meta-oe/recipes-support/nss/nss/CVE-2023-0767.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124

# HG changeset patch
# User John M. Schanck <jschanck@mozilla.com>
# Date 1675974326 0
# Node ID 62f6b3e9024dd72ba3af9ce23848d7573b934f18
# Parent  52b4b7d3d3ebdb25fbf2cf1c101bfad3721680f4
Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea

Differential Revision: https://phabricator.services.mozilla.com/D167443

CVE: CVE-2023-0767
Upstream-Status: Backport [https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/nss/2:3.35-2ubuntu2.16/nss_3.35-2ubuntu2.16.debian.tar.xz]
Signed-off-by: Virendra Thakur <virendra.thakur@kpit.com>

diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c
--- a/nss/lib/pkcs12/p12d.c
+++ b/nss/lib/pkcs12/p12d.c
@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void 
                                    unsigned long len, int depth,
                                    SEC_ASN1EncodingPart data_kind)
 {
     sec_PKCS12SafeContentsContext *safeContentsCtx =
         (sec_PKCS12SafeContentsContext *)arg;
     SEC_PKCS12DecoderContext *p12dcx;
     SECStatus rv;
 
-    /* make sure that we are not skipping the current safeBag,
-     * and that there are no errors.  If so, just return rather
-     * than continuing to process.
-     */
-    if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
-        safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
+    if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
         return;
     }
     p12dcx = safeContentsCtx->p12dcx;
 
+    /* make sure that there are no errors and we are not skipping the current safeBag */
+    if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
+        goto loser;
+    }
+
     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
     if (rv != SECSuccess) {
         p12dcx->errorValue = PORT_GetError();
+        p12dcx->error = PR_TRUE;
+        goto loser;
+    }
+
+    /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
+     * may not get another opportunity to clean up the decoder context.
+     */
+    if (safeContentsCtx->skipCurrentSafeBag) {
         goto loser;
     }
 
     return;
 
 loser:
-    /* set the error, and finish the decoder context.  because there
+    /* Finish the decoder context. Because there
      * is not a way of returning an error message, it may be worth
      * while to do a check higher up and finish any decoding contexts
      * that are still open.
      */
-    p12dcx->error = PR_TRUE;
     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
     safeContentsCtx->currentSafeBagA1Dcx = NULL;
     return;
 }
 
 /* notify function for decoding safeBags.  This function is
  * used to filter safeBag types which are not supported,
  * initiate the decoding of nested safe contents, and decode
diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h
--- a/nss/lib/pkcs12/p12t.h
+++ b/nss/lib/pkcs12/p12t.h
@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr {
     /* Dependent upon the type of bag being used. */
     union {
         SECKEYPrivateKeyInfo *pkcs8KeyBag;
         SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
         sec_PKCS12CertBag *certBag;
         sec_PKCS12CRLBag *crlBag;
         sec_PKCS12SecretBag *secretBag;
         sec_PKCS12SafeContents *safeContents;
+        SECItem *unknownBag;
     } safeBagContent;
 
     sec_PKCS12Attribute **attribs;
 
     /* used locally */
     SECOidData *bagTypeTag;
     PLArenaPool *arena;
     unsigned int nAttribs;
diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c
--- a/nss/lib/pkcs12/p12tmpl.c
+++ b/nss/lib/pkcs12/p12tmpl.c
@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr
     if (src_or_dest == NULL) {
         return NULL;
     }
 
     safeBag = (sec_PKCS12SafeBag *)src_or_dest;
 
     oiddata = SECOID_FindOID(&safeBag->safeBagType);
     if (oiddata == NULL) {
-        return SEC_ASN1_GET(SEC_AnyTemplate);
+        return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
     }
 
     switch (oiddata->offset) {
         default:
-            theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
             break;
         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
             theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
             break;
         case SEC_OID_PKCS12_V1_CERT_BAG_ID:
             theTemplate = sec_PKCS12PointerToCertBagTemplate;
             break;
         case SEC_OID_PKCS12_V1_CRL_BAG_ID: