nss-3.15.1: fix CVE-2013-1739

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1739 (From OE-Core rev: 9b43af77d112e75fa9827a9080b7e94f41f9a116) (From OE-Core rev: 4ce30ef254511ce39dd576b80134b9316f9fa06c) Signed-off-by: yzhu1 <yanjun.zhu@windriver.com> Signed-off-by: Jackie Huang <jackie.huang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Conflicts: meta/recipes-support/nss/nss.inc
2026-05-31 12:49:46 +00:00 · 2014-06-18 05:41:30 -04:00
parent 1d04721fe8
commit 6780f20525
1 changed files with 81 additions and 0 deletions
@@ -0,0 +1,81 @@
 Upstream-Status: Backport
 Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
 --- a/nss/lib/ssl/ssl3con.c
 +++ b/nss/lib/ssl/ssl3con.c
@@ -10509,7 +10509,7 @@ ssl_RemoveSSLv3CBCPadding(sslBuffer *pla
     /* SSLv3 padding bytes are random and cannot be checked. */
     t = plaintext->len;
     t -= paddingLength+overhead;
 -    /* If len >= padding_length+overhead then the MSB of t is zero. */
 +    /* If len >= paddingLength+overhead then the MSB of t is zero. */
     good = DUPLICATE_MSB_TO_ALL(~t);
     /* SSLv3 requires that the padding is minimal. */
     t = blockSize - (paddingLength+1);
@@ -10742,7 +10742,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
 	}
     }
 -    good = (unsigned)-1;
 +    good = ~0U;
     minLength = crSpec->mac_size;
     if (cipher_def->type == type_block) {
 	/* CBC records have a padding length byte at the end. */
@@ -10756,14 +10756,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
     /* We can perform this test in variable time because the record's total
      * length and the ciphersuite are both public knowledge. */
     if (cText->buf->len < minLength) {
 -	SSL_DBG(("%d: SSL3[%d]: HandleRecord, record too small.",
 -		 SSL_GETPID(), ss->fd));
 -	/* must not hold spec lock when calling SSL3_SendAlert. */
 -	ssl_ReleaseSpecReadLock(ss);
 -	SSL3_SendAlert(ss, alert_fatal, bad_record_mac);
 -	/* always log mac error, in case attacker can read server logs. */
 -	PORT_SetError(SSL_ERROR_BAD_MAC_READ);
 -	return SECFailure;
 +	goto decrypt_loser;
     }
     if (cipher_def->type == type_block &&
@@ -10831,11 +10824,18 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
 	return SECFailure;
     }
 +    if (cipher_def->type == type_block &&
 +	((cText->buf->len - ivLen) % cipher_def->block_size) != 0) {
 +	goto decrypt_loser;
 +    }
 +
     /* decrypt from cText buf to plaintext. */
     rv = crSpec->decode(
 	crSpec->decodeContext, plaintext->buf, (int *)&plaintext->len,
 	plaintext->space, cText->buf->buf + ivLen, cText->buf->len - ivLen);
 -    good &= SECStatusToMask(rv);
 +    if (rv != SECSuccess) {
 +	goto decrypt_loser;
 +    }
     PRINT_BUF(80, (ss, "cleartext:", plaintext->buf, plaintext->len));
@@ -10843,7 +10843,7 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
     /* If it's a block cipher, check and strip the padding. */
     if (cipher_def->type == type_block) {
 -	const unsigned int blockSize = cipher_def->iv_size;
 +	const unsigned int blockSize = cipher_def->block_size;
 	const unsigned int macSize = crSpec->mac_size;
 	if (crSpec->version <= SSL_LIBRARY_VERSION_3_0) {
@@ -10899,10 +10899,11 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
     }
     if (good == 0) {
 +decrypt_loser:
 	/* must not hold spec lock when calling SSL3_SendAlert. */
 	ssl_ReleaseSpecReadLock(ss);
 -	SSL_DBG(("%d: SSL3[%d]: mac check failed", SSL_GETPID(), ss->fd));
 +	SSL_DBG(("%d: SSL3[%d]: decryption failed", SSL_GETPID(), ss->fd));
 	if (!IS_DTLS(ss)) {
 	    SSL3_SendAlert(ss, alert_fatal, bad_record_mac);