Control: tags 773625 + patch
Control: tags 773625 + pending

Hi,

I've prepared an NMU for nss (versioned as 2:3.17.2-1.1) and uploaded
it to DELAYED/5. Please feel free to tell me if I should cancel it or
delay it longer.

-- 
Matt
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog
--- nss-3.17.2/debian/changelog	2014-10-17 21:22:21.000000000 -0700
+++ nss-3.17.2/debian/changelog	2014-12-21 19:46:52.000000000 -0800
@@ -1,3 +1,10 @@
+nss (2:3.17.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2014-1569. Closes: #773625.
+
+ -- Matt Kraai <kr...@debian.org>  Sun, 21 Dec 2014 19:46:52 -0800
+
 nss (2:3.17.2-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru nss-3.17.2/debian/patches/98_CVE-2014-1569.patch nss-3.17.2/debian/patches/98_CVE-2014-1569.patch
--- nss-3.17.2/debian/patches/98_CVE-2014-1569.patch	1969-12-31 16:00:00.000000000 -0800
+++ nss-3.17.2/debian/patches/98_CVE-2014-1569.patch	2014-12-21 20:02:10.000000000 -0800
@@ -0,0 +1,155 @@
+Description: Be more strict on DER length decoding in quickder.c
+Origin: https://hg.mozilla.org/projects/nss/rev/a163e09dc4d5
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
+Last-Update: 2014-12-21
+
+# HG changeset patch
+# User J.C. Jones <jjo...@mozilla.com>
+# Date 1415421927 28800
+# Node ID a163e09dc4d5e90f609f25cf63fae46711b55f73
+# Parent  b6db7a6d2e2c35609450ea8569cc179feffe45e0
+Bug 1064670 - (CVE-2014-1569) ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (r=wtc)
+
+diff --git a/lib/util/quickder.c b/lib/util/quickder.c
+--- nss.orig/nss/lib/util/quickder.c
++++ nss/nss/lib/util/quickder.c
+@@ -11,65 +11,120 @@
+ #include "secasn1.h" /* for SEC_ASN1GetSubtemplate */
+ #include "secitem.h"
+ 
+ /*
+  * simple definite-length ASN.1 decoder
+  */
+ 
+ static unsigned char* definite_length_decoder(const unsigned char *buf,
+-                                              const unsigned int length,
+-                                              unsigned int *data_length,
++                                              const unsigned int buf_length,
++                                              unsigned int *out_data_length,
+                                               PRBool includeTag)
+ {
+     unsigned char tag;
+-    unsigned int used_length= 0;
+-    unsigned int data_len;
++    unsigned int used_length = 0;
++    unsigned int data_length = 0;
++    unsigned char length_field_len = 0;
++    unsigned char byte;
++    unsigned int i;
+ 
+-    if (used_length >= length)
++    if (used_length >= buf_length)
+     {
++        /* Tag field was not found! */
+         return NULL;
+     }
+     tag = buf[used_length++];
+ 
+-    /* blow out when we come to the end */
+     if (tag == 0)
+     {
++        /* End-of-contents octects should not be present in DER because
++           DER doesn't use the indefinite length form. */
+         return NULL;
+     }
+ 
+-    if (used_length >= length)
++    if ((tag & 0x1F) == 0x1F)
+     {
++        /* High tag number (a tag number > 30) is not supported */
+         return NULL;
+     }
+-    data_len = buf[used_length++];
+ 
+-    if (data_len&0x80)
++    if (used_length >= buf_length)
+     {
+-        int  len_count = data_len & 0x7f;
++        /* Length field was not found! */
++        return NULL;
++    }
++    byte = buf[used_length++];
+ 
+-        data_len = 0;
++    if (!(byte & 0x80))
++    {
++        /* Short form: The high bit is not set. */
++        data_length = byte; /* clarity; we're returning a 32-bit int. */
++    }
++    else
++    {
++        /* Long form. Extract the field length */
++        length_field_len = byte & 0x7F;
++        if (length_field_len == 0)
++        {
++            /* DER doesn't use the indefinite length form. */
++            return NULL;
++        }
+ 
+-        while (len_count-- > 0)
++        if (length_field_len > sizeof(data_length))
+         {
+-            if (used_length >= length)
++            /* We don't support an extended length field  longer than
++               4 bytes (2^32) */
++            return NULL;
++        }
++
++        if (length_field_len > (buf_length - used_length))
++        {
++            /* Extended length field was not found */
++            return NULL;
++        }
++
++        /* Iterate across the extended length field */
++        for (i = 0; i < length_field_len; i++)
++        {
++            byte = buf[used_length++];
++            data_length = (data_length << 8) | byte;
++
++            if (i == 0)
+             {
+-                return NULL;
++                PRBool too_long = PR_FALSE;
++                if (length_field_len == 1)
++                {
++                    too_long = ((byte & 0x80) == 0); /* Short form suffices */
++                }
++                else
++                {
++                    too_long = (byte == 0); /* This zero byte can be omitted */
++                }
++                if (too_long)
++                {
++                    /* The length is longer than needed. */
++                    return NULL;
++                }
+             }
+-            data_len = (data_len << 8) | buf[used_length++];
+         }
+     }
+ 
+-    if (data_len > (length-used_length) )
++    if (data_length > (buf_length - used_length))
+     {
++        /* The decoded length exceeds the available buffer */
+         return NULL;
+     }
+-    if (includeTag) data_len += used_length;
+ 
+-    *data_length = data_len;
++    if (includeTag)
++    {
++        data_length += used_length;
++    }
++
++    *out_data_length = data_length;
+     return ((unsigned char*)buf + (includeTag ? 0 : used_length));
+ }
+ 
+ static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag)
+ {
+     if ( (!src) || (!dest) || (!src->data && src->len) )
+     {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+
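Review bot: The comment beside the `length_field_len > sizeof(data_length)` check says "longer than 4 bytes (2^32)", but the bound is the width of `unsigned int`, not a literal 4, so the comment should state the invariant the code actually enforces, e.g. `/* The decoded length must fit in data_length (sizeof gives its width in bytes). */`; the minimal-encoding checks in the `i == 0` branch and the `data_length > (buf_length - used_length)` guard otherwise read correctly. Two comment nits in the same hunk: "octects" in the end-of-contents comment should be "octets", and the double space in "length field  longer" can go. As this is a DEP-3 patch header carrying the Mozilla bug, adding a `Bug-Debian: https://bugs.debian.org/773625` line next to `Bug:` would tie the quilt patch to the Debian report named in the changelog. The embedded quickder.c hunk ends inside GetItem, whose body continues beyond it.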
diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series
--- nss-3.17.2/debian/patches/series	2014-09-24 06:14:30.000000000 -0700
+++ nss-3.17.2/debian/patches/series	2014-12-21 19:23:24.000000000 -0800
@@ -4,3 +4,4 @@
 85_security_load.patch
 95_add_spi+cacert_ca_certs.patch
 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
+98_CVE-2014-1569.patch
