Bug#774023: unblock: nss/2:3.17.2-1.1
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package nss.
nss/2:3.17.2-1.1 fixes bug #773625, an information leak in NSS (CVE-2014-1569),
using a patch extracted from upstream.
unblock nss/2:3.17.2-1.1
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog
--- nss-3.17.2/debian/changelog 2014-10-17 21:22:21.000000000 -0700
+++ nss-3.17.2/debian/changelog 2014-12-21 19:46:52.000000000 -0800
@@ -1,3 +1,10 @@
+nss (2:3.17.2-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2014-1569. Closes: #773625.
+
+ -- Matt Kraai <kraai@debian.org> Sun, 21 Dec 2014 19:46:52 -0800
+
nss (2:3.17.2-1) unstable; urgency=medium
* New upstream release.
diff -Nru nss-3.17.2/debian/patches/98_CVE-2014-1569.patch nss-3.17.2/debian/patches/98_CVE-2014-1569.patch
--- nss-3.17.2/debian/patches/98_CVE-2014-1569.patch 1969-12-31 16:00:00.000000000 -0800
+++ nss-3.17.2/debian/patches/98_CVE-2014-1569.patch 2014-12-21 20:02:10.000000000 -0800
@@ -0,0 +1,155 @@
+Description: Be more strict on DER length decoding in quickder.c
+Origin: https://hg.mozilla.org/projects/nss/rev/a163e09dc4d5
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
+Last-Update: 2014-12-21
+
+# HG changeset patch
+# User J.C. Jones <jjones@mozilla.com>
+# Date 1415421927 28800
+# Node ID a163e09dc4d5e90f609f25cf63fae46711b55f73
+# Parent b6db7a6d2e2c35609450ea8569cc179feffe45e0
+Bug 1064670 - (CVE-2014-1569) ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (r=wtc)
+
+diff --git a/lib/util/quickder.c b/lib/util/quickder.c
+--- nss.orig/nss/lib/util/quickder.c
++++ nss/nss/lib/util/quickder.c
+@@ -11,65 +11,120 @@
+ #include "secasn1.h" /* for SEC_ASN1GetSubtemplate */
+ #include "secitem.h"
+
+ /*
+ * simple definite-length ASN.1 decoder
+ */
+
+ static unsigned char* definite_length_decoder(const unsigned char *buf,
+- const unsigned int length,
+- unsigned int *data_length,
++ const unsigned int buf_length,
++ unsigned int *out_data_length,
+ PRBool includeTag)
+ {
+ unsigned char tag;
+- unsigned int used_length= 0;
+- unsigned int data_len;
++ unsigned int used_length = 0;
++ unsigned int data_length = 0;
++ unsigned char length_field_len = 0;
++ unsigned char byte;
++ unsigned int i;
+
+- if (used_length >= length)
++ if (used_length >= buf_length)
+ {
++ /* Tag field was not found! */
+ return NULL;
+ }
+ tag = buf[used_length++];
+
+- /* blow out when we come to the end */
+ if (tag == 0)
+ {
++ /* End-of-contents octects should not be present in DER because
++ DER doesn't use the indefinite length form. */
+ return NULL;
+ }
+
+- if (used_length >= length)
++ if ((tag & 0x1F) == 0x1F)
+ {
++ /* High tag number (a tag number > 30) is not supported */
+ return NULL;
+ }
+- data_len = buf[used_length++];
+
+- if (data_len&0x80)
++ if (used_length >= buf_length)
+ {
+- int len_count = data_len & 0x7f;
++ /* Length field was not found! */
++ return NULL;
++ }
++ byte = buf[used_length++];
+
+- data_len = 0;
++ if (!(byte & 0x80))
++ {
++ /* Short form: The high bit is not set. */
++ data_length = byte; /* clarity; we're returning a 32-bit int. */
++ }
++ else
++ {
++ /* Long form. Extract the field length */
++ length_field_len = byte & 0x7F;
++ if (length_field_len == 0)
++ {
++ /* DER doesn't use the indefinite length form. */
++ return NULL;
++ }
+
+- while (len_count-- > 0)
++ if (length_field_len > sizeof(data_length))
+ {
+- if (used_length >= length)
++ /* We don't support an extended length field longer than
++ 4 bytes (2^32) */
++ return NULL;
++ }
++
++ if (length_field_len > (buf_length - used_length))
++ {
++ /* Extended length field was not found */
++ return NULL;
++ }
++
++ /* Iterate across the extended length field */
++ for (i = 0; i < length_field_len; i++)
++ {
++ byte = buf[used_length++];
++ data_length = (data_length << 8) | byte;
++
++ if (i == 0)
+ {
+- return NULL;
++ PRBool too_long = PR_FALSE;
++ if (length_field_len == 1)
++ {
++ too_long = ((byte & 0x80) == 0); /* Short form suffices */
++ }
++ else
++ {
++ too_long = (byte == 0); /* This zero byte can be omitted */
++ }
++ if (too_long)
++ {
++ /* The length is longer than needed. */
++ return NULL;
++ }
+ }
+- data_len = (data_len << 8) | buf[used_length++];
+ }
+ }
+
+- if (data_len > (length-used_length) )
++ if (data_length > (buf_length - used_length))
+ {
++ /* The decoded length exceeds the available buffer */
+ return NULL;
+ }
+- if (includeTag) data_len += used_length;
+
+- *data_length = data_len;
++ if (includeTag)
++ {
++ data_length += used_length;
++ }
++
++ *out_data_length = data_length;
+ return ((unsigned char*)buf + (includeTag ? 0 : used_length));
+ }
+
+ static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag)
+ {
+ if ( (!src) || (!dest) || (!src->data && src->len) )
+ {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+
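Review bot: The comment above `definite_length_decoder` still reads only `simple definite-length ASN.1 decoder`, but the new body rejects several inputs that the comment does not mention: a zero tag octet, the high-tag-number form (`(tag & 0x1F) == 0x1F`), the indefinite form, a long-form length that is not minimally encoded, and a length field wider than `sizeof(data_length)`. I would extend that comment to list these rejection cases, and to state that `*out_data_length` is left unwritten on every `return NULL` path and that it counts the tag and length octets when `includeTag` is set. `GetItem`, whose body continues outside this hunk, presumably relies on that contract. Two smaller comment fixes in the same function: `octects` should read `octets`, and `4 bytes (2^32)` hard-codes a width that the check itself takes from `sizeof(data_length)`, so wording such as `longer than sizeof(unsigned int) bytes` would stay accurate on every platform.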
diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series
--- nss-3.17.2/debian/patches/series 2014-09-24 06:14:30.000000000 -0700
+++ nss-3.17.2/debian/patches/series 2014-12-21 19:23:24.000000000 -0800
@@ -4,3 +4,4 @@
85_security_load.patch
95_add_spi+cacert_ca_certs.patch
97_SSL_RENEGOTIATE_TRANSITIONAL.patch
+98_CVE-2014-1569.patch