diff -Nru nss-3.28.4/debian/changelog nss-3.28.4/debian/changelog
--- nss-3.28.4/debian/changelog 2018-12-14 14:59:43.000000000 +0000
+++ nss-3.28.4/debian/changelog 2019-02-19 12:39:44.000000000 +0000
@@ -1,3 +1,16 @@
+nss (2:3.28.4-0ubuntu0.16.04.5) xenial-security; urgency=medium + + * SECURITY UPDATE: DoS in NULL pointer dereference in CMS functions + - debian/patches/CVE-2018-18508-1.patch: add null checks in + nss/lib/smime/cmscinfo.c, nss/lib/smime/cmsdigdata.c, + nss/lib/smime/cmsencdata.c, nss/lib/smime/cmsenvdata.c, + nss/lib/smime/cmsmessage.c, nss/lib/smime/cmsudf.c. + - debian/patches/CVE-2018-18508-2.patch: add null checks in + nss/lib/smime/cmsmessage.c. + - CVE-2018-18508 + + -- Marc Deslauriers Tue, 19 Feb 2019 13:39:44 +0100 + + nss (2:3.28.4-0ubuntu0.16.04.4) xenial-security; urgency=medium + * SECURITY UPDATE: side-channel attack on ECDSA signatures
diff -Nru nss-3.28.4/debian/patches/CVE-2018-18508-1.patch nss-3.28.4/debian/patches/CVE-2018-18508-1.patch
--- nss-3.28.4/debian/patches/CVE-2018-18508-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ nss-3.28.4/debian/patches/CVE-2018-18508-1.patch 2019-02-19 12:39:34.000000000 +0000
@@ -0,0 +1,309 @@ +Backport of: + + +# HG changeset patch +# User J.C. Jones +# Date 1547271196 25200 +# Node ID 08d1b0c1117f7a9a5382440864e243ece0d1a7a3 +# Parent 5e70b72131ac28457b14cdc6100e8674409bbdd4 +Bug 1507174 - Add additional null checks to other CMS functions r=mt + +Differential review: https://phabricator.services.mozilla.com//D16383 + +Index: nss-3.42/nss/lib/smime/cmscinfo.c +=================================================================== +--- nss-3.42.orig/nss/lib/smime/cmscinfo.c 2019-02-19 12:00:17.662903828 +0100 ++++ nss-3.42/nss/lib/smime/cmscinfo.c 2019-02-19 12:00:17.662903828 +0100 +@@ -51,6 +51,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContent + { + SECOidTag kind; + ++ if (cinfo == NULL) { ++ return; ++ } ++ + kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + switch (kind) { + case SEC_OID_PKCS7_ENVELOPED_DATA: +@@ -86,6 +90,11 @@ NSSCMSContentInfo * + NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo) + { + NSSCMSContentInfo *ccinfo = NULL; ++ ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + switch (tag) { + case SEC_OID_PKCS7_SIGNED_DATA: +@@ -127,6 +136,9 @@ SECStatus + NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream) + { + SECStatus rv; ++ if (cinfo == NULL) { ++ return SECFailure; ++ } + + rv = NSS_CMSContentInfo_Private_Init(cinfo); + if (rv != SECSuccess) { +@@ -145,15 +157,20 @@ NSS_CMSContentInfo_SetContent(NSSCMSMess + SECOidTag type, void *ptr) + { + SECStatus rv; ++ if (cinfo == NULL || cmsg == NULL) { ++ return SECFailure; ++ } + + cinfo->contentTypeTag = SECOID_FindOIDByTag(type); +- if (cinfo->contentTypeTag == NULL) ++ if (cinfo->contentTypeTag == NULL) { + return SECFailure; ++ } + + /* do not copy the oid, just create a reference */ + rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid)); +- if (rv != SECSuccess) ++ if (rv != SECSuccess) { + return SECFailure; ++ } + + 
cinfo->content.pointer = ptr; + +@@ -185,8 +202,9 @@ SECStatus + NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + SECItem *data, PRBool detached) + { +- if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) ++ if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) { + return SECFailure; ++ } + if (detached) { + cinfo->rawContent = NULL; + } +@@ -230,6 +248,10 @@ NSS_CMSContentInfo_SetContent_EncryptedD + void * + NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + SECOidTag tag = cinfo->contentTypeTag + ? cinfo->contentTypeTag->offset + : SEC_OID_UNKNOWN; +@@ -260,6 +282,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCM + SECOidTag tag; + SECItem *pItem = NULL; + ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + if (NSS_CMSType_IsData(tag)) { + pItem = cinfo->content.data; +@@ -282,6 +308,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCM + SECOidTag + NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return SEC_OID_UNKNOWN; ++ } ++ + if (cinfo->contentTypeTag == NULL) + cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); + +@@ -294,11 +324,17 @@ NSS_CMSContentInfo_GetContentTypeTag(NSS + SECItem * + NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo) + { +- if (cinfo->contentTypeTag == NULL) ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ ++ if (cinfo->contentTypeTag == NULL) { + cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); ++ } + +- if (cinfo->contentTypeTag == NULL) ++ if (cinfo->contentTypeTag == NULL) { + return NULL; ++ } + + return &(cinfo->contentTypeTag->oid); + } +@@ -310,8 +346,13 @@ NSS_CMSContentInfo_GetContentTypeOID(NSS + SECOidTag + NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo) + { +- if (cinfo->contentEncAlgTag == 
SEC_OID_UNKNOWN) ++ if (cinfo == NULL) { ++ return SEC_OID_UNKNOWN; ++ } ++ ++ if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) { + cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg)); ++ } + + return cinfo->contentEncAlgTag; + } +@@ -322,6 +363,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(N + SECAlgorithmID * + NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + return &(cinfo->contentEncAlg); + } + +@@ -330,10 +375,14 @@ NSS_CMSContentInfo_SetContentEncAlg(PLAr + SECOidTag bulkalgtag, SECItem *parameters, int keysize) + { + SECStatus rv; ++ if (cinfo == NULL) { ++ return SECFailure; ++ } + + rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters); +- if (rv != SECSuccess) ++ if (rv != SECSuccess) { + return SECFailure; ++ } + cinfo->keysize = keysize; + return SECSuccess; + } +@@ -343,27 +392,42 @@ NSS_CMSContentInfo_SetContentEncAlgID(PL + SECAlgorithmID *algid, int keysize) + { + SECStatus rv; ++ if (cinfo == NULL) { ++ return SECFailure; ++ } + + rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid); +- if (rv != SECSuccess) ++ if (rv != SECSuccess) { + return SECFailure; +- if (keysize >= 0) ++ } ++ if (keysize >= 0) { + cinfo->keysize = keysize; ++ } + return SECSuccess; + } + + void + NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey) + { +- cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey); +- cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg)); ++ if (cinfo == NULL) { ++ return; ++ } ++ ++ if (bulkkey == NULL) { ++ cinfo->bulkkey = NULL; ++ cinfo->keysize = 0; ++ } else { ++ cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey); ++ cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg)); ++ } + } + + PK11SymKey * + NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo) + { +- if (cinfo->bulkkey == NULL) ++ if (cinfo == NULL || cinfo->bulkkey == NULL) { + return NULL; 
++ } + + return PK11_ReferenceSymKey(cinfo->bulkkey); + } +@@ -371,5 +435,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSCont + int + NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return 0; ++ } ++ + return cinfo->keysize; + } +Index: nss-3.42/nss/lib/smime/cmsdigdata.c +=================================================================== +--- nss-3.42.orig/nss/lib/smime/cmsdigdata.c 2019-02-19 12:00:17.662903828 +0100 ++++ nss-3.42/nss/lib/smime/cmsdigdata.c 2019-02-19 12:00:17.662903828 +0100 +@@ -56,7 +56,9 @@ void + NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd) + { + /* everything's in a pool, so don't worry about the storage */ +- NSS_CMSContentInfo_Destroy(&(digd->contentInfo)); ++ if (digd != NULL) { ++ NSS_CMSContentInfo_Destroy(&(digd->contentInfo)); ++ } + return; + } + +Index: nss-3.42/nss/lib/smime/cmsencdata.c +=================================================================== +--- nss-3.42.orig/nss/lib/smime/cmsencdata.c 2019-02-19 12:00:17.662903828 +0100 ++++ nss-3.42/nss/lib/smime/cmsencdata.c 2019-02-19 12:00:17.662903828 +0100 +@@ -87,7 +87,9 @@ void + NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd) + { + /* everything's in a pool, so don't worry about the storage */ +- NSS_CMSContentInfo_Destroy(&(encd->contentInfo)); ++ if (encd != NULL) { ++ NSS_CMSContentInfo_Destroy(&(encd->contentInfo)); ++ } + return; + } + +Index: nss-3.42/nss/lib/smime/cmsenvdata.c +=================================================================== +--- nss-3.42.orig/nss/lib/smime/cmsenvdata.c 2019-02-19 12:00:17.662903828 +0100 ++++ nss-3.42/nss/lib/smime/cmsenvdata.c 2019-02-19 12:00:17.662903828 +0100 +@@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart( + poolp = envd->cmsg->poolp; + cinfo = &(envd->contentInfo); + ++ if (cinfo == NULL) { ++ PORT_SetError(SEC_ERROR_BAD_DATA); ++ goto loser; ++ } ++ + recipientinfos = envd->recipientInfos; + if (recipientinfos == NULL) { + 
PORT_SetError(SEC_ERROR_BAD_DATA); +Index: nss-3.42/nss/lib/smime/cmsmessage.c +=================================================================== +--- nss-3.42.orig/nss/lib/smime/cmsmessage.c 2019-02-19 12:00:17.662903828 +0100 ++++ nss-3.42/nss/lib/smime/cmsmessage.c 2019-02-19 12:00:44.770732868 +0100 +@@ -88,6 +88,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSM + void + NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) ++ return; ++ + PORT_Assert(cmsg->refCount > 0); + if (cmsg->refCount <= 0) /* oops */ + return; +Index: nss-3.42/nss/lib/smime/cmsudf.c +=================================================================== +--- nss-3.42.orig/nss/lib/smime/cmsudf.c 2019-02-19 12:00:17.662903828 +0100 ++++ nss-3.42/nss/lib/smime/cmsudf.c 2019-02-19 12:00:17.662903828 +0100 +@@ -239,7 +239,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOid + { + const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type); + +- if (typeInfo && typeInfo->destroy) { ++ if (typeInfo && (typeInfo->destroy) && (gd != NULL)) { + (*typeInfo->destroy)(gd); + } + } diff -Nru nss-3.28.4/debian/patches/CVE-2018-18508-2.patch nss-3.28.4/debian/patches/CVE-2018-18508-2.patch --- nss-3.28.4/debian/patches/CVE-2018-18508-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ nss-3.28.4/debian/patches/CVE-2018-18508-2.patch 2019-02-19 12:39:38.000000000 +0000 
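Review bot: The guard added in cmsenvdata.c, `if (cinfo == NULL)` immediately after `cinfo = &(envd->contentInfo);`, can never be true: the address of an embedded struct member is non-null, and `envd` has already been dereferenced on the preceding line (`poolp = envd->cmsg->poolp;`), so a NULL `envd` or `envd->cmsg` still crashes before the check runs. If the intent is to harden NSS_CMSEnvelopedData_Encode_BeforeStart, the check belongs before those dereferences, e.g. `if (envd == NULL || envd->cmsg == NULL) { PORT_SetError(SEC_ERROR_BAD_DATA); goto loser; }`, provided the `loser` path is safe to take that early — the function's start and its `loser` label are outside the hunk, so I cannot confirm that. Separately, the new `return SECFailure;` paths in cmscinfo.c (NSS_CMSContentInfo_SetDontStream, _SetContent, _SetContentEncAlg, _SetContentEncAlgID) fail without calling PORT_SetError, so a caller that reports `PORT_GetError()` sees whatever stale code was last set; adding `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before each of those returns would make a NULL-argument failure diagnosable. Minor: the `if (cmsg == NULL) return;` added to NSS_CMSMessage_Destroy in cmsmessage.c is the one guard in this patch written without braces, while the rest of the patch deliberately adds braces to single-statement ifs.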
@@ -0,0 +1,211 @@ +Backport of: + + +# HG changeset patch +# User J.C. Jones +# Date 1547487325 25200 +# Node ID 5e70b72131ac28457b14cdc6100e8674409bbdd4 +# Parent da45424cb9a0b4d8e45e5040e2e3b574d994e254 +Bug 1507135 - Add additional null checks to CMS message functions r=mt + +Differential review: https://phabricator.services.mozilla.com//D16488 + +Index: nss-3.42/nss/lib/smime/cmsmessage.c +=================================================================== +--- nss-3.42.orig/nss/lib/smime/cmsmessage.c 2019-02-19 12:01:05.638605750 +0100 ++++ nss-3.42/nss/lib/smime/cmsmessage.c 2019-02-19 12:04:09.757630189 +0100 +@@ -29,8 +29,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp + + if (poolp == NULL) { + poolp = PORT_NewArena(1024); /* XXX what is right value? */ +- if (poolp == NULL) ++ if (poolp == NULL) { + return NULL; ++ } + poolp_is_ours = PR_TRUE; + } + +@@ -44,8 +45,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp + if (mark) { + PORT_ArenaRelease(poolp, mark); + } +- } else ++ } else { + PORT_FreeArena(poolp, PR_FALSE); ++ } + return NULL; + } + +@@ -53,8 +55,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp + cmsg->poolp_is_ours = poolp_is_ours; + cmsg->refCount = 1; + +- if (mark) ++ if (mark) { + PORT_ArenaUnmark(poolp, mark); ++ } + + return cmsg; + } +@@ -73,8 +76,13 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSM + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, + SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) + { +- if (pwfn) ++ if (cmsg == NULL) { ++ return; ++ } ++ if (pwfn) { + PK11_SetPasswordFunc(pwfn); ++ } ++ + cmsg->pwfn_arg = pwfn_arg; + cmsg->decrypt_key_cb = decrypt_key_cb; + cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg; +@@ -92,18 +100,21 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cm + return; + + PORT_Assert(cmsg->refCount > 0); +- if (cmsg->refCount <= 0) /* oops */ ++ if (cmsg->refCount <= 0) { /* oops */ + return; ++ } + + cmsg->refCount--; /* thread safety? 
*/ +- if (cmsg->refCount > 0) ++ if (cmsg->refCount > 0) { + return; ++ } + + NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo)); + + /* if poolp is not NULL, cmsg is the owner of its arena */ +- if (cmsg->poolp_is_ours) ++ if (cmsg->poolp_is_ours) { + PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */ ++ } + } + + /* +@@ -115,8 +126,9 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cm + NSSCMSMessage * + NSS_CMSMessage_Copy(NSSCMSMessage *cmsg) + { +- if (cmsg == NULL) ++ if (cmsg == NULL) { + return NULL; ++ } + + PORT_Assert(cmsg->refCount > 0); + +@@ -130,6 +142,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg) + PLArenaPool * + NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + return cmsg->poolp; + } + +@@ -139,6 +155,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *c + NSSCMSContentInfo * + NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + return &(cmsg->contentInfo); + } + +@@ -150,6 +170,10 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMess + SECItem * + NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + /* this is a shortcut */ + NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg); + SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo); +@@ -167,6 +191,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSM + int count = 0; + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return 0; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) { + count++; +@@ -186,6 +214,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessag + int count = 0; + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { +@@ -203,6 +235,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCM + { + NSSCMSContentInfo 
*cinfo; + ++ if (cmsg == NULL) { ++ return PR_FALSE; ++ } ++ + /* descend into CMS message */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { +@@ -224,6 +260,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage + { + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return PR_FALSE; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { +@@ -254,13 +294,21 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *c + { + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return PR_FALSE; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { + switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) { + case SEC_OID_PKCS7_SIGNED_DATA: +- if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) ++ if (cinfo->content.signedData == NULL) { ++ return PR_FALSE; ++ } ++ if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) { + return PR_TRUE; ++ } + break; + default: + /* callback here for generic wrappers? */ +@@ -281,8 +329,9 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMess + { + SECItem *item = NULL; + +- if (cmsg == NULL) ++ if (cmsg == NULL) { + return PR_TRUE; ++ } + + item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg)); + diff -Nru nss-3.28.4/debian/patches/series nss-3.28.4/debian/patches/series --- nss-3.28.4/debian/patches/series 2018-12-14 14:56:57.000000000 +0000 +++ nss-3.28.4/debian/patches/series 2019-02-19 12:39:38.000000000 +0000 @@ -9,3 +9,5 @@ CVE-2018-12384-2.patch CVE-2018-12404-1.patch CVE-2018-12404-3.patch +CVE-2018-18508-1.patch +CVE-2018-18508-2.patch