta/recipes-support/nss | |
| parent | 09f471bfd03952c617233431d7735f91a6e7f3cf (diff) | |
| download | poky-64f817458afb005b4fd32ad7347c24779938e1da.tar.gz | |
nss: CVE-2014-1492
the patch comes from:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492
https://bugzilla.mozilla.org/show_bug.cgi?id=903885
changeset: 11063:709d4e597979
user: Kai Engert <kaie@kuix.de>
date: Wed Mar 05 18:38:55 2014 +0100
summary: Bug 903885, address requests to clarify comments from wtc
changeset: 11046:2ffa40a3ff55
tag: tip
user: Wan-Teh Chang <wtc@google.com>
date: Tue Feb 25 18:17:08 2014 +0100
summary: Bug 903885, fix IDNA wildcard handling v4, r=kaie
changeset: 11045:15ea62260c21
user: Christian Heimes <sites@cheimes.de>
date: Mon Feb 24 17:50:25 2014 +0100
summary: Bug 903885, fix IDNA wildcard handling, r=kaie
(From OE-Core rev: a83a1b26704f1f3aadaa235bf38094f03b3610fd)
Signed-off-by: Li Wang <li.wang@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/nss')
| -rw-r--r-- | meta/recipes-support/nss/files/nss-CVE-2014-1492.patch | 68 | ||||
| -rw-r--r-- | meta/recipes-support/nss/nss.inc | 1 |
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch new file mode 100644 index 0000000000..1be8a17870 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch | |||
| @@ -0,0 +1,68 @@ | |||
| 1 | nss: CVE-2014-1492 | ||
| 2 | |||
| 3 | Upstream-Status: Backport | ||
| 4 | |||
| 5 | the patch comes from: | ||
| 6 | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492 | ||
| 7 | https://bugzilla.mozilla.org/show_bug.cgi?id=903885 | ||
| 8 | |||
| 9 | changeset: 11063:709d4e597979 | ||
| 10 | user: Kai Engert <kaie@kuix.de> | ||
| 11 | date: Wed Mar 05 18:38:55 2014 +0100 | ||
| 12 | summary: Bug 903885, address requests to clarify comments from wtc | ||
| 13 | |||
| 14 | changeset: 11046:2ffa40a3ff55 | ||
| 15 | tag: tip | ||
| 16 | user: Wan-Teh Chang <wtc@google.com> | ||
| 17 | date: Tue Feb 25 18:17:08 2014 +0100 | ||
| 18 | summary: Bug 903885, fix IDNA wildcard handling v4, r=kaie | ||
| 19 | |||
| 20 | changeset: 11045:15ea62260c21 | ||
| 21 | user: Christian Heimes <sites@cheimes.de> | ||
| 22 | date: Mon Feb 24 17:50:25 2014 +0100 | ||
| 23 | summary: Bug 903885, fix IDNA wildcard handling, r=kaie | ||
| 24 | |||
| 25 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
| 26 | --- | ||
| 27 | nss/lib/certdb/certdb.c | 15 +++++++++------ | ||
| 28 | 1 file changed, 9 insertions(+), 6 deletions(-) | ||
| 29 | |||
| 30 | diff --git a/nss/lib/certdb/certdb.c b/nss/lib/certdb/certdb.c | ||
| 31 | index b7d22bd..91877b7 100644 | ||
| 32 | --- a/nss/lib/certdb/certdb.c | ||
| 33 | +++ b/nss/lib/certdb/certdb.c | ||
| 34 | @@ -1381,7 +1381,7 @@ cert_TestHostName(char * cn, const char * hn) | ||
| 35 | return rv; | ||
| 36 | } | ||
| 37 | } else { | ||
| 38 | - /* New approach conforms to RFC 2818. */ | ||
| 39 | + /* New approach conforms to RFC 6125. */ | ||
| 40 | char *wildcard = PORT_Strchr(cn, '*'); | ||
| 41 | char *firstcndot = PORT_Strchr(cn, '.'); | ||
| 42 | char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; | ||
| 43 | @@ -1390,14 +1390,17 @@ cert_TestHostName(char * cn, const char * hn) | ||
| 44 | /* For a cn pattern to be considered valid, the wildcard character... | ||
| 45 | * - may occur only in a DNS name with at least 3 components, and | ||
| 46 | * - may occur only as last character in the first component, and | ||
| 47 | - * - may be preceded by additional characters | ||
| 48 | + * - may be preceded by additional characters, and | ||
| 49 | + * - must not be preceded by an IDNA ACE prefix (xn--) | ||
| 50 | */ | ||
| 51 | if (wildcard && secondcndot && secondcndot[1] && firsthndot | ||
| 52 | - && firstcndot - wildcard == 1 | ||
| 53 | - && secondcndot - firstcndot > 1 | ||
| 54 | - && PORT_Strrchr(cn, '*') == wildcard | ||
| 55 | + && firstcndot - wildcard == 1 /* wildcard is last char in first component */ | ||
| 56 | + && secondcndot - firstcndot > 1 /* second component is non-empty */ | ||
| 57 | + && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ | ||
| 58 | && !PORT_Strncasecmp(cn, hn, wildcard - cn) | ||
| 59 | - && !PORT_Strcasecmp(firstcndot, firsthndot)) { | ||
| 60 | + && !PORT_Strcasecmp(firstcndot, firsthndot) | ||
| 61 | + /* If hn starts with xn--, then cn must start with wildcard */ | ||
| 62 | + && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { | ||
| 63 | /* valid wildcard pattern match */ | ||
| 64 | return SECSuccess; | ||
| 65 | } | ||
| 66 | -- | ||
| 67 | 1.7.9.5 | ||
| 68 | |||
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index 404deccd8a..fbe4001f0e 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc | |||
| @@ -18,6 +18,7 @@ SRC_URI = "\ | |||
| 18 | file://nss-fix-incorrect-shebang-of-perl.patch \ | 18 | file://nss-fix-incorrect-shebang-of-perl.patch \ |
| 19 | file://nss-3.15.1-fix-CVE-2013-1741.patch \ | 19 | file://nss-3.15.1-fix-CVE-2013-1741.patch \ |
| 20 | file://nss-3.15.1-fix-CVE-2013-5605.patch \ | 20 | file://nss-3.15.1-fix-CVE-2013-5605.patch \ |
| 21 | file://nss-CVE-2014-1492.patch \ | ||
| 21 | " | 22 | " |
| 22 | SRC_URI_append_class-target = "\ | 23 | SRC_URI_append_class-target = "\ |
| 23 | file://nss.pc.in \ | 24 | file://nss.pc.in \ |