Hello community,

here is the log from the commit of package mozilla-nss for openSUSE:11.3
checked in at Tue Nov 8 21:05:38 CET 2011.



--------
--- old-versions/11.3/UPDATES/all/mozilla-nss/mozilla-nss.changes       
2011-09-02 17:49:38.000000000 +0200
+++ 11.3/mozilla-nss/mozilla-nss.changes        2011-11-05 13:00:03.000000000 
+0100
@@ -1,0 +2,18 @@
+Sat Nov  5 10:47:51 UTC 2011 - [email protected]
+
+- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
+- make sure NSS_NoDB_Init does not try to use wrong certificate
+  databases (CVE-2011-3640, bnc#726096, bmo#641052)
+
+-------------------------------------------------------------------
+Fri Sep 30 23:27:07 UTC 2011 - [email protected]
+
+- Workaround qemu-arm bugs.
+
+-------------------------------------------------------------------
+Fri Sep  9 05:44:15 UTC 2011 - [email protected]
+
+- explicitely distrust/override DigiNotar certs (bmo#683261)
+  (trustdb version 1.87)
+
+-------------------------------------------------------------------
@@ -4 +22 @@
-- removed DigiNotar root certifiate from trusted db
+- removed DigiNotar root certificate from trusted db

calling whatdependson for 11.3-i586


Old:
----
  nss-3.12.11-diginotar.patch

New:
----
  ckbi-1_88.patch
  nss-3.12.11_CVE-2011-3640.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.7jCHmk/_old  2011-11-08 20:54:51.000000000 +0100
+++ /var/tmp/diff_new_pack.7jCHmk/_new  2011-11-08 20:54:51.000000000 +0100
@@ -30,7 +30,7 @@
 %endif
 License:        MPLv1.1 or GPLv2+ or LGPLv2.1+
 Version:        3.12.11
-Release:        1.<RELEASE4>
+Release:        1.<RELEASE6>
 # bug437293
 %ifarch ppc64
 Obsoletes:      mozilla-nss-64bit
@@ -56,7 +56,8 @@
 Patch5:         nss-no-rpath.patch
 Patch6:         renegotiate-transitional.patch
 Patch9:         malloc.patch
-Patch10:        nss-3.12.11-diginotar.patch
+Patch10:        ckbi-1_88.patch
+Patch11:        nss-3.12.11_CVE-2011-3640.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@@ -64,7 +65,7 @@
 Requires:       mozilla-nss-certs
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define nssdbdir %{_sysconfdir}/pki/nssdb
-%ifnarch %sparc
+%ifnarch %sparc && ! 0%{?qemu_user_space_build}
 %define run_testsuite 1
 %endif
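Review bot: `%ifnarch` takes a list of architecture names, not a boolean expression, so in `%ifnarch %sparc && ! 0%{?qemu_user_space_build}` the tokens after `%sparc` are most likely read as further, never-matching architectures and the qemu condition has no effect. If the intent is to skip the test suite in qemu user-space builds, keep `%ifnarch %sparc` and nest `%if ! 0%{?qemu_user_space_build}` around `%define run_testsuite 1`, each with its own `%endif`. It is worth confirming with a build where `qemu_user_space_build` is set that `run_testsuite` stays undefined.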
 
@@ -174,7 +175,8 @@
 %if %suse_version > 1110
 %patch9
 %endif
-%patch10 -p2
+%patch10 -p1
+%patch11
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt


++++++ ckbi-1_88.patch ++++++
++++ 3930 lines (skipped)


++++++ nss-3.12.11_CVE-2011-3640.patch ++++++
Index: security/nss/lib/softoken/sftkmod.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v
retrieving revision 1.7
diff -u -p -r1.7 sftkmod.c
--- security/nss/lib/softoken/sftkmod.c 11 Jun 2009 06:28:07 -0000      1.7
+++ security/nss/lib/softoken/sftkmod.c 5 Nov 2011 11:55:24 -0000
@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
     char *sep;
 
     sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
-#ifdef WINDOWS
+#ifdef _WIN32
     if (!sep) {
-       sep = PORT_Strrchr(dirPath,'/');
+       /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
+       sep = PORT_Strrchr(dirPath,'\\');
     }
 #endif
     if (sep) {
-       *(sep)=0;
+       *sep = 0;
+       file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+    } else {
+       file = PR_smprintf("%s", filename);
     }
-    file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
     PORT_Free(dirPath);
     return file;
 }
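Review bot: The new `else` branch returns the bare `filename` when `dirPath` has no separator, so whatever opens the result resolves it against the process's current working directory. Since this patch is about not picking up the wrong database, that fallback deserves at least a comment such as `/* no directory component: name is relative to the cwd */`, or a deliberate decision to return NULL there instead. Separately, neither `PR_smprintf` result is checked, so an allocation failure hands NULL back to the caller; whether the caller in `sftkdb_ReadSecmodDB` tolerates a NULL `olddbname` is not visible in these hunks. The function starts outside the hunk, so the origin of `dirPath` is not shown either.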
@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
     char *paramsValue=NULL;
     PRBool failed = PR_TRUE;
 
-    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+    if ((dbname != NULL) &&
+               ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
        return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
     }
 
     moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
     if (moduleList == NULL) return NULL;
 
+    if (dbname == NULL) {
+       goto return_default;
+    }
+
     /* do we really want to use streams here */
     fd = fopen(dbname, "r");
     if (fd == NULL) goto done;
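Review bot: The `goto return_default` added for `dbname == NULL` has no comment saying when `dbname` is NULL or why the jump must skip the `done:` fallback. A line such as `/* dbname is NULL for flags=noModDB: touch no file, return only the default module spec */` above the check would state the intent. The jump lands on the `return_default:` label added in a later hunk of this function and bypasses both `fopen` and the old-database lookup, so the code after the label may rely only on variables initialised at their declaration. The declarations and the tail of the function are outside these hunks and should be checked for that.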
@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
        moduleString = NULL;
     }
 done:
-    /* if we couldn't open a pkcs11 database, look for the old one */
+    /* If we couldn't open a pkcs11 database, look for the old one.
+     * This is necessary to maintain the semantics of the transition from
+     * old to new DB's. If there is an old DB and not new DB, we will
+     * automatically use the old DB. If the DB was opened read/write, we
+     * create a new db and upgrade it from the old one. */
     if (fd == NULL) {
        char *olddbname = sftk_getOldSecmodName(dbname,filename);
        PRStatus status;
@@ -462,6 +474,8 @@ bail:
            PR_smprintf_free(olddbname);
        }
     }
+
+return_default:
        
     if (!moduleList[0]) {
        char * newParams;
@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
                        const char *filename, const char *dbname, 
                        char **moduleSpecList, PRBool rw)
 {
-    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+    if ((dbname != NULL) &&
+               ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
        return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname, 
                                          moduleSpecList, rw);
     }
@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
     PRBool skip = PR_FALSE;
     PRBool found = PR_FALSE;
 
+    if (dbname == NULL) {
+       return SECFailure;
+    }
+
     if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
        return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
     }
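Review bot: The new `dbname == NULL` guard returns `SECFailure` without recording an error code, so a caller that inspects the error after the failure sees whatever was set earlier. Adding `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before the `return` would make the rejection diagnosable. The identical guard in the `sftkdb_AddSecmodDB` hunk that follows has the same gap. Whether the other failure paths of these two functions set an error is not visible, because both bodies continue outside the hunks.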
@@ -668,6 +687,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
     char *block = NULL;
     PRBool libFound = PR_FALSE;
 
+    if (dbname == NULL) {
+       return SECFailure;
+    }
+
     if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
        return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
     }
Index: security/nss/lib/softoken/sftkpars.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v
retrieving revision 1.11
diff -u -p -r1.11 sftkpars.c
--- security/nss/lib/softoken/sftkpars.c        18 Jun 2010 04:09:27 -0000      
1.11
+++ security/nss/lib/softoken/sftkpars.c        5 Nov 2011 11:55:24 -0000
@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType 
     char *value = NULL;
     char *save_params = param;
     const char *lconfigdir;
+    PRBool noModDB = PR_FALSE;
     param = sftk_argStrip(param);
        
 
@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType 
 
    if (sftk_argHasFlag("flags","noModDB",save_params)) {
        /* there isn't a module db, don't load the legacy support */
+       noModDB = PR_TRUE;
        *dbType = SDB_SQL;
+       PORT_Free(*filename);
+       *filename = NULL;
         *rw = PR_FALSE;
    }
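Review bot: `PORT_Free(*filename)` releases a buffer whose allocation is outside the hunk, and if `secmodName` still points at the same string (the assignment is not shown) it dangles from this line on. That appears harmless today only because the `noModDB` branch in the next hunk never reads `secmodName`. A one-line comment such as `/* secmodName may alias *filename; do not use it past this point when noModDB is set */` would protect that ordering against later edits.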
 
@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType 
        secmodName="pkcs11.txt";
    }
 
-   if (lconfigdir) {
+   if (noModDB) {
+       value = NULL;
+   } else if (lconfigdir && lconfigdir[0] != '\0') {
        value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
    } else {
        value = PR_smprintf("%s",secmodName);
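Review bot: With this change `sftk_getSecmodName` returns NULL and leaves `*filename` NULL when `flags=noModDB` is present, a new contract that nothing in the hunk documents. The sftkmod.c hunks of this patch add `dbname` NULL checks to four entry points, but any other consumer of the return value or of `*filename` needs the same audit. I would add a header comment on the function stating that a NULL return means "no module database, open no file". A note beside the final `else` should say that a missing or empty `configdir` still yields a bare `secmodName`, i.e. a path relative to the current directory.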