[curl/f18] prevent NSS from crashing on client auth hook failure

Kamil Dudka kdudka at fedoraproject.org
Tue Jan 15 13:31:26 UTC 2013


commit 53d6e752c3f2b9b4a9b1cb6256af04ca0dd8bb8f
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Tue Jan 15 13:48:21 2013 +0100

    prevent NSS from crashing on client auth hook failure

 0006-curl-7.27.0-68d2830e.patch |   68 +++++++++++++++++++++++++++++++++++++++
 curl.spec                       |    5 +++
 2 files changed, 73 insertions(+), 0 deletions(-)
---
diff --git a/0006-curl-7.27.0-68d2830e.patch b/0006-curl-7.27.0-68d2830e.patch
new file mode 100644
index 0000000..be8c558
--- /dev/null
+++ b/0006-curl-7.27.0-68d2830e.patch
@@ -0,0 +1,68 @@
+From c011938e10bf3af5896d0f7f5ecffc22150303f3 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Mon, 3 Dec 2012 13:17:50 +0100
+Subject: [PATCH 1/3] nss: prevent NSS from crashing on client auth hook failure
+
+Although it is not explicitly stated in the documentation, NSS uses
+*pRetCert and *pRetKey even if the client authentication hook returns
+a failure.  Namely, if we destroy *pRetCert without clearing *pRetCert
+afterwards, NSS destroys the certificate once again, which causes a
+double free.
+
+Reported by: Bob Relyea
+
+[upstream commit 68d2830ee9df50961e481e81c1baaa290c33f03e]
+---
+ lib/nss.c |   17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 22b53bf..794eccb 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -757,6 +757,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+     static const char pem_slotname[] = "PEM Token #1";
+     SECItem cert_der = { 0, NULL, 0 };
+     void *proto_win = SSL_RevealPinArg(sock);
++    struct CERTCertificateStr *cert;
++    struct SECKEYPrivateKeyStr *key;
+ 
+     PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname);
+     if(NULL == slot) {
+@@ -771,24 +773,27 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+       return SECFailure;
+     }
+ 
+-    *pRetCert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
++    cert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
+     SECITEM_FreeItem(&cert_der, PR_FALSE);
+-    if(NULL == *pRetCert) {
++    if(NULL == cert) {
+       failf(data, "NSS: client certificate from file not found");
+       PK11_FreeSlot(slot);
+       return SECFailure;
+     }
+ 
+-    *pRetKey = PK11_FindPrivateKeyFromCert(slot, *pRetCert, NULL);
++    key = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
+     PK11_FreeSlot(slot);
+-    if(NULL == *pRetKey) {
++    if(NULL == key) {
+       failf(data, "NSS: private key from file not found");
+-      CERT_DestroyCertificate(*pRetCert);
++      CERT_DestroyCertificate(cert);
+       return SECFailure;
+     }
+ 
+     infof(data, "NSS: client certificate from file\n");
+-    display_cert_info(data, *pRetCert);
++    display_cert_info(data, cert);
++
++    *pRetCert = cert;
++    *pRetKey = key;
+     return SECSuccess;
+   }
+ 
+-- 
+1.7.1
+
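Review bot: The two failure returns in this branch of SelectClientCert (certificate not found, private key not found) now leave `*pRetCert` and `*pRetKey` unwritten, so the fix depends on both out-parameters already being NULL on entry, which the hunk does not show. Because the commit message says NSS reads both values even when the hook returns SECFailure, I would state that invariant in the code by clearing them after the local declarations, `*pRetCert = NULL;` and `*pRetKey = NULL;`, provided no caller outside the hunk relies on the incoming values. A comment above the final assignments, for example `/* NSS reads the out-parameters even on SECFailure: set them only on success */`, would also stop a later cleanup from writing through `*pRetCert` early again and reintroducing the double free. The function starts before and continues after the lines shown here.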
diff --git a/curl.spec b/curl.spec
index 2af8f02..349ac30 100644
--- a/curl.spec
+++ b/curl.spec
@@ -23,6 +23,9 @@ Patch4: 0004-curl-7.27.0-52b6eda4.patch
 # update the links to cipher-suites supported by NSS
 Patch5: 0005-curl-7.27.0-f208bf5a.patch
 
+# prevent NSS from crashing on client auth hook failure
+Patch6: 0006-curl-7.27.0-68d2830e.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.27.0-multilib.patch
 
@@ -121,6 +124,7 @@ documentation of the library, too.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -247,6 +251,7 @@ rm -rf $RPM_BUILD_ROOT
 * Tue Jan 15 2013 Kamil Dudka <kdudka at redhat.com> 7.27.0-5
 - do not print misleading NSS error codes
 - update the links to cipher-suites supported by NSS
+- prevent NSS from crashing on client auth hook failure
 
 * Wed Oct 31 2012 Kamil Dudka <kdudka at redhat.com> 7.27.0-4
 - fix a syntax error in curl-config (#871317)

