Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2013-04-05 09:29:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2013-03-01 10:52:37.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new/mozilla-nss.changes 2013-04-05 09:29:13.000000000 +0200 @@ -1,0 +2,9 @@ +Sun Mar 24 20:07:59 UTC 2013 - [email protected] + +- disable tests with expired certificates + (nss-disable-expired-testcerts.patch) +- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from + mozilla tree to fulfill Firefox 21 requirements + (bug-834091.patch; bmo#834091) + +------------------------------------------------------------------- @@ -27,0 +37,2 @@ + * MFSA 2013-40/CVE-2013-0791 (bmo#629816) + Out-of-bounds array read in CERT_DecodeCertPackage New: ---- bug-834091.patch nss-disable-expired-testcerts.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.K7nq9L/_old 2013-04-05 09:29:16.000000000 +0200 +++ /var/tmp/diff_new_pack.K7nq9L/_new 2013-04-05 09:29:16.000000000 +0200 @@ -55,6 +55,8 @@ Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch +Patch9: nss-disable-expired-testcerts.patch +Patch10: bug-834091.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -170,6 +172,8 @@ %endif %patch7 %patch8 +%patch9 +%patch10 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt ++++++ bug-834091.patch ++++++ Index: security/nss/lib/pkcs7/p7decode.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v retrieving revision 1.31 diff -u -8 -p -r1.31 p7decode.c --- security/nss/lib/pkcs7/p7decode.c 12 Dec 2012 19:25:36 -0000 1.31 +++ security/nss/lib/pkcs7/p7decode.c 25 Jan 2013 23:22:54 -0000 @@ -1276,17 +1276,18 @@ SEC_PKCS7ContentIsSigned(SEC_PKCS7Conten * there should be NO authenticatedAttributes (signerinfo->authAttr should * be NULL). */ static PRBool sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, const SECItem *detached_digest, HASH_HashType digest_type, - PRBool keepcerts) + PRBool keepcerts, + PRTime atTime) { SECAlgorithmID **digestalgs, *bulkid; const SECItem *digest; SECItem **digests; SECItem **rawcerts; CERTSignedCrl **crls; SEC_PKCS7SignerInfo **signerinfos, *signerinfo; CERTCertificate *cert, **certs; @@ -1294,17 +1295,18 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont CERTCertDBHandle *certdb, *defaultdb; SECOidTag encTag,digestTag; HASH_HashType found_type; int i, certcount; SECKEYPublicKey *publickey; SECItem *content_type; PK11SymKey *sigkey; SECItem *encoded_stime; - int64 stime; + PRTime stime; + PRTime verificationTime; SECStatus rv; /* * Everything needed in order to "goto done" safely. */ goodsig = PR_FALSE; certcount = 0; cert = NULL; @@ -1431,18 +1433,20 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont /* * XXX This uses the signing time, if available. Additionally, we * might want to, if there is no signing time, get the message time * from the mail header itself, and use that. That would require * a change to our interface though, and for S/MIME callers to pass * in a time (and for non-S/MIME callers to pass in nothing, or * maybe make them pass in the current time, always?). */ + verificationTime = atTime ? atTime + : (encoded_stime ? stime : PR_Now()); if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, - encoded_stime != NULL ? stime : PR_Now(), + verificationTime, cinfo->pwfn_arg, NULL) != SECSuccess) { /* * XXX Give the user an option to check the signature anyway? * If we want to do this, need to give a way to leave and display * some dialog and get the answer and come back through (or do * the rest of what we do below elsewhere, maybe by putting it * in a function that we call below and could call from a dialog @@ -1752,17 +1756,17 @@ done: * into our local database. */ PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, PRBool keepcerts) { return sec_pkcs7_verify_signature (cinfo, certusage, - NULL, HASH_AlgNULL, keepcerts); + NULL, HASH_AlgNULL, keepcerts, 0); } /* * SEC_PKCS7VerifyDetachedSignature * Look at a PKCS7 contentInfo and check if the signature matches * a passed-in digest (calculated, supposedly, from detached contents). * The verification checks that the signing cert is valid and trusted * for the purpose specified by "certusage". @@ -1774,19 +1778,44 @@ PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, const SECItem *detached_digest, HASH_HashType digest_type, PRBool keepcerts) { return sec_pkcs7_verify_signature (cinfo, certusage, detached_digest, digest_type, - keepcerts); + keepcerts, 0); } +/* + * SEC_PKCS7VerifyDetachedSignatureAtTime + * Look at a PKCS7 contentInfo and check if the signature matches + * a passed-in digest (calculated, supposedly, from detached contents). + * The verification checks that the signing cert is valid and trusted + * for the purpose specified by "certusage" at time "atTime" + * if "atTime" is non-zero, or at the current time (as returned by + * PR_Now) otherwise. + */ +PRBool +SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + const SECItem *detached_digest, + HASH_HashType digest_type, + PRBool keepcerts, + PRTime atTime) +{ + if (!atTime) { + atTime = PR_Now(); + } + + return sec_pkcs7_verify_signature (cinfo, certusage, + detached_digest, digest_type, + keepcerts, atTime); +} /* * Return the asked-for portion of the name of the signer of a PKCS7 * signed object. * * Returns a pointer to allocated memory, which must be freed. * A NULL return value is an error. */ @@ -1839,17 +1868,17 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7 */ if (signercert == NULL) { /* * The cert usage does not matter in this case, because we do not * actually care about the verification itself, but we have to pick * some valid usage to pass in. */ (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner, - NULL, HASH_AlgNULL, PR_FALSE); + NULL, HASH_AlgNULL, PR_FALSE, 0); signercert = signerinfos[0]->cert; if (signercert == NULL) return NULL; } switch (selector) { case sec_common_name: container = CERT_GetCommonName (&signercert->subject); Index: security/nss/lib/pkcs7/secpkcs7.h =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v retrieving revision 1.10 diff -u -8 -p -r1.10 secpkcs7.h --- security/nss/lib/pkcs7/secpkcs7.h 27 Nov 2012 22:48:08 -0000 1.10 +++ security/nss/lib/pkcs7/secpkcs7.h 25 Jan 2013 23:22:54 -0000 @@ -128,16 +128,33 @@ extern PRBool SEC_PKCS7VerifySignature(S * into our local database. */ extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, const SECItem *detached_digest, HASH_HashType digest_type, PRBool keepcerts); + +/* + * SEC_PKCS7VerifyDetachedSignatureAtTime + * Look at a PKCS7 contentInfo and check if the signature matches + * a passed-in digest (calculated, supposedly, from detached contents). + * The verification checks that the signing cert is valid and trusted + * for the purpose specified by "certusage" at time "atTime" + * if "atTime" is non-zero, or at the current time (as returned by + * PR_Now) otherwise. + */ +extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + const SECItem *detached_digest, + HASH_HashType digest_type, + PRBool keepcerts, + PRTime atTime); + /* * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress * The passed-in contentInfo is espected to be Signed, and these * functions return the specified portion of the full signer name. * * Returns a pointer to allocated memory, which must be freed. * A NULL return value is an error. */ Index: security/nss/lib/smime/smime.def =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/smime/smime.def,v retrieving revision 1.39 diff -u -8 -p -r1.39 smime.def --- security/nss/lib/smime/smime.def 25 Apr 2012 14:50:09 -0000 1.39 +++ security/nss/lib/smime/smime.def 25 Jan 2013 23:22:54 -0000 @@ -262,8 +262,14 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDa ;+ *; ;+}; ;+NSS_3.13 { # NSS 3.13 release ;+ global: NSSSMIME_GetVersion; ;+ local: ;+ *; ;+}; +;+NSS_3.14.3 { # NSS 3.14.3 release +;+ global: +SEC_PKCS7VerifyDetachedSignatureAtTime; +;+ local: +;+ *; +;+}; ++++++ nss-disable-expired-testcerts.patch ++++++ Index: security/nss/tests/chains/scenarios/realcerts.cfg =================================================================== RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg,v retrieving revision 1.4 diff -u -r1.4 realcerts.cfg --- security/nss/tests/chains/scenarios/realcerts.cfg 20 Mar 2012 14:47:29 -0000 1.4 +++ security/nss/tests/chains/scenarios/realcerts.cfg 3 Apr 2013 07:39:49 -0000 @@ -14,15 +14,15 @@ import PayPalEE:x: import BrAirWaysBadSig:x: -verify TestUser50:x - result pass +#verify TestUser50:x +# result pass -verify TestUser51:x - result pass +#verify TestUser51:x +# result pass -verify PayPalEE:x - policy OID.2.16.840.1.113733.1.7.23.6 - result pass +#verify PayPalEE:x +# policy OID.2.16.840.1.113733.1.7.23.6 +# result pass verify BrAirWaysBadSig:x result fail -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
