Version in base suite: 3.61-1+deb11u2

Base version: nss_3.61-1+deb11u2
Target version: nss_3.61-1+deb11u3
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nss/nss_3.61-1+deb11u2.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nss/nss_3.61-1+deb11u3.dsc

 changelog                   |    7 ++
 patches/CVE-2023-0767.patch |  120 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 128 insertions(+)

diff -Nru nss-3.61/debian/changelog nss-3.61/debian/changelog
--- nss-3.61/debian/changelog	2022-01-23 07:55:45.000000000 +0000
+++ nss-3.61/debian/changelog	2023-02-15 20:31:28.000000000 +0000
@@ -1,3 +1,10 @@
+nss (2:3.61-1+deb11u3) bullseye-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Improve handling of unknown PKCS#12 safe bag types (CVE-2023-0767)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 15 Feb 2023 21:31:28 +0100
+
 nss (2:3.61-1+deb11u2) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru nss-3.61/debian/patches/CVE-2023-0767.patch nss-3.61/debian/patches/CVE-2023-0767.patch
--- nss-3.61/debian/patches/CVE-2023-0767.patch	1970-01-01 00:00:00.000000000 +0000
+++ nss-3.61/debian/patches/CVE-2023-0767.patch	2023-02-15 20:31:28.000000000 +0000
@@ -0,0 +1,120 @@
+
+# HG changeset patch
+# User John M. Schanck <jschanck@mozilla.com>
+# Date 1675974326 0
+# Node ID 684586ec163ad4fbbf15ea2cd1ee5c2da43036ad
+# Parent  58d7a8a55aea6a363bb8c7a9a7752739c4d32823
+Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. r=rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D167443
+
+diff --git a/nss/lib/pkcs12/p12d.c b/nss/lib/pkcs12/p12d.c
+--- a/nss/lib/pkcs12/p12d.c
++++ b/nss/lib/pkcs12/p12d.c
+@@ -332,41 +332,48 @@ sec_pkcs12_decoder_safe_bag_update(void 
+                                    unsigned long len, int depth,
+                                    SEC_ASN1EncodingPart data_kind)
+ {
+     sec_PKCS12SafeContentsContext *safeContentsCtx =
+         (sec_PKCS12SafeContentsContext *)arg;
+     SEC_PKCS12DecoderContext *p12dcx;
+     SECStatus rv;
+ 
+-    /* make sure that we are not skipping the current safeBag,
+-     * and that there are no errors.  If so, just return rather
+-     * than continuing to process.
+-     */
+-    if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
+-        safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++    if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
+         return;
+     }
+     p12dcx = safeContentsCtx->p12dcx;
+ 
++    /* make sure that there are no errors and we are not skipping the current safeBag */
++    if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++        goto loser;
++    }
++
+     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
+     if (rv != SECSuccess) {
+         p12dcx->errorValue = PORT_GetError();
++        p12dcx->error = PR_TRUE;
++        goto loser;
++    }
++
++    /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
++     * may not get another opportunity to clean up the decoder context.
++     */
++    if (safeContentsCtx->skipCurrentSafeBag) {
+         goto loser;
+     }
+ 
+     return;
+ 
+ loser:
+-    /* set the error, and finish the decoder context.  because there
++    /* Finish the decoder context. Because there
+      * is not a way of returning an error message, it may be worth
+      * while to do a check higher up and finish any decoding contexts
+      * that are still open.
+      */
+-    p12dcx->error = PR_TRUE;
+     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
+     safeContentsCtx->currentSafeBagA1Dcx = NULL;
+     return;
+ }
+ 
+ /* notify function for decoding safeBags.  This function is
+  * used to filter safeBag types which are not supported,
+  * initiate the decoding of nested safe contents, and decode
+diff --git a/nss/lib/pkcs12/p12t.h b/nss/lib/pkcs12/p12t.h
+--- a/nss/lib/pkcs12/p12t.h
++++ b/nss/lib/pkcs12/p12t.h
+@@ -68,16 +68,17 @@ struct sec_PKCS12SafeBagStr {
+     /* Dependent upon the type of bag being used. */
+     union {
+         SECKEYPrivateKeyInfo *pkcs8KeyBag;
+         SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
+         sec_PKCS12CertBag *certBag;
+         sec_PKCS12CRLBag *crlBag;
+         sec_PKCS12SecretBag *secretBag;
+         sec_PKCS12SafeContents *safeContents;
++        SECItem *unknownBag;
+     } safeBagContent;
+ 
+     sec_PKCS12Attribute **attribs;
+ 
+     /* used locally */
+     SECOidData *bagTypeTag;
+     PLArenaPool *arena;
+     unsigned int nAttribs;
+diff --git a/nss/lib/pkcs12/p12tmpl.c b/nss/lib/pkcs12/p12tmpl.c
+--- a/nss/lib/pkcs12/p12tmpl.c
++++ b/nss/lib/pkcs12/p12tmpl.c
+@@ -25,22 +25,22 @@ sec_pkcs12_choose_safe_bag_type(void *sr
+     if (src_or_dest == NULL) {
+         return NULL;
+     }
+ 
+     safeBag = (sec_PKCS12SafeBag *)src_or_dest;
+ 
+     oiddata = SECOID_FindOID(&safeBag->safeBagType);
+     if (oiddata == NULL) {
+-        return SEC_ASN1_GET(SEC_AnyTemplate);
++        return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+     }
+ 
+     switch (oiddata->offset) {
+         default:
+-            theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
++            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+             theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+             theTemplate = sec_PKCS12PointerToCertBagTemplate;
+             break;
+         case SEC_OID_PKCS12_V1_CRL_BAG_ID:
+
diff -Nru nss-3.61/debian/patches/series nss-3.61/debian/patches/series
--- nss-3.61/debian/patches/series	2022-01-23 07:55:45.000000000 +0000
+++ nss-3.61/debian/patches/series	2023-02-15 20:31:28.000000000 +0000
@@ -4,3 +4,4 @@
 38_hppa.patch
 CVE-2021-43527.patch
 CVE-2022-22747.patch
+CVE-2023-0767.patch