summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/nss
diff options
context:
space:
mode:
authorLi Wang <li.wang@windriver.com>2014-05-19 13:42:52 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2014-05-21 09:09:00 +0100
commit64f817458afb005b4fd32ad7347c24779938e1da (patch)
treead587321bcb9449835007954eff7b5a592f85013 /meta/recipes-support/nss
parent09f471bfd03952c617233431d7735f91a6e7f3cf (diff)
downloadpoky-64f817458afb005b4fd32ad7347c24779938e1da.tar.gz
nss: CVE-2014-1492
the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492 https://bugzilla.mozilla.org/show_bug.cgi?id=903885 changeset: 11063:709d4e597979 user: Kai Engert <kaie@kuix.de> date: Wed Mar 05 18:38:55 2014 +0100 summary: Bug 903885, address requests to clarify comments from wtc changeset: 11046:2ffa40a3ff55 tag: tip user: Wan-Teh Chang <wtc@google.com> date: Tue Feb 25 18:17:08 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling v4, r=kaie changeset: 11045:15ea62260c21 user: Christian Heimes <sites@cheimes.de> date: Mon Feb 24 17:50:25 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling, r=kaie (From OE-Core rev: a83a1b26704f1f3aadaa235bf38094f03b3610fd) Signed-off-by: Li Wang <li.wang@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-support/nss')
-rw-r--r--meta/recipes-support/nss/files/nss-CVE-2014-1492.patch68
-rw-r--r--meta/recipes-support/nss/nss.inc1
2 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch
new file mode 100644
index 0000000000..1be8a17870
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2014-1492.patch
@@ -0,0 +1,68 @@
1nss: CVE-2014-1492
2
3Upstream-Status: Backport
4
5the patch comes from:
6http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492
7https://bugzilla.mozilla.org/show_bug.cgi?id=903885
8
9changeset: 11063:709d4e597979
10user: Kai Engert <kaie@kuix.de>
11date: Wed Mar 05 18:38:55 2014 +0100
12summary: Bug 903885, address requests to clarify comments from wtc
13
14changeset: 11046:2ffa40a3ff55
15tag: tip
16user: Wan-Teh Chang <wtc@google.com>
17date: Tue Feb 25 18:17:08 2014 +0100
18summary: Bug 903885, fix IDNA wildcard handling v4, r=kaie
19
20changeset: 11045:15ea62260c21
21user: Christian Heimes <sites@cheimes.de>
22date: Mon Feb 24 17:50:25 2014 +0100
23summary: Bug 903885, fix IDNA wildcard handling, r=kaie
24
25Signed-off-by: Li Wang <li.wang@windriver.com>
26---
27 nss/lib/certdb/certdb.c | 15 +++++++++------
28 1 file changed, 9 insertions(+), 6 deletions(-)
29
30diff --git a/nss/lib/certdb/certdb.c b/nss/lib/certdb/certdb.c
31index b7d22bd..91877b7 100644
32--- a/nss/lib/certdb/certdb.c
33+++ b/nss/lib/certdb/certdb.c
34@@ -1381,7 +1381,7 @@ cert_TestHostName(char * cn, const char * hn)
35 return rv;
36 }
37 } else {
38- /* New approach conforms to RFC 2818. */
39+ /* New approach conforms to RFC 6125. */
40 char *wildcard = PORT_Strchr(cn, '*');
41 char *firstcndot = PORT_Strchr(cn, '.');
42 char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL;
43@@ -1390,14 +1390,17 @@ cert_TestHostName(char * cn, const char * hn)
44 /* For a cn pattern to be considered valid, the wildcard character...
45 * - may occur only in a DNS name with at least 3 components, and
46 * - may occur only as last character in the first component, and
47- * - may be preceded by additional characters
48+ * - may be preceded by additional characters, and
49+ * - must not be preceded by an IDNA ACE prefix (xn--)
50 */
51 if (wildcard && secondcndot && secondcndot[1] && firsthndot
52- && firstcndot - wildcard == 1
53- && secondcndot - firstcndot > 1
54- && PORT_Strrchr(cn, '*') == wildcard
55+ && firstcndot - wildcard == 1 /* wildcard is last char in first component */
56+ && secondcndot - firstcndot > 1 /* second component is non-empty */
57+ && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
58 && !PORT_Strncasecmp(cn, hn, wildcard - cn)
59- && !PORT_Strcasecmp(firstcndot, firsthndot)) {
60+ && !PORT_Strcasecmp(firstcndot, firsthndot)
61+ /* If hn starts with xn--, then cn must start with wildcard */
62+ && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
63 /* valid wildcard pattern match */
64 return SECSuccess;
65 }
66--
671.7.9.5
68
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index 404deccd8a..fbe4001f0e 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -18,6 +18,7 @@ SRC_URI = "\
18 file://nss-fix-incorrect-shebang-of-perl.patch \ 18 file://nss-fix-incorrect-shebang-of-perl.patch \
19 file://nss-3.15.1-fix-CVE-2013-1741.patch \ 19 file://nss-3.15.1-fix-CVE-2013-1741.patch \
20 file://nss-3.15.1-fix-CVE-2013-5605.patch \ 20 file://nss-3.15.1-fix-CVE-2013-5605.patch \
21 file://nss-CVE-2014-1492.patch \
21" 22"
22SRC_URI_append_class-target = "\ 23SRC_URI_append_class-target = "\
23 file://nss.pc.in \ 24 file://nss.pc.in \