Bug#774023: marked as done (unblock: nss/2:3.17.2-1.1)



Your message dated Sat, 27 Dec 2014 14:50:19 +0000
with message-id <1419691819.3384.5.camel@adam-barratt.org.uk>
and subject line Re: Bug#774023: unblock: nss/2:3.17.2-1.1
has caused the Debian Bug report #774023,
regarding unblock: nss/2:3.17.2-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
774023: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774023
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package nss.

nss/2:3.17.2-1.1 fixes bug #773625, an information leak in NSS (CVE-2014-1569),
using a patch extracted from upstream.

unblock nss/2:3.17.2-1.1

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/12 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog
--- nss-3.17.2/debian/changelog	2014-10-17 21:22:21.000000000 -0700
+++ nss-3.17.2/debian/changelog	2014-12-21 19:46:52.000000000 -0800
@@ -1,3 +1,10 @@
+nss (2:3.17.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2014-1569. Closes: #773625.
+
+ -- Matt Kraai <kraai@debian.org>  Sun, 21 Dec 2014 19:46:52 -0800
+
 nss (2:3.17.2-1) unstable; urgency=medium
 
   * New upstream release.
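Review bot: the changelog entry `* Fix CVE-2014-1569. Closes: #773625.` gives only the identifiers; for an NMU into a frozen suite it helps the release team and later readers to say what changed and where the fix came from, e.g. `* Fix CVE-2014-1569: stricter DER length decoding in lib/util/quickder.c (98_CVE-2014-1569.patch, from upstream hg a163e09dc4d5). Closes: #773625.` All of those details are already in the debdiff, so this is a wording point only.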
diff -Nru nss-3.17.2/debian/patches/98_CVE-2014-1569.patch nss-3.17.2/debian/patches/98_CVE-2014-1569.patch
--- nss-3.17.2/debian/patches/98_CVE-2014-1569.patch	1969-12-31 16:00:00.000000000 -0800
+++ nss-3.17.2/debian/patches/98_CVE-2014-1569.patch	2014-12-21 20:02:10.000000000 -0800
@@ -0,0 +1,155 @@
+Description: Be more strict on DER length decoding in quickder.c
+Origin: https://hg.mozilla.org/projects/nss/rev/a163e09dc4d5
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
+Last-Update: 2014-12-21
+
+# HG changeset patch
+# User J.C. Jones <jjones@mozilla.com>
+# Date 1415421927 28800
+# Node ID a163e09dc4d5e90f609f25cf63fae46711b55f73
+# Parent  b6db7a6d2e2c35609450ea8569cc179feffe45e0
+Bug 1064670 - (CVE-2014-1569) ASN.1 DER decoding of lengths is too permissive, allowing undetected smuggling of arbitrary data (r=wtc)
+
+diff --git a/lib/util/quickder.c b/lib/util/quickder.c
+--- nss.orig/nss/lib/util/quickder.c
++++ nss/nss/lib/util/quickder.c
+@@ -11,65 +11,120 @@
+ #include "secasn1.h" /* for SEC_ASN1GetSubtemplate */
+ #include "secitem.h"
+ 
+ /*
+  * simple definite-length ASN.1 decoder
+  */
+ 
+ static unsigned char* definite_length_decoder(const unsigned char *buf,
+-                                              const unsigned int length,
+-                                              unsigned int *data_length,
++                                              const unsigned int buf_length,
++                                              unsigned int *out_data_length,
+                                               PRBool includeTag)
+ {
+     unsigned char tag;
+-    unsigned int used_length= 0;
+-    unsigned int data_len;
++    unsigned int used_length = 0;
++    unsigned int data_length = 0;
++    unsigned char length_field_len = 0;
++    unsigned char byte;
++    unsigned int i;
+ 
+-    if (used_length >= length)
++    if (used_length >= buf_length)
+     {
++        /* Tag field was not found! */
+         return NULL;
+     }
+     tag = buf[used_length++];
+ 
+-    /* blow out when we come to the end */
+     if (tag == 0)
+     {
++        /* End-of-contents octects should not be present in DER because
++           DER doesn't use the indefinite length form. */
+         return NULL;
+     }
+ 
+-    if (used_length >= length)
++    if ((tag & 0x1F) == 0x1F)
+     {
++        /* High tag number (a tag number > 30) is not supported */
+         return NULL;
+     }
+-    data_len = buf[used_length++];
+ 
+-    if (data_len&0x80)
++    if (used_length >= buf_length)
+     {
+-        int  len_count = data_len & 0x7f;
++        /* Length field was not found! */
++        return NULL;
++    }
++    byte = buf[used_length++];
+ 
+-        data_len = 0;
++    if (!(byte & 0x80))
++    {
++        /* Short form: The high bit is not set. */
++        data_length = byte; /* clarity; we're returning a 32-bit int. */
++    }
++    else
++    {
++        /* Long form. Extract the field length */
++        length_field_len = byte & 0x7F;
++        if (length_field_len == 0)
++        {
++            /* DER doesn't use the indefinite length form. */
++            return NULL;
++        }
+ 
+-        while (len_count-- > 0)
++        if (length_field_len > sizeof(data_length))
+         {
+-            if (used_length >= length)
++            /* We don't support an extended length field  longer than
++               4 bytes (2^32) */
++            return NULL;
++        }
++
++        if (length_field_len > (buf_length - used_length))
++        {
++            /* Extended length field was not found */
++            return NULL;
++        }
++
++        /* Iterate across the extended length field */
++        for (i = 0; i < length_field_len; i++)
++        {
++            byte = buf[used_length++];
++            data_length = (data_length << 8) | byte;
++
++            if (i == 0)
+             {
+-                return NULL;
++                PRBool too_long = PR_FALSE;
++                if (length_field_len == 1)
++                {
++                    too_long = ((byte & 0x80) == 0); /* Short form suffices */
++                }
++                else
++                {
++                    too_long = (byte == 0); /* This zero byte can be omitted */
++                }
++                if (too_long)
++                {
++                    /* The length is longer than needed. */
++                    return NULL;
++                }
+             }
+-            data_len = (data_len << 8) | buf[used_length++];
+         }
+     }
+ 
+-    if (data_len > (length-used_length) )
++    if (data_length > (buf_length - used_length))
+     {
++        /* The decoded length exceeds the available buffer */
+         return NULL;
+     }
+-    if (includeTag) data_len += used_length;
+ 
+-    *data_length = data_len;
++    if (includeTag)
++    {
++        data_length += used_length;
++    }
++
++    *out_data_length = data_length;
+     return ((unsigned char*)buf + (includeTag ? 0 : used_length));
+ }
+ 
+ static SECStatus GetItem(SECItem* src, SECItem* dest, PRBool includeTag)
+ {
+     if ( (!src) || (!dest) || (!src->data && src->len) )
+     {
+         PORT_SetError(SEC_ERROR_INVALID_ARGS);
+
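Review bot: the `Description:` line says the patch is stricter on DER length decoding, but the hunk also rejects every tag whose low five bits are set (`if ((tag & 0x1F) == 0x1F)` with the comment `High tag number (a tag number > 30) is not supported`), which is a separate behaviour change that the DEP-3 header and the Debian changelog should mention so anyone tracking down a decoding failure on a high-tag-number structure knows where it came from. Two smaller nits in the imported upstream text: the comment `We don't support an extended length field  longer than 4 bytes (2^32)` hardcodes 4 while the guard is `length_field_len > sizeof(data_length)` on an `unsigned int`, so the comment should refer to `sizeof(data_length)` bytes rather than a fixed 4, and `End-of-contents octects` should read `octets`. The `diff --git a/lib/util/quickder.c b/lib/util/quickder.c` line kept from upstream does not match the `nss.orig/nss/lib/util/quickder.c` / `nss/nss/lib/util/quickder.c` paths on the `---`/`+++` lines; quilt applies by the latter at strip level 1, so this is harmless, but dropping or aligning the git header line would avoid confusion when the patch is refreshed.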
diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series
--- nss-3.17.2/debian/patches/series	2014-09-24 06:14:30.000000000 -0700
+++ nss-3.17.2/debian/patches/series	2014-12-21 19:23:24.000000000 -0800
@@ -4,3 +4,4 @@
 85_security_load.patch
 95_add_spi+cacert_ca_certs.patch
 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
+98_CVE-2014-1569.patch

--- End Message ---
--- Begin Message ---
On Sat, 2014-12-27 at 06:44 -0800, Matt Kraai wrote:
> Please unblock package nss.
> 
> nss/2:3.17.2-1.1 fixes bug #773625, an information leak in NSS (CVE-2014-1569),
> using a patch extracted from upstream.

Unblocked a little earlier this afternoon by jmw.

Regards,

Adam

--- End Message ---