Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2013-11-20 10:48:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss" Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2013-09-29 17:50:28.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new/mozilla-nss.changes 2013-11-20 10:48:48.000000000 +0100 @@ -1,0 +2,11 @@ +Mon Nov 11 22:11:57 UTC 2013 - [email protected] + +- update to 3.15.3 (bnc#850148) + * CERT_VerifyCert returns SECSuccess (saying certificate is good) + even for bad certificates, when the CERTVerifyLog log parameter + is given (bmo#910438) + * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello + (bmo#919677) + * fix CVE-2013-5605 + +------------------------------------------------------------------- Old: ---- nss-3.15.2.tar.gz New: ---- nss-3.15.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.QbG10d/_old 2013-11-20 10:48:49.000000000 +0100 +++ /var/tmp/diff_new_pack.QbG10d/_new 2013-11-20 10:48:49.000000000 +0100 @@ -25,7 +25,7 @@ BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.15.2 +Version: 3.15.3 Release: 0 # bug437293 %ifarch ppc64 @@ -36,8 +36,8 @@ License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -# hg clone https://hg.mozilla.org/projects/nss; hg up NSS_3_15_1_RTM -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_2_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.15.3 ; cd nss-3.15.3 ; hg up NSS_3_15_3_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_3_RTM/src/nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in Source4: %{name}-rpmlintrc @@ -75,8 +75,8 @@ %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server -applications. Applications built with NSS can support SSL v2 and v3, -TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. @@ -95,11 +95,10 @@ %description devel Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server -applications. Applications built with NSS can support SSL v2 and v3, -TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. - %package tools Summary: Tools for developing, debugging, and managing applications that use NSS Group: System/Management @@ -130,8 +129,8 @@ %description -n libfreebl3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server -applications. Applications built with NSS can support SSL v2 and v3, -TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This package installs the freebl library from NSS. @@ -145,8 +144,8 @@ %description -n libsoftokn3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server -applications. Applications built with NSS can support SSL v2 and v3, -TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. Network Security Services Softoken Cryptographic Module ++++++ nss-3.15.2.tar.gz -> nss-3.15.3.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/.hg_archival.txt new/nss-3.15.3/nss/.hg_archival.txt --- old/nss-3.15.2/nss/.hg_archival.txt 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/.hg_archival.txt 2013-11-09 18:23:30.000000000 +0100 @@ -1,4 +1,4 @@ repo: 9949429068caa6bb8827a8ceeaa7c605d722f47f -node: d7713e6888f1306b8f4e8afe6e5f897360007362 -branch: default -tag: NSS_3_15_2_RTM +node: d203c95e5c72425ab115b8e4067f7aa4f28339e0 +branch: NSS_3_15_3_RELEASE_BRANCH +tag: NSS_3_15_3_RTM diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/lib/certhigh/certvfy.c new/nss-3.15.3/nss/lib/certhigh/certvfy.c --- old/nss-3.15.2/nss/lib/certhigh/certvfy.c 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/lib/certhigh/certvfy.c 2013-11-09 18:23:30.000000000 +0100 @@ -1312,7 +1312,7 @@ PORT_SetError(SEC_ERROR_UNTRUSTED_CERT); LOG_ERROR_OR_EXIT(log,cert,0,flags); } else if (trusted) { - goto winner; + goto done; } @@ -1340,7 +1340,10 @@ } } -winner: +done: + if (log && log->head) { + return SECFailure; + } return(SECSuccess); loser: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/lib/nss/nss.h new/nss-3.15.3/nss/lib/nss/nss.h --- old/nss-3.15.2/nss/lib/nss/nss.h 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/lib/nss/nss.h 2013-11-09 18:23:30.000000000 +0100 @@ -33,10 +33,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define NSS_VERSION "3.15.2" _NSS_ECC_STRING _NSS_CUSTOMIZED +#define NSS_VERSION "3.15.3" _NSS_ECC_STRING _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 15 -#define NSS_VPATCH 2 +#define NSS_VPATCH 3 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/lib/softoken/softkver.h new/nss-3.15.3/nss/lib/softoken/softkver.h --- old/nss-3.15.2/nss/lib/softoken/softkver.h 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/lib/softoken/softkver.h 2013-11-09 18:23:30.000000000 +0100 @@ -25,10 +25,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]" */ -#define SOFTOKEN_VERSION "3.15.2" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.15.3" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 15 -#define SOFTOKEN_VPATCH 2 +#define SOFTOKEN_VPATCH 3 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/lib/ssl/ssl3con.c new/nss-3.15.3/nss/lib/ssl/ssl3con.c --- old/nss-3.15.2/nss/lib/ssl/ssl3con.c 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/lib/ssl/ssl3con.c 2013-11-09 18:23:30.000000000 +0100 @@ -110,31 +110,31 @@ { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #ifdef NSS_ENABLE_ECC - { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, #endif /* NSS_ENABLE_ECC */ { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { SSL_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { SSL_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, @@ -593,8 +593,9 @@ } static PRBool -ssl3_CipherSuiteAllowedForVersion(ssl3CipherSuite cipherSuite, - SSL3ProtocolVersion version) +ssl3_CipherSuiteAllowedForVersionRange( + ssl3CipherSuite cipherSuite, + const SSLVersionRange *vrange) { switch (cipherSuite) { /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or @@ -611,7 +612,7 @@ * SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5: never implemented * SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA: never implemented */ - return version <= SSL_LIBRARY_VERSION_TLS_1_0; + return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0; case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: case TLS_RSA_WITH_AES_256_CBC_SHA256: case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: @@ -623,7 +624,7 @@ case TLS_RSA_WITH_AES_128_CBC_SHA256: case TLS_RSA_WITH_AES_128_GCM_SHA256: case TLS_RSA_WITH_NULL_SHA256: - return version >= SSL_LIBRARY_VERSION_TLS_1_2; + return vrange->max >= SSL_LIBRARY_VERSION_TLS_1_2; default: return PR_TRUE; } @@ -766,7 +767,8 @@ } -/* return PR_TRUE if suite matches policy and enabled state */ +/* return PR_TRUE if suite matches policy, enabled state and is applicable to + * the given version range. */ /* It would be a REALLY BAD THING (tm) if we ever permitted the use ** of a cipher that was NOT_ALLOWED. So, if this is ever called with ** policy == SSL_NOT_ALLOWED, report no match. @@ -774,7 +776,8 @@ /* adjust suite enabled to the availability of a token that can do the * cipher suite. */ static PRBool -config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled) +config_match(ssl3CipherSuiteCfg *suite, int policy, PRBool enabled, + const SSLVersionRange *vrange) { PORT_Assert(policy != SSL_NOT_ALLOWED && enabled != PR_FALSE); if (policy == SSL_NOT_ALLOWED || !enabled) @@ -782,10 +785,13 @@ return (PRBool)(suite->enabled && suite->isPresent && suite->policy != SSL_NOT_ALLOWED && - suite->policy <= policy); + suite->policy <= policy && + ssl3_CipherSuiteAllowedForVersionRange( + suite->cipher_suite, vrange)); } -/* return number of cipher suites that match policy and enabled state */ +/* return number of cipher suites that match policy, enabled state and are + * applicable for the configured protocol version range. */ /* called from ssl3_SendClientHello and ssl3_ConstructV2CipherSpecsHack */ static int count_cipher_suites(sslSocket *ss, int policy, PRBool enabled) @@ -796,7 +802,7 @@ return 0; } for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { - if (config_match(&ss->cipherSuites[i], policy, enabled)) + if (config_match(&ss->cipherSuites[i], policy, enabled, &ss->vrange)) count++; } if (count <= 0) { @@ -813,6 +819,11 @@ Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen, const unsigned char *input, int inputLen) { + if (inputLen > maxOutputLen) { + *outputLen = 0; /* Match PK11_CipherOp in setting outputLen */ + PORT_SetError(SEC_ERROR_OUTPUT_LEN); + return SECFailure; + } *outputLen = inputLen; if (input != output) PORT_Memcpy(output, input, inputLen); @@ -5089,7 +5100,7 @@ } for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; - if (config_match(suite, ss->ssl3.policy, PR_TRUE)) { + if (config_match(suite, ss->ssl3.policy, PR_TRUE, &ss->vrange)) { actual_count++; if (actual_count > num_suites) { /* set error card removal/insertion error */ @@ -6124,15 +6135,19 @@ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; if (temp == suite->cipher_suite) { - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) { + SSLVersionRange vrange = {ss->version, ss->version}; + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { + /* config_match already checks whether the cipher suite is + * acceptable for the version, but the check is repeated here + * in order to give a more precise error code. */ + if (!ssl3_CipherSuiteAllowedForVersionRange(temp, &vrange)) { + desc = handshake_failure; + errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; + goto alert_loser; + } + break; /* failure */ } - if (!ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, - ss->version)) { - desc = handshake_failure; - errCode = SSL_ERROR_CIPHER_DISALLOWED_FOR_VERSION; - goto alert_loser; - } suite_found = PR_TRUE; break; /* success */ @@ -7521,6 +7536,9 @@ */ if (sid) do { ssl3CipherSuiteCfg *suite; +#ifdef PARANOID + SSLVersionRange vrange = {ss->version, ss->version}; +#endif /* Check that the cached compression method is still enabled. */ if (!compressionEnabled(ss, sid->u.ssl3.compression)) @@ -7549,7 +7567,7 @@ * The product policy won't change during the process lifetime. * Implemented ("isPresent") shouldn't change for servers. */ - if (!config_match(suite, ss->ssl3.policy, PR_TRUE)) + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) break; #else if (!suite->enabled) @@ -7597,9 +7615,8 @@ */ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || - !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, - ss->version)) { + SSLVersionRange vrange = {ss->version, ss->version}; + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { continue; } for (i = 0; i + 1 < suites.len; i += 2) { @@ -8131,9 +8148,8 @@ */ for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) { ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j]; - if (!config_match(suite, ss->ssl3.policy, PR_TRUE) || - !ssl3_CipherSuiteAllowedForVersion(suite->cipher_suite, - ss->version)) { + SSLVersionRange vrange = {ss->version, ss->version}; + if (!config_match(suite, ss->ssl3.policy, PR_TRUE, &vrange)) { continue; } for (i = 0; i+2 < suite_length; i += 3) { @@ -11569,7 +11585,7 @@ /* ssl3_config_match_init was called by the caller of this function. */ for (i = 0; i < ssl_V3_SUITES_IMPLEMENTED; i++) { ssl3CipherSuiteCfg *suite = &ss->cipherSuites[i]; - if (config_match(suite, SSL_ALLOWED, PR_TRUE)) { + if (config_match(suite, SSL_ALLOWED, PR_TRUE, &ss->vrange)) { if (cs != NULL) { *cs++ = 0x00; *cs++ = (suite->cipher_suite >> 8) & 0xFF; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/lib/ssl/sslenum.c new/nss-3.15.3/nss/lib/ssl/sslenum.c --- old/nss-3.15.2/nss/lib/ssl/sslenum.c 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/lib/ssl/sslenum.c 2013-11-09 18:23:30.000000000 +0100 @@ -57,31 +57,31 @@ /* 128-bit */ #ifdef NSS_ENABLE_ECC - TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, - TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, #endif /* NSS_ENABLE_ECC */ TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, - TLS_DHE_DSS_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_RC4_128_SHA, #ifdef NSS_ENABLE_ECC - TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, - TLS_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA, #endif /* NSS_ENABLE_ECC */ TLS_RSA_WITH_SEED_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, - SSL_RSA_WITH_RC4_128_SHA, - SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, + SSL_RSA_WITH_RC4_128_SHA, + SSL_RSA_WITH_RC4_128_MD5, /* 112-bit 3DES */ #ifdef NSS_ENABLE_ECC diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/lib/util/nssutil.h new/nss-3.15.3/nss/lib/util/nssutil.h --- old/nss-3.15.2/nss/lib/util/nssutil.h 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/lib/util/nssutil.h 2013-11-09 18:23:30.000000000 +0100 @@ -19,10 +19,10 @@ * The format of the version string should be * "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]" */ -#define NSSUTIL_VERSION "3.15.2" +#define NSSUTIL_VERSION "3.15.3" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 15 -#define NSSUTIL_VPATCH 2 +#define NSSUTIL_VPATCH 3 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nss-3.15.2/nss/lib/util/secport.c new/nss-3.15.3/nss/lib/util/secport.c --- old/nss-3.15.2/nss/lib/util/secport.c 2013-09-25 15:57:55.000000000 +0200 +++ new/nss-3.15.3/nss/lib/util/secport.c 2013-11-09 18:23:30.000000000 +0100 @@ -69,13 +69,22 @@ PORTCharConversionFunc ucs2Utf8ConvertFunc; PORTCharConversionWSwapFunc ucs2AsciiConvertFunc; +/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc) + * use the PRUint32 type for the size parameter. Before we pass a size_t or + * unsigned long size to these functions, we need to ensure it is <= half of + * the maximum PRUint32 value to avoid truncation and catch a negative size. + */ +#define MAX_SIZE (PR_UINT32_MAX >> 1) + void * PORT_Alloc(size_t bytes) { - void *rv; + void *rv = NULL; - /* Always allocate a non-zero amount of bytes */ - rv = (void *)PR_Malloc(bytes ? bytes : 1); + if (bytes <= MAX_SIZE) { + /* Always allocate a non-zero amount of bytes */ + rv = PR_Malloc(bytes ? bytes : 1); + } if (!rv) { ++port_allocFailures; PORT_SetError(SEC_ERROR_NO_MEMORY); @@ -86,9 +95,11 @@ void * PORT_Realloc(void *oldptr, size_t bytes) { - void *rv; + void *rv = NULL; - rv = (void *)PR_Realloc(oldptr, bytes); + if (bytes <= MAX_SIZE) { + rv = PR_Realloc(oldptr, bytes); + } if (!rv) { ++port_allocFailures; PORT_SetError(SEC_ERROR_NO_MEMORY); @@ -99,10 +110,12 @@ void * PORT_ZAlloc(size_t bytes) { - void *rv; + void *rv = NULL; - /* Always allocate a non-zero amount of bytes */ - rv = (void *)PR_Calloc(1, bytes ? bytes : 1); + if (bytes <= MAX_SIZE) { + /* Always allocate a non-zero amount of bytes */ + rv = PR_Calloc(1, bytes ? bytes : 1); + } if (!rv) { ++port_allocFailures; PORT_SetError(SEC_ERROR_NO_MEMORY); @@ -209,6 +222,10 @@ { PORTArenaPool *pool; + if (chunksize > MAX_SIZE) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } pool = PORT_ZNew(PORTArenaPool); if (!pool) { return NULL; @@ -224,8 +241,6 @@ return(&pool->arena); } -#define MAX_SIZE 0x7fffffffUL - void * PORT_ArenaAlloc(PLArenaPool *arena, size_t size) { @@ -330,6 +345,11 @@ PORTArenaPool *pool = (PORTArenaPool *)arena; PORT_Assert(newsize >= oldsize); + if (newsize > MAX_SIZE) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; + } + if (ARENAPOOL_MAGIC == pool->magic ) { PZ_Lock(pool->lock); /* Do we do a THREADMARK check here? */ -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
