Version in base suite: 3.87.1-1 Base version: nss_3.87.1-1 Target version: nss_3.87.1-1+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nss/nss_3.87.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nss/nss_3.87.1-1+deb12u1.dsc changelog | 6 ++++ patches/CVE-2024-0743.patch | 30 ++++++++++++++++++++ patches/CVE-2024-6602.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2024-6609.patch | 17 +++++++++++ patches/series | 3 ++ 5 files changed, 121 insertions(+)
diff -Nru nss-3.87.1/debian/changelog nss-3.87.1/debian/changelog
--- nss-3.87.1/debian/changelog 2023-02-15 00:22:38.000000000 +0000
+++ nss-3.87.1/debian/changelog 2024-10-10 19:51:11.000000000 +0000
@@ -1,3 +1,9 @@
+nss (2:3.87.1-1+deb12u1) bookworm-security; urgency=medium
+
+ * nss: fix CVE-2024-6602, CVE-2024-6609 and CVE-2024-0743
+
+ -- Arturo Borrero Gonzalez Thu, 10 Oct 2024 21:51:11 +0200
+
 nss (2:3.87.1-1) unstable; urgency=medium
 
 * New upstream release.
diff -Nru nss-3.87.1/debian/patches/CVE-2024-0743.patch nss-3.87.1/debian/patches/CVE-2024-0743.patch
--- nss-3.87.1/debian/patches/CVE-2024-0743.patch 1970-01-01 00:00:00.000000000 +0000
+++ nss-3.87.1/debian/patches/CVE-2024-0743.patch 2024-10-10 19:51:11.000000000 +0000
@@ -0,0 +1,30 @@
+Description: CVE-2024-0743 potiential crash due to interger underflow.
+Origin: https://hg.mozilla.org/projects/nss/rev/1bda168c0da97e19e5f14bc4227c15c0a9f493b
+Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1867408 (not public)
+Bug: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0743
+
+# HG changeset patch
+# User John Schanck
+# Date 1702322654 0
+# Node ID 1bda168c0da97e19e5f14bc4227c15c0a9f493bf
+# Parent e934c6d1d4366d152e3307cb76af4c02667c9147
+Bug 1867408 - add a defensive check for large ssl_DefSend return values. r=nkulatova
+
+Differential Revision: https://phabricator.services.mozilla.com/D195054
+
+--- a/nss/lib/ssl/sslsecur.c
++++ b/nss/lib/ssl/sslsecur.c
+@@ -458,7 +458,12 @@
+ if (rv < 0) {
+ return rv;
+ }
+- ss->pendingBuf.len -= rv;
++ if (rv > ss->pendingBuf.len) {
++ PORT_Assert(0); /* This shouldn't happen */
++ ss->pendingBuf.len = 0;
++ } else {
++ ss->pendingBuf.len -= rv;
++ }
+ if (ss->pendingBuf.len > 0 && rv > 0) {
+ /* UGH !! This shifts the whole buffer down by copying it */
+ PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv,
diff -Nru nss-3.87.1/debian/patches/CVE-2024-6602.patch nss-3.87.1/debian/patches/CVE-2024-6602.patch
--- nss-3.87.1/debian/patches/CVE-2024-6602.patch 1970-01-01 00:00:00.000000000 +0000
+++ nss-3.87.1/debian/patches/CVE-2024-6602.patch 2024-10-10 19:51:11.000000000 +0000
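Review bot: The new `rv > ss->pendingBuf.len` branch in the sslsecur.c change recovers silently in non-debug builds, where `PORT_Assert(0)` is normally compiled out: the length is clamped to 0 and nothing records that the lower layer reported more bytes than were queued. The clamp does stop `pendingBuf.len` from wrapping, but the comparison mixes a signed return value with what appears to be an unsigned length and is only safe because of the `rv < 0` return just above. I would make both explicit by widening the comment to `/* ssl_DefSend claimed more than was pending; clamp so len cannot wrap */` and casting in the test, `if ((unsigned int)rv > ss->pendingBuf.len) {`. Separately, the `Origin:` URL in the patch header ends in `...a9f493b` while the `# Node ID` line ends in `...a9f493bf`, so the link is one hex digit short of the full changeset id. The enclosing function begins and ends outside the hunk, so how the caller treats the returned `rv` cannot be checked here.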
@@ -0,0 +1,65 @@
+
+# HG changeset patch
+# User John Schanck
+# Date 1716230774 0
+# Node ID f9b22115dc97be76e388dc9d0dca946dde955e64
+# Parent dbd189b826b80eb0ff99d7769e16482624434682
+Bug 1895032 - remove redundant AllocItem implementation. r=nss-reviewers,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D209476
+
+diff --git a/nss/lib/util/secitem.c b/nss/lib/util/secitem.c
+--- a/nss/lib/util/secitem.c
++++ b/nss/lib/util/secitem.c
+@@ -233,45 +233,30 @@ SECITEM_DupItem(const SECItem *from)
+ }
+
+ SECItem *
+ SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from)
+ {
+ SECItem *to;
+
+ if (from == NULL) {
+- return (NULL);
+- }
+-
+- if (arena != NULL) {
+- to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+- } else {
+- to = (SECItem *)PORT_Alloc(sizeof(SECItem));
+- }
+- if (to == NULL) {
+- return (NULL);
++ return NULL;
+ }
+
+- if (arena != NULL) {
+- to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len);
+- } else {
+- to->data = (unsigned char *)PORT_Alloc(from->len);
+- }
+- if (to->data == NULL) {
+- PORT_Free(to);
+- return (NULL);
++ to = SECITEM_AllocItem(arena, NULL, from->len);
++ if (to == NULL) {
++ return NULL;
+ }
+
+- to->len = from->len;
+ to->type = from->type;
+ if (to->len) {
+ PORT_Memcpy(to->data, from->data, to->len);
+ }
+
+- return (to);
++ return to;
+ }
+
+ SECStatus
+ SECITEM_CopyItem(PLArenaPool *arena, SECItem *to, const SECItem *from)
+ {
+ to->type = from->type;
+ if (from->data && from->len) {
+ if (arena) {
+
diff -Nru nss-3.87.1/debian/patches/CVE-2024-6609.patch nss-3.87.1/debian/patches/CVE-2024-6609.patch
--- nss-3.87.1/debian/patches/CVE-2024-6609.patch 1970-01-01 00:00:00.000000000 +0000
+++ nss-3.87.1/debian/patches/CVE-2024-6609.patch 2024-10-10 19:51:11.000000000 +0000
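Review bot: CVE-2024-6602.patch carries no DEP-3 header, so nothing in the file ties the upstream change titled "remove redundant AllocItem implementation" to the CVE in its filename; CVE-2024-6609.patch has the same gap, with only a lower-case `origin:` link to a mailing-list thread. The removed lines show what the refactor takes away: the old error path called `PORT_Free(to)` when the data allocation failed, even if `to` had come from `PORT_ArenaAlloc`. I would add `Description: CVE-2024-6602 <one-line summary>` and an `Origin:` line for the Node ID already listed, matching CVE-2024-0743.patch. The new body also depends on `SECITEM_AllocItem` setting `to->len` now that `to->len = from->len;` is gone; that function is outside this hunk and worth checking in the 3.87.1 tree being patched.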
@@ -0,0 +1,17 @@
+origin: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/t9JmsYkujWM/m/HjKuk-ngBAAJ
+
+---
+
+--- a/nss/lib/freebl/ec.c
++++ b/nss/lib/freebl/ec.c
+@@ -304,6 +304,10 @@
+
+ cleanup:
+ mp_clear(&k);
++ if (err < MP_OKAY) {
++ MP_TO_SEC_ERROR(err);
++ rv = SECFailure;
++ }
+ if (rv) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
diff -Nru nss-3.87.1/debian/patches/series nss-3.87.1/debian/patches/series
--- nss-3.87.1/debian/patches/series 2021-11-01 22:39:53.000000000 +0000
+++ nss-3.87.1/debian/patches/series 2024-10-10 19:51:11.000000000 +0000
@@ -1,3 +1,6 @@
 38_hurd.patch
 80_security_tools.patch
 38_hppa.patch
+CVE-2024-0743.patch
+CVE-2024-6602.patch
+CVE-2024-6609.patch
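Review bot: The added `if (err < MP_OKAY)` test in the ec.c change runs on every path into `cleanup`, so it is correct only if `err` is initialised before the first jump to the label; the declaration is outside this hunk and should be confirmed against the 3.87.1 source the patch applies to. As written, an MPI failure now forces `rv = SECFailure`, which routes into the existing `PORT_FreeArena(arena, PR_TRUE)` call instead of leaving the arena alive with whatever status `rv` held. A one-line comment above the block, for example `/* an MPI error must never leave rv at SECSuccess */`, would record why the check sits in cleanup. The function starts outside the hunk, so whether any output pointer still refers to the freed arena cannot be verified from here.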