1 files changed, 48 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch b/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch
new file mode 100644
index 0000000000..f30475b16b
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch
@@ -0,0 +1,48 @@
+nss: CVE-2013-5606
+Upstream-Status: Backport
+the patch comes from:
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
+https://bugzilla.mozilla.org/show_bug.cgi?id=910438
+http://hg.mozilla.org/projects/nss/rev/d29898e0981c
+The CERT_VerifyCert function in lib/certhigh/certvfy.c in
+Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
+an unexpected return value for an incompatible key-usage certificate
+when the CERTVerifyLog argument is valid, which might allow remote
+attackers to bypass intended access restrictions via a crafted certificate.
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ nss/lib/certhigh/certvfy.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
+index f364ceb..f450205 100644
+--- a/nss/lib/certhigh/certvfy.c
+++ b/nss/lib/certhigh/certvfy.c
+@@ -1312,7 +1312,7 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+        PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
+        LOG_ERROR_OR_EXIT(log,cert,0,flags);
+     } else if (trusted) {
+-       goto winner;
+       goto done;
+     }
+ 
+ 
+@@ -1340,7 +1340,10 @@ CERT_VerifyCert(CERTCertDBHandle *handle, CERTCertificate *cert,
+        }
+     }
+ 
+-winner:
+done:
+    if (log && log->head) {
+        return SECFailure;
+    }
+     return(SECSuccess);
+ 
+ loser:
+-- 
+1.7.9.5

diff --git a/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch b/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch new file mode 100644 index 0000000000..f30475b16b --- /dev/null +++ b/meta/recipes-support/nss/files/nss-CVE-2013-5606.patch
@@ -0,0 +1,48 @@
	1	nss: CVE-2013-5606
	2
	3	Upstream-Status: Backport
	4
	5	the patch comes from:
	6	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5606
	7	https://bugzilla.mozilla.org/show_bug.cgi?id=910438
	8	http://hg.mozilla.org/projects/nss/rev/d29898e0981c
	9
	10	The CERT_VerifyCert function in lib/certhigh/certvfy.c in
	11	Mozilla Network Security Services (NSS) 3.15 before 3.15.3 provides
	12	an unexpected return value for an incompatible key-usage certificate
	13	when the CERTVerifyLog argument is valid, which might allow remote
	14	attackers to bypass intended access restrictions via a crafted certificate.
	15
	16	Signed-off-by: Li Wang <li.wang@windriver.com>
	17	---
	18	nss/lib/certhigh/certvfy.c \| 7 +++++--
	19	1 file changed, 5 insertions(+), 2 deletions(-)
	20
	21	diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
	22	index f364ceb..f450205 100644
	23	--- a/nss/lib/certhigh/certvfy.c
	24	+++ b/nss/lib/certhigh/certvfy.c
	25	@@ -1312,7 +1312,7 @@ CERT_VerifyCert(CERTCertDBHandle handle, CERTCertificate cert,
	26	PORT_SetError(SEC_ERROR_UNTRUSTED_CERT);
	27	LOG_ERROR_OR_EXIT(log,cert,0,flags);
	28	} else if (trusted) {
	29	- goto winner;
	30	+ goto done;
	31	}
	32
	33
	34	@@ -1340,7 +1340,10 @@ CERT_VerifyCert(CERTCertDBHandle handle, CERTCertificate cert,
	35	}
	36	}
	37
	38	-winner:
	39	+done:
	40	+ if (log && log->head) {
	41	+ return SECFailure;
	42	+ }
	43	return(SECSuccess);
	44
	45	loser:
	46	--
	47	1.7.9.5
	48