
Bug#795794: marked as done (jessie-pu: package nss/3.17.2-1.1+deb8u1)



Your message dated Sat, 05 Sep 2015 14:31:07 +0100
with message-id <1441459867.2151.32.camel@adam-barratt.org.uk>
and subject line Closing p-u bugs for 8.2
has caused the Debian Bug report #795794,
regarding jessie-pu: package nss/3.17.2-1.1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
795794: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=795794
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

This is a small patch from mozilla hg. It fixes #774195 and is
confirmed to work. Would be cool if it can be included in the next
stable release.

Thanks!

  Christoph

-- System Information:
Debian Release: 8.0
  APT prefers stable-kfreebsd
  APT policy: (990, 'stable-kfreebsd'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'oldstable'), (1, 'experimental')
Architecture: kfreebsd-amd64 (x86_64)

Kernel: kFreeBSD 10.1-0-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
diff -Nru nss-3.17.2/debian/changelog nss-3.17.2/debian/changelog
--- nss-3.17.2/debian/changelog	2014-12-22 04:46:52.000000000 +0100
+++ nss-3.17.2/debian/changelog	2015-08-15 12:40:34.000000000 +0200
@@ -1,3 +1,12 @@
+nss (2:3.17.2-1.1+deb8u1) jessie; urgency=medium
+
+  [ Andrew Ayer ]
+  * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix
+    certificate chain generation to prefer stronger/newer certificates
+    over weaker/older certs. Closes: #774195.
+
+ -- Christoph Egger <christoph@debian.org>  Sat, 15 Aug 2015 12:40:31 +0200
+
 nss (2:3.17.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
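Review bot: the changelog wording "prefer stronger/newer certificates over weaker/older certs" overstates what the patch keys on: the comparator in pkix_Build_SortCertComparator uses only the NotAfter date (the patch's own comment says "we use NotAfter date as the comparison key for now"), so nothing in the change ranks certificates by key strength. Suggest "prefer certificates with later NotAfter dates when building chains (Closes: #774195)" so the entry describes the behaviour a jessie user will actually get. The version `2:3.17.2-1.1+deb8u1` and the `jessie` target match the p-u subject, and the `[ Andrew Ayer ]` block correctly credits the patch author while keeping Christoph as uploader.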
diff -Nru nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch
--- nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch	1970-01-01 01:00:00.000000000 +0100
+++ nss-3.17.2/debian/patches/99_prefer_stronger_cert_chains.patch	2015-05-25 18:34:09.000000000 +0200
@@ -0,0 +1,135 @@
+Description: Prefer stronger, newer certs when building chain.
+Origin: https://hg.mozilla.org/projects/nss/rev/34e1379ff6c7
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1112461
+
+# HG changeset patch
+# User Ryan Sleevi <ryan.sleevi@gmail.com>
+# Date 1420768742 28800
+# Node ID 34e1379ff6c77f6c2dc52b542eafbe9c18034828
+# Parent  6978c29bd763e8e20c4e837ef4cdc7f7d6e802bc
+Bug 1112461 - Have libpkix match classic & mozilla::pkix in preferring newer certs to older certs. r=wtc
+
+diff --git a/lib/libpkix/pkix/checker/pkix_revocationchecker.c b/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+--- a/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
++++ b/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c
+@@ -132,32 +132,38 @@ pkix_RevocationChecker_RegisterSelf(void
+         entry.comparator = NULL;
+         entry.duplicateFunction = pkix_RevocationChecker_Duplicate;
+ 
+         systemClasses[PKIX_REVOCATIONCHECKER_TYPE] = entry;
+ 
+         PKIX_RETURN(REVOCATIONCHECKER);
+ }
+ 
+-/* Sort methods by theirs priorities */
++/* Sort methods by their priorities (lower priority = higher preference) */
+ static PKIX_Error *
+ pkix_RevocationChecker_SortComparator(
+         PKIX_PL_Object *obj1,
+         PKIX_PL_Object *obj2,
+         PKIX_Int32 *pResult,
+         void *plContext)
+ {
+     pkix_RevocationMethod *method1 = NULL, *method2 = NULL;
+     
+     PKIX_ENTER(BUILD, "pkix_RevocationChecker_SortComparator");
+     
+     method1 = (pkix_RevocationMethod *)obj1;
+     method2 = (pkix_RevocationMethod *)obj2;
+     
+-    *pResult = (method1->priority > method2->priority);
++    if (method1->priority < method2->priority) {
++      *pResult = -1;
++    } else if (method1->priority > method2->priority) {
++      *pResult = 1;
++    } else {
++      *pResult = 0;
++    }
+     
+     PKIX_RETURN(BUILD);
+ }
+ 
+ 
+ /* --Public-Functions--------------------------------------------- */
+ 
+ 
+diff --git a/lib/libpkix/pkix/top/pkix_build.c b/lib/libpkix/pkix/top/pkix_build.c
+--- a/nss/lib/libpkix/pkix/top/pkix_build.c
++++ b/nss/lib/libpkix/pkix/top/pkix_build.c
+@@ -655,19 +655,21 @@ pkix_ForwardBuilderState_IsIOPending(
+ 
+ /* --Private-BuildChain-Functions------------------------------------------- */
+ 
+ /*
+  * FUNCTION: pkix_Build_SortCertComparator
+  * DESCRIPTION:
+  *
+  *  This Function takes two Certificates cast in "obj1" and "obj2",
+- *  compares their validity NotAfter dates and returns the result at
+- *  "pResult". The comparison key(s) can be expanded by using other
+- *  data in the Certificate in the future.
++ *  compares them to determine which is a more preferable certificate
++ *  for chain building. This Function is suitable for use as a
++ *  comparator callback for pkix_List_BubbleSort, setting "*pResult" to
++ *  > 0 if "obj1" is less desirable than "obj2" and < 0 if "obj1"
++ *  is more desirable than "obj2".
+  *
+  * PARAMETERS:
+  *  "obj1"
+  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+  *      Must be non-NULL.
+  *  "obj2"
+  *      Address of the PKIX_PL_Object that is a cast of PKIX_PL_Cert.
+  *      Must be non-NULL.
+@@ -686,24 +688,24 @@ static PKIX_Error *
+ pkix_Build_SortCertComparator(
+         PKIX_PL_Object *obj1,
+         PKIX_PL_Object *obj2,
+         PKIX_Int32 *pResult,
+         void *plContext)
+ {
+         PKIX_PL_Date *date1 = NULL;
+         PKIX_PL_Date *date2 = NULL;
+-        PKIX_Boolean result = PKIX_FALSE;
++        PKIX_Int32 result = 0;
+ 
+         PKIX_ENTER(BUILD, "pkix_Build_SortCertComparator");
+         PKIX_NULLCHECK_THREE(obj1, obj2, pResult);
+ 
+         /*
+          * For sorting candidate certificates, we use NotAfter date as the
+-         * sorted key for now (can be expanded if desired in the future).
++         * comparison key for now (can be expanded if desired in the future).
+          *
+          * In PKIX_BuildChain, the List of CertStores was reordered so that
+          * trusted CertStores are ahead of untrusted CertStores. That sort, or
+          * this one, could be taken out if it is determined that it doesn't help
+          * performance, or in some way hinders the solution of choosing desired
+          * candidates.
+          */
+ 
+@@ -722,17 +724,22 @@ pkix_Build_SortCertComparator(
+         
+         PKIX_CHECK(PKIX_PL_Object_Compare
+                 ((PKIX_PL_Object *)date1,
+                 (PKIX_PL_Object *)date2,
+                 &result,
+                 plContext),
+                 PKIX_OBJECTCOMPARATORFAILED);
+ 
+-        *pResult = !result;
++        /*
++         * Invert the result, so that if date1 is greater than date2,
++         * obj1 is sorted before obj2. This is because pkix_List_BubbleSort
++         * sorts in ascending order.
++         */
++        *pResult = -result;
+ 
+ cleanup:
+ 
+         PKIX_DECREF(date1);
+         PKIX_DECREF(date2);
+ 
+         PKIX_RETURN(BUILD);
+ }
+
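Review bot: the file-header lines inside the embedded patch disagree with each other: `diff --git a/lib/libpkix/pkix/checker/pkix_revocationchecker.c ...` has no `nss/` component, but the `--- a/nss/lib/libpkix/...` and `+++ b/nss/lib/libpkix/...` lines that patch(1) actually uses do. The same applies to the pkix_build.c block. That is what makes hg rev 34e1379ff6c7 apply to the Debian source layout, but it is an undocumented rewrite; a line in the DEP-3 header (next to `Origin:`) saying the paths were adjusted to the packaging tree would save the next person who refreshes this patch against upstream from a confusing mismatch. On the logic: changing `result` from `PKIX_Boolean` to `PKIX_Int32` and emitting `*pResult = -result` instead of `*pResult = !result` keeps the three-way comparison the DESCRIPTION now promises (`> 0` if obj1 is less desirable, `< 0` if more desirable), and the revocation-method comparator gets the same -1/0/1 treatment. One consequence worth a sentence in the new comment block: two candidates with equal NotAfter dates now compare as 0, so their relative order depends entirely on whether pkix_List_BubbleSort is stable, whereas the old `!result` collapsed everything to 0/1.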
diff -Nru nss-3.17.2/debian/patches/series nss-3.17.2/debian/patches/series
--- nss-3.17.2/debian/patches/series	2014-12-22 04:23:24.000000000 +0100
+++ nss-3.17.2/debian/patches/series	2015-05-25 18:34:09.000000000 +0200
@@ -5,3 +5,4 @@
 95_add_spi+cacert_ca_certs.patch
 97_SSL_RENEGOTIATE_TRANSITIONAL.patch
 98_CVE-2014-1569.patch
+99_prefer_stronger_cert_chains.patch
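Review bot: no strip level is given for `99_prefer_stronger_cert_chains.patch`, so quilt's default applies; that is consistent with the `a/nss/lib/...` and `b/nss/lib/...` paths in the patch's `---`/`+++` lines, which resolve to `nss/lib/...` relative to the package root. Appending it after `98_CVE-2014-1569.patch` keeps the numbering scheme of the existing series. No change needed.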

--- End Message ---
--- Begin Message ---
Version: 8.2

Hi,

These bugs correspond to updates which were included in the 8.2 point
release.

Regards,

Adam

--- End Message ---
