nss: Add fix for CVE-2022-22747

Add a patch to fix CVE-2022-22747 Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> Signed-off-by: Ranjitsinh Rathod <ranjitsinhrathod1991@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> 2022-02-11 18:23:22 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-02-13 10:47:08 -0800
commit: aa5b9a1ff04212f6c725128730d4e36bdadf6516 (patch)
tree: 8154608b3bb7f67d1cfb3d9757c47fc5e303d724
parent: 93a315f96f90915382532717cb2c356f995d66b2 (diff)
download: meta-openembedded-aa5b9a1ff04212f6c725128730d4e36bdadf6516.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
new file mode 100644
index 0000000000..cccb73187d
--- /dev/null
+++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
@@ -0,0 +1,63 @@
+# HG changeset patch
+# User John M. Schanck <jschanck@mozilla.com>
+# Date 1633990165 0
+# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0
+# Parent  f80fafd04cf82b4d315c8fe42bb4639703f6ee4f
+Bug 1735028 - check for missing signedData field r=keeler
+Differential Revision: https://phabricator.services.mozilla.com/D128112
+Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0]
+CVE: CVE-2022-22747
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage
+   unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
+                                       0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
+                                       0x05, 0xa0, 0x02, 0x30, 0x00};
+   EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
+                          reinterpret_cast<char*>(emptyCertPackage),
+                          sizeof(emptyCertPackage)));
+   EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+ }
+
+TEST_F(DecodeCertsTest, EmptySignedData) {
+  // This represents a PKCS#7 ContentInfo of contentType
+  // 1.2.840.113549.1.7.2 (signedData) with missing content.
+  unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86,
+                                     0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
+                                     0x02, 0x00, 0x00, 0x05, 0x00};
+
+  EXPECT_EQ(nullptr,
+            CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData),
+                                       sizeof(emptySignedData)));
+  EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+}
+diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c
+--- a/nss/lib/pkcs7/certread.c
+++ b/nss/lib/pkcs7/certread.c
+@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C
+                            pkcs7Item) != SECSuccess) {
+         goto done;
+     }
+ 
+     if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
+         goto done;
+     }
+ 
+    if (contentInfo.content.signedData == NULL) {
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        goto done;
+    }
+
+     rv = SECSuccess;
+ 
+     certs = contentInfo.content.signedData->certificates;
+     if (certs) {
+         count = 0;
+ 
+         while (*certs) {
+             count++;
diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb
index f03473b1a0..8b59f7ea8f 100644
--- a/meta-oe/recipes-support/nss/nss_3.51.1.bb
+++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
           file://CVE-2020-12403_1.patch \
           file://CVE-2020-12403_2.patch \
           file://CVE-2021-43527.patch \
+           file://CVE-2022-22747.patch \
           "
 SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"
author	Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>	2022-02-11 18:23:22 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-02-13 10:47:08 -0800
commit	aa5b9a1ff04212f6c725128730d4e36bdadf6516 (patch)
tree	8154608b3bb7f67d1cfb3d9757c47fc5e303d724
parent	93a315f96f90915382532717cb2c356f995d66b2 (diff)
download	meta-openembedded-aa5b9a1ff04212f6c725128730d4e36bdadf6516.tar.gz

diff --git a/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch new file mode 100644 index 0000000000..cccb73187d --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch
@@ -0,0 +1,63 @@
		1	# HG changeset patch
		2	# User John M. Schanck <jschanck@mozilla.com>
		3	# Date 1633990165 0
		4	# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0
		5	# Parent f80fafd04cf82b4d315c8fe42bb4639703f6ee4f
		6	Bug 1735028 - check for missing signedData field r=keeler
		7
		8	Differential Revision: https://phabricator.services.mozilla.com/D128112
		9
		10	Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0]
		11	CVE: CVE-2022-22747
		12	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		13
		14	diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
		15	--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc
		16	+++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
		17	@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage
		18	unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
		19	0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
		20	0x05, 0xa0, 0x02, 0x30, 0x00};
		21	EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
		22	reinterpret_cast<char*>(emptyCertPackage),
		23	sizeof(emptyCertPackage)));
		24	EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
		25	}
		26	+
		27	+TEST_F(DecodeCertsTest, EmptySignedData) {
		28	+ // This represents a PKCS#7 ContentInfo of contentType
		29	+ // 1.2.840.113549.1.7.2 (signedData) with missing content.
		30	+ unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86,
		31	+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
		32	+ 0x02, 0x00, 0x00, 0x05, 0x00};
		33	+
		34	+ EXPECT_EQ(nullptr,
		35	+ CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData),
		36	+ sizeof(emptySignedData)));
		37	+ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
		38	+}
		39	diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c
		40	--- a/nss/lib/pkcs7/certread.c
		41	+++ b/nss/lib/pkcs7/certread.c
		42	@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C
		43	pkcs7Item) != SECSuccess) {
		44	goto done;
		45	}
		46
		47	if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
		48	goto done;
		49	}
		50
		51	+ if (contentInfo.content.signedData == NULL) {
		52	+ PORT_SetError(SEC_ERROR_BAD_DER);
		53	+ goto done;
		54	+ }
		55	+
		56	rv = SECSuccess;
		57
		58	certs = contentInfo.content.signedData->certificates;
		59	if (certs) {
		60	count = 0;
		61
		62	while (*certs) {
		63	count++;


diff --git a/meta-oe/recipes-support/nss/nss_3.51.1.bb b/meta-oe/recipes-support/nss/nss_3.51.1.bb index f03473b1a0..8b59f7ea8f 100644 --- a/meta-oe/recipes-support/nss/nss_3.51.1.bb +++ b/meta-oe/recipes-support/nss/nss_3.51.1.bb
@@ -40,6 +40,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO
40	file://CVE-2020-12403_1.patch \	40	file://CVE-2020-12403_1.patch \
41	file://CVE-2020-12403_2.patch \	41	file://CVE-2020-12403_2.patch \
42	file://CVE-2021-43527.patch \	42	file://CVE-2021-43527.patch \
		43	file://CVE-2022-22747.patch \
43	"	44	"
44		45
45	SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"	46	SRC_URI[md5sum] = "6acaf1ddff69306ae30a908881c6f233"