Version in base suite: 3.42.1-1+deb10u1 Base version: nss_3.42.1-1+deb10u1 Target version: nss_3.42.1-1+deb10u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/nss/nss_3.42.1-1+deb10u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/nss/nss_3.42.1-1+deb10u2.dsc changelog | 6 + patches/CVE-2019-11745.patch | 19 ++++++ patches/CVE-2019-17007.patch | 130 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 157 insertions(+)
diff -Nru nss-3.42.1/debian/changelog nss-3.42.1/debian/changelog
--- nss-3.42.1/debian/changelog 2019-08-22 22:03:22.000000000 +0000
+++ nss-3.42.1/debian/changelog 2019-12-03 21:17:43.000000000 +0000
@@ -1,3 +1,9 @@
+nss (2:3.42.1-1+deb10u2) buster-security; urgency=medium
+
+ * CVE-2019-11745 CVE-2019-17007
+
+ -- Moritz Mühlenhoff Tue, 03 Dec 2019 22:17:43 +0100
+
 nss (2:3.42.1-1+deb10u1) buster; urgency=medium

 * Fixes for CVE-2019-11719, CVE-2019-11727 and CVE-2019-11729 (in unstable
diff -Nru nss-3.42.1/debian/patches/CVE-2019-11745.patch nss-3.42.1/debian/patches/CVE-2019-11745.patch
--- nss-3.42.1/debian/patches/CVE-2019-11745.patch 1970-01-01 00:00:00.000000000 +0000
+++ nss-3.42.1/debian/patches/CVE-2019-11745.patch 2019-12-03 21:14:57.000000000 +0000
@@ -0,0 +1,19 @@
+
+# HG changeset patch
+# User Craig Disselkoen
+# Date 1574189697 25200
+# Node ID 60bca7c6dc6dc44579b9b3e0fb62ca3b82d92eec
+# Parent 64e55c9f658e2a75f0835d00a8a1cdc2f25c74d6
+Bug 1586176 - EncryptUpdate should use maxout not block size. r=franziskus
+
+--- a/nss/lib/softoken/pkcs11c.c
++++ b/nss/lib/softoken/pkcs11c.c
+@@ -1285,7 +1285,7 @@ NSC_EncryptUpdate(CK_SESSION_HANDLE hSes
+ }
+ /* encrypt the current padded data */
+ rv = (*context->update)(context->cipherInfo, pEncryptedPart,
+- &padoutlen, context->blockSize, context->padBuf,
++ &padoutlen, maxout, context->padBuf,
+ context->blockSize);
+ if (rv != SECSuccess) {
+ return sftk_MapCryptError(PORT_GetError());
diff -Nru nss-3.42.1/debian/patches/CVE-2019-17007.patch nss-3.42.1/debian/patches/CVE-2019-17007.patch
--- nss-3.42.1/debian/patches/CVE-2019-17007.patch 1970-01-01 00:00:00.000000000 +0000
+++ nss-3.42.1/debian/patches/CVE-2019-17007.patch 2019-12-03 21:17:13.000000000 +0000
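Review bot: The one-line fix in `NSC_EncryptUpdate` carries neither a comment nor a regression test for the invariant it now depends on: that `context->update` fails rather than writing more than `maxout` bytes, which is presumably the caller's remaining output space. A comment above the call, such as `/* pass the caller's remaining space; update must fail instead of writing a full block into a smaller buffer */`, would keep a later cleanup from restoring `context->blockSize`. Whether every cipher behind `context->update` enforces its output limit is not visible in this hunk and is worth confirming, as is whether `sftk_MapCryptError` reports that failure to the PKCS#11 caller as a buffer-too-small condition. A test that drives a padding context with an output buffer shorter than one block would pin the behaviour. The function body starts and ends outside the hunk.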
@@ -0,0 +1,130 @@
+
+# HG changeset patch
+# User Dana Keeler
+# Date 1553112229 25200
+# Node ID 1473dd7efe2ce4f8722a33ebb03a3425e09887de
+# Parent e8136553ef86fb9dd04119ee66014f624fbcf18d
+Bug 1533216 - check we actually got some certs in collect_certs r=jcj
+
+diff --git a/nss/gtests/certdb_gtest/certdb_gtest.gyp b/nss/gtests/certdb_gtest/certdb_gtest.gyp
+--- a/nss/gtests/certdb_gtest/certdb_gtest.gyp
++++ b/nss/gtests/certdb_gtest/certdb_gtest.gyp
+@@ -7,23 +7,25 @@
+ '../common/gtest.gypi',
+ ],
+ 'targets': [
+ {
+ 'target_name': 'certdb_gtest',
+ 'type': 'executable',
+ 'sources': [
+ 'alg1485_unittest.cc',
++ 'decode_certs_unittest.cc',
+ '<(DEPTH)/gtests/common/gtests.cc'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:nss_exports',
+ '<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
+ '<(DEPTH)/lib/util/util.gyp:nssutil3',
+ '<(DEPTH)/lib/ssl/ssl.gyp:ssl3',
+ '<(DEPTH)/lib/nss/nss.gyp:nss3',
++ '<(DEPTH)/lib/smime/smime.gyp:smime3',
+ ]
+ }
+ ],
+ 'variables': {
+ 'module': 'nss'
+ }
+ }
+diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+new file mode 100644
+--- /dev/null
++++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+@@ -0,0 +1,28 @@
++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/* vim: set ts=2 et sw=2 tw=80: */
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
++ * You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++#include "gtest/gtest.h"
++
++#include "cert.h"
++#include "prerror.h"
++#include "secerr.h"
++
++class DecodeCertsTest : public ::testing::Test {};
++
++TEST_F(DecodeCertsTest, EmptyCertPackage) {
++ // This represents a PKCS#7 ContentInfo with a contentType of
++ // '2.16.840.1.113730.2.5' (Netscape data-type cert-sequence) and a content
++ // consisting of an empty SEQUENCE. This is valid ASN.1, but it contains no
++ // certificates, so CERT_DecodeCertFromPackage should just return a null
++ // pointer.
++ unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
++ 0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
++ 0x05, 0xa0, 0x02, 0x30, 0x00};
++ EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
++ reinterpret_cast(emptyCertPackage),
++ sizeof(emptyCertPackage)));
++ EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
++}
+diff --git a/nss/gtests/certdb_gtest/manifest.mn b/nss/gtests/certdb_gtest/manifest.mn
+--- a/nss/gtests/certdb_gtest/manifest.mn
++++ b/nss/gtests/certdb_gtest/manifest.mn
+@@ -3,16 +3,17 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ CORE_DEPTH = ../..
+ DEPTH = ../..
+ MODULE = nss
+
+ CPPSRCS = \
+ alg1485_unittest.cc \
++ decode_certs_unittest.cc \
+ $(NULL)
+
+ INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \
+ -I$(CORE_DEPTH)/gtests/common \
+ -I$(CORE_DEPTH)/cpputil
+
+ REQUIRES = nspr nss libdbm gtest
+
+diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c
+--- a/nss/lib/pkcs7/certread.c
++++ b/nss/lib/pkcs7/certread.c
+@@ -487,24 +487,26 @@ loser:
+ typedef struct {
+ PLArenaPool *arena;
+ SECItem cert;
+ } collect_args;
+
+ static SECStatus
+ collect_certs(void *arg, SECItem **certs, int numcerts)
+ {
+- SECStatus rv;
+- collect_args *collectArgs;
+-
+- collectArgs = (collect_args *)arg;
+-
+- rv = SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
+-
+- return (rv);
++ collect_args *collectArgs = (collect_args *)arg;
++ if (!collectArgs || !collectArgs->arena) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ return SECFailure;
++ }
++ if (numcerts < 1 || !certs || !*certs) {
++ PORT_SetError(SEC_ERROR_BAD_DER);
++ return SECFailure;
++ }
++ return SECITEM_CopyItem(collectArgs->arena, &collectArgs->cert, *certs);
+ }
+
+ /*
+ * read an old style ascii or binary certificate
+ */
+ CERTCertificate *
+ CERT_DecodeCertFromPackage(char *certbuf, int certlen)
+ {
+
diff -Nru nss-3.42.1/debian/patches/series nss-3.42.1/debian/patches/series
--- nss-3.42.1/debian/patches/series 2019-08-22 22:03:22.000000000 +0000
+++ nss-3.42.1/debian/patches/series 2019-12-03 21:17:32.000000000 +0000
@@ -3,3 +3,5 @@
 85_security_load.patch
 38_hppa.patch
 CVE-2019-11719_CVE-2019-11727_CVE-2019-11729.patch
+CVE-2019-11745.patch
+CVE-2019-17007.patch
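Review bot: The empty-package guard added to `collect_certs` (`numcerts < 1 || !certs || !*certs`) protects only this one static callback in certread.c. The decoder that invokes it with an empty certificate list lies outside the hunk, so any other callback passed to that decoder, if one exists, would presumably still dereference `*certs` unless it repeats the check. Rejecting a zero-certificate package once in the decoder, before any callback runs, would cover all of them. In the new `EmptyCertPackage` test, the `SEC_ERROR_BAD_DER` assertion can be satisfied by an error code left over from earlier code; adding `PR_SetError(0, 0);` before the `CERT_DecodeCertFromPackage` call would tie it to this path. The `reinterpret_cast` in that test is shown without a target type, which looks like a page-extraction loss of `<char *>` rather than part of the patch.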