nss: Fix CVE CVE-2023-0767

Add CVE-2023-0767.patch to fix CVE-2023-0767

Signed-off-by: Virendra Thakur <virendrak@kpit.com>
Signed-off-by: Bhabu Bindu <bindudaniel1996@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>

2 files changed, 125 insertions, 0 deletions

diff --git a/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch
new file mode 100644
index 0000000000..ec3b4a092a
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch
@@ -0,0 +1,124 @@
+
+# HG changeset patch
+# User John M. Schanck <jschanck@mozilla.com>
+# Date 1675974326 0
+# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18
+# Parent  52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4
+Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D167443
+
+CVE: CVE-2023-0767
+Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz]
+Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>
+
+diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c
+--- a/nss/lib/pkcs12/p12d.c
++++ b/nss/lib/pkcs12/p12d.c
+@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void 
+                                    unsigned long len, int depth,
+                                    SEC_ASN1EncodingPart data_kind)
+ {
+     sec_PKCS12SafeContentsContext *safeContentsCtx =
+         (sec_PKCS12SafeContentsContext *)arg;
+     SEC_PKCS12DecoderContext *p12dcx;
+     SECStatus rv;
+ 
+-    /* make sure that we are not skipping the current safeBag,
+-     * and that there are no errors.  If so, just return rather
+-     * than continuing to process.
+-     */
+-    if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
+-        safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++    if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
+         return;
+     }
+     p12dcx = safeContentsCtx->p12dcx;
+ 
++    /* make sure that there are no errors and we are not skipping the current safeBag */
++    if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++        goto loser;
++    }
++
+     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
+     if (rv != SECSuccess) {
+         p12dcx->errorValue = PORT_GetError();
++        p12dcx->error = PR_TRUE;
++        goto loser;
++    }
++
++    /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
++     * may not get another opportunity to clean up the decoder context.
++     */
++    if (safeContentsCtx->skipCurrentSafeBag) {
+         goto loser;
+     }
+ 
+     return;
+ 
+ loser:
+-    /* set the error, and finish the decoder context.  because there
++    /* Finish the decoder context. Because there
+      * is not a way of returning an error message, it may be worth
+      * while to do a check higher up and finish any decoding contexts
+      * that are still open.
+      */
+-    p12dcx->error = PR_TRUE;
+     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
+     safeContentsCtx->currentSafeBagA1Dcx = NULL;
+     return;
+ }
+ 
+ /* notify function for decoding safeBags.  This function is
+  * used to filter safeBag types which are not supported,
+  * initiate the decoding of nested safe contents, and decode
+diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h
+--- a/nss/lib/pkcs12/p12t.h
++++ b/nss/lib/pkcs12/p12t.h
+@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr {
+     /* Dependent upon the type of bag being used. */
+     union {
+         SECKEYPrivateKeyInfo *pkcs8KeyBag;
+         SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
+         sec_PKCS12CertBag *certBag;
+         sec_PKCS12CRLBag *crlBag;
+         sec_PKCS12SecretBag *secretBag;
+         sec_PKCS12SafeContents *safeContents;
++        SECItem *unknownBag;
+     } safeBagContent;
+ 
+     sec_PKCS12Attribute **attribs;
+ 
+     /* used locally */
+     SECOidData *bagTypeTag;
+     PLArenaPool *arena;
+     unsigned int nAttribs;
+diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c
+--- a/nss/lib/pkcs12/p12tmpl.c
++++ b/nss/lib/pkcs12/p12tmpl.c
+@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr
+     if (src_or_dest == NULL) {
+         return NULL;
+     }
+ 
+     safeBag = (sec_PKCS12SafeBag *)src_or_dest;
+ 
+     oiddata = SECOID_FindOID(&safeBag->safeBagType);
+     if (oiddata == NULL) {
+-        return SEC_ASN1_GET(SEC_AnyTemplate);
++        return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+     }
+ 
+     switch (oiddata->offset) {
+         default:
+-            theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
++            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+             theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+             theTemplate = sec_PKCS12PointerToCertBagTemplate;
+             break;
+         case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+
diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index 07adea1067..1de2a40094 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -42,6 +42,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
            file://CVE-2020-25648.patch \
            file://CVE-2021-43527.patch \
            file://CVE-2022-22747.patch \
+           file://CVE-2023-0767.patch \
            "
 
 SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"