From b666d173ff0ba213bf81e2c035a605a28e5395ea Mon Sep 17 00:00:00 2001 From: "yanjun.zhu" Date: Fri, 28 Mar 2014 17:43:37 +0800 Subject: nss-3.15.1: fix CVE-2013-1741 Integer overflow in Mozilla Network Security Services (NSS) 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1741 Signed-off-by: yanjun.zhu Signed-off-by: Hongxu Jia Signed-off-by: Richard Purdie --- .../nss/files/nss-3.15.1-fix-CVE-2013-1741.patch | 92 ++++++++++++++++++++++ meta/recipes-support/nss/nss.inc | 1 + 2 files changed, 93 insertions(+) create mode 100644 meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch (limited to 'meta/recipes-support') diff --git a/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch new file mode 100644 index 0000000000..21da0c03b5 --- /dev/null +++ b/meta/recipes-support/nss/files/nss-3.15.1-fix-CVE-2013-1741.patch @@ -0,0 +1,92 @@ +Upstream-Status: backport +yanjun.zhu +--- a/nss/lib/util/secport.c ++++ b/nss/lib/util/secport.c +@@ -69,13 +69,22 @@ PORTCharConversionFunc ucs4Utf8ConvertFu + PORTCharConversionFunc ucs2Utf8ConvertFunc; + PORTCharConversionWSwapFunc ucs2AsciiConvertFunc; + ++/* NSPR memory allocation functions (PR_Malloc, PR_Calloc, and PR_Realloc) ++ * use the PRUint32 type for the size parameter. Before we pass a size_t or ++ * unsigned long size to these functions, we need to ensure it is <= half of ++ * the maximum PRUint32 value to avoid truncation and catch a negative size. ++ */ ++#define MAX_SIZE (PR_UINT32_MAX >> 1) ++ + void * + PORT_Alloc(size_t bytes) + { +- void *rv; ++ void *rv = NULL; + +- /* Always allocate a non-zero amount of bytes */ +- rv = (void *)PR_Malloc(bytes ? bytes : 1); ++ if (bytes <= MAX_SIZE) { ++ /* Always allocate a non-zero amount of bytes */ ++ rv = PR_Malloc(bytes ? bytes : 1); ++ } + if (!rv) { + ++port_allocFailures; + PORT_SetError(SEC_ERROR_NO_MEMORY); +@@ -86,9 +95,11 @@ PORT_Alloc(size_t bytes) + void * + PORT_Realloc(void *oldptr, size_t bytes) + { +- void *rv; ++ void *rv = NULL; + +- rv = (void *)PR_Realloc(oldptr, bytes); ++ if (bytes <= MAX_SIZE) { ++ rv = PR_Realloc(oldptr, bytes); ++ } + if (!rv) { + ++port_allocFailures; + PORT_SetError(SEC_ERROR_NO_MEMORY); +@@ -99,10 +110,12 @@ PORT_Realloc(void *oldptr, size_t bytes) + void * + PORT_ZAlloc(size_t bytes) + { +- void *rv; ++ void *rv = NULL; + +- /* Always allocate a non-zero amount of bytes */ +- rv = (void *)PR_Calloc(1, bytes ? bytes : 1); ++ if (bytes <= MAX_SIZE) { ++ /* Always allocate a non-zero amount of bytes */ ++ rv = PR_Calloc(1, bytes ? bytes : 1); ++ } + if (!rv) { + ++port_allocFailures; + PORT_SetError(SEC_ERROR_NO_MEMORY); +@@ -209,6 +222,10 @@ PORT_NewArena(unsigned long chunksize) + { + PORTArenaPool *pool; + ++ if (chunksize > MAX_SIZE) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return NULL; ++ } + pool = PORT_ZNew(PORTArenaPool); + if (!pool) { + return NULL; +@@ -224,8 +241,6 @@ PORT_NewArena(unsigned long chunksize) + return(&pool->arena); + } + +-#define MAX_SIZE 0x7fffffffUL +- + void * + PORT_ArenaAlloc(PLArenaPool *arena, size_t size) + { +@@ -330,6 +345,11 @@ PORT_ArenaGrow(PLArenaPool *arena, void + PORTArenaPool *pool = (PORTArenaPool *)arena; + PORT_Assert(newsize >= oldsize); + ++ if (newsize > MAX_SIZE) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return NULL; ++ } ++ + if (ARENAPOOL_MAGIC == pool->magic ) { + PZ_Lock(pool->lock); + /* Do we do a THREADMARK check here? */ diff --git a/meta/recipes-support/nss/nss.inc b/meta/recipes-support/nss/nss.inc index a6aeed8b1a..6364562a13 100644 --- a/meta/recipes-support/nss/nss.inc +++ b/meta/recipes-support/nss/nss.inc @@ -16,6 +16,7 @@ SRC_URI = "\ file://nss-fix-support-cross-compiling.patch \ file://nss-no-rpath-for-cross-compiling.patch \ file://nss-fix-incorrect-shebang-of-perl.patch \ + file://nss-3.15.1-fix-CVE-2013-1741.patch \ " SRC_URI_append_class-target = "\ file://nss.pc.in \ -- cgit 1.2.3-korg