Date: Wednesday, December 4, 2019 @ 14:52:57 Author: heftig Revision: 370381
3.47.1-5 Modified: nss/trunk/PKGBUILD nss/trunk/nss-3.47-certdb-temp-cert.patch ---------------------------------+ PKGBUILD | 4 ++-- nss-3.47-certdb-temp-cert.patch | 29 ++++++++++++++--------------- 2 files changed, 16 insertions(+), 17 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2019-12-04 12:43:52 UTC (rev 370380) +++ PKGBUILD 2019-12-04 14:52:57 UTC (rev 370381) @@ -3,7 +3,7 @@ pkgbase=nss pkgname=(nss ca-certificates-mozilla) pkgver=3.47.1 -pkgrel=4 +pkgrel=5 pkgdesc="Network Security Services" url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"; arch=(x86_64) @@ -15,7 +15,7 @@ nss-3.47-certdb-temp-cert.patch certdata2pem.py bundle.sh) sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb' - 'd2a0631328883bdee211d02f0748c97d72ef1462f28415e85efcfb0a6d066dd3' + 'e4d7c7d6ac8c8cccd5bb23c217402922aafc1c104e46ae17a39f3c13b0e96002' '0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0' '3bfadf722da6773bdabdd25bdf78158648043d1b7e57615574f189a88ca865dd') Modified: nss-3.47-certdb-temp-cert.patch =================================================================== --- nss-3.47-certdb-temp-cert.patch 2019-12-04 12:43:52 UTC (rev 370380) +++ nss-3.47-certdb-temp-cert.patch 2019-12-04 14:52:57 UTC (rev 370381) @@ -1,20 +1,15 @@ # HG changeset patch # User Daiki Ueno <[email protected]> -# Date 1575381287 -3600 -# Tue Dec 03 14:54:47 2019 +0100 -# Node ID 5ad40d3c760edac96d22b99e4e3e916b74f903fe +# Date 1575450841 -3600 +# Wed Dec 04 10:14:01 2019 +0100 +# Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2 # Parent d64102b76a437f24d98a20480dcc9f1655143e7c -Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available +Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards Summary: -When a builtin root module is loaded after some temp certs being -loaded, our certificate lookup logic preferred those temp certs over -perm certs stored on the root module. This was a problem because such -temp certs are usually not accompanied with trust information. +When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs. -This makes the certificate lookup logic capable of handling such -situations by checking if the trust information is attached to temp -certs and otherwise falling back to perm certs. +This change makes it properly roll up the trust information, if a temp cert doesn't have trust information. Reviewers: rrelyea, keeler @@ -29,7 +24,7 @@ diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c --- a/lib/pki/pki3hack.c +++ b/lib/pki/pki3hack.c -@@ -921,14 +921,24 @@ stan_GetCERTCertificate(NSSCertificate * +@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate * } if (!cc->nssCertificate || forceUpdate) { fill_CERTCertificateFields(c, cc, forceUpdate); @@ -49,9 +44,9 @@ + */ + trust = nssTrust_GetCERTCertTrustForCert(c, cc); + } else { -+ /* If it's a temp cert, it might have been stored before -+ * the builtin module is loaded, so look for the trust -+ * again, but not set the empty trust if not found. ++ /* If it's a temp cert, it might have been stored before the ++ * builtin trust module is loaded, so look for the trust ++ * again, but don't set the empty trust if it is not found. + */ + NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c); + if (!t) { @@ -58,6 +53,10 @@ + goto loser; + } + trust = cert_trust_from_stan_trust(t, cc->arena); ++ nssTrust_Destroy(t); ++ if (!trust) { ++ goto loser; ++ } + } CERT_LockCertTrust(cc);
