2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch
new file mode 100644
index 0000000000..d6434dfe23
--- /dev/null
+++ b/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch
@@ -0,0 +1,41 @@
+nss: CVE-2014-1544
+the patch comes from:
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544
+https://hg.mozilla.org/projects/nss/rev/204f22c527f8
+author  Robert Relyea <rrelyea@redhat.com>
+https://bugzilla.mozilla.org/show_bug.cgi?id=963150
+Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls
+to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from
+freeing the CERTCertificate associated with the NSSCertificate. r=wtc.
+Upstream-Status: Pending
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ nss/lib/pk11wrap/pk11cert.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/nss/lib/pk11wrap/pk11cert.c b/nss/lib/pk11wrap/pk11cert.c
+index 39168b9..3f3edb1 100644
+--- a/nss/lib/pk11wrap/pk11cert.c
+++ b/nss/lib/pk11wrap/pk11cert.c
+@@ -981,8 +981,15 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert,
+      * CERTCertificate, and finish
+      */
+     nssPKIObject_AddInstance(&c->object, certobj);
+    /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
+     * replace 'c' by a different value. So we add a reference to 'c' to
+     * prevent 'c' from being destroyed. */
+    nssCertificate_AddRef(c);
+     nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
+    /* XXX should we pass the original value of 'c' to
+     * STAN_ForceCERTCertificateUpdate? */
+     (void)STAN_ForceCERTCertificateUpdate(c);
+    nssCertificate_Destroy(c);
+     SECITEM_FreeItem(keyID,PR_TRUE);
+     return SECSuccess;
+ loser:
+-- 
+1.7.9.5
diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc
index 69f98b58cd..d706c43cab 100644
--- a/meta/recipes-support/nss/nss.inc
+++ b/meta/recipes-support/nss/nss.inc
@@ -22,6 +22,7 @@ SRC_URI = "\
    file://nss-CVE-2013-1740.patch \
    file://nss-3.15.1-fix-CVE-2013-1739.patch \
    file://nss-CVE-2013-5606.patch \
+    file://nss-CVE-2014-1544.patch \
 "
 SRC_URI_append_class-target = "\
    file://nss.pc.in \

diff --git a/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch b/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch new file mode 100644 index 0000000000..d6434dfe23 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-CVE-2014-1544.patch
@@ -0,0 +1,41 @@
		1	nss: CVE-2014-1544
		2
		3	the patch comes from:
		4	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544
		5	https://hg.mozilla.org/projects/nss/rev/204f22c527f8
		6
		7	author Robert Relyea <rrelyea@redhat.com>
		8	https://bugzilla.mozilla.org/show_bug.cgi?id=963150
		9	Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls
		10	to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from
		11	freeing the CERTCertificate associated with the NSSCertificate. r=wtc.
		12
		13	Upstream-Status: Pending
		14	Signed-off-by: Li Wang <li.wang@windriver.com>
		15	---
		16	nss/lib/pk11wrap/pk11cert.c \| 7 +++++++
		17	1 file changed, 7 insertions(+)
		18
		19	diff --git a/nss/lib/pk11wrap/pk11cert.c b/nss/lib/pk11wrap/pk11cert.c
		20	index 39168b9..3f3edb1 100644
		21	--- a/nss/lib/pk11wrap/pk11cert.c
		22	+++ b/nss/lib/pk11wrap/pk11cert.c
		23	@@ -981,8 +981,15 @@ PK11_ImportCert(PK11SlotInfo slot, CERTCertificate cert,
		24	* CERTCertificate, and finish
		25	*/
		26	nssPKIObject_AddInstance(&c->object, certobj);
		27	+ /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
		28	+ * replace 'c' by a different value. So we add a reference to 'c' to
		29	+ * prevent 'c' from being destroyed. */
		30	+ nssCertificate_AddRef(c);
		31	nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
		32	+ /* XXX should we pass the original value of 'c' to
		33	+ * STAN_ForceCERTCertificateUpdate? */
		34	(void)STAN_ForceCERTCertificateUpdate(c);
		35	+ nssCertificate_Destroy(c);
		36	SECITEM_FreeItem(keyID,PR_TRUE);
		37	return SECSuccess;
		38	loser:
		39	--
		40	1.7.9.5
		41


diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index 69f98b58cd..d706c43cab 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc
@@ -22,6 +22,7 @@ SRC_URI = "\
22	file://nss-CVE-2013-1740.patch \	22	file://nss-CVE-2013-1740.patch \
23	file://nss-3.15.1-fix-CVE-2013-1739.patch \	23	file://nss-3.15.1-fix-CVE-2013-1739.patch \
24	file://nss-CVE-2013-5606.patch \	24	file://nss-CVE-2013-5606.patch \
		25	file://nss-CVE-2014-1544.patch \
25	"	26	"
26	SRC_URI_append_class-target = "\	27	SRC_URI_append_class-target = "\
27	file://nss.pc.in \	28	file://nss.pc.in \