nss: CVE-2014-1544 the patch comes from: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1544 https://hg.mozilla.org/projects/nss/rev/204f22c527f8 author Robert Relyea https://bugzilla.mozilla.org/show_bug.cgi?id=963150 Bug 963150: Add nssCertificate_AddRef and nssCertificate_Destroy calls to PK11_ImportCert to prevent nssTrustDomain_AddCertsToCache from freeing the CERTCertificate associated with the NSSCertificate. r=wtc. Upstream-Status: Pending Signed-off-by: Li Wang --- nss/lib/pk11wrap/pk11cert.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nss/lib/pk11wrap/pk11cert.c b/nss/lib/pk11wrap/pk11cert.c index 39168b9..3f3edb1 100644 --- a/nss/lib/pk11wrap/pk11cert.c +++ b/nss/lib/pk11wrap/pk11cert.c @@ -981,8 +981,15 @@ PK11_ImportCert(PK11SlotInfo *slot, CERTCertificate *cert, * CERTCertificate, and finish */ nssPKIObject_AddInstance(&c->object, certobj); + /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and + * replace 'c' by a different value. So we add a reference to 'c' to + * prevent 'c' from being destroyed. */ + nssCertificate_AddRef(c); nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1); + /* XXX should we pass the original value of 'c' to + * STAN_ForceCERTCertificateUpdate? */ (void)STAN_ForceCERTCertificateUpdate(c); + nssCertificate_Destroy(c); SECITEM_FreeItem(keyID,PR_TRUE); return SECSuccess; loser: -- 1.7.9.5