Just in case anyone else is in the same boat, here's my preliminary work of copying Bullseye's CVE patches to Buster's libnss.
The patch should apply directly to an expanded 'apt-get source libnss3' on Debian Buster. If you want to do it yourself, simply copying these two patch files from bullseye to buster was enough; they applied cleanly. - Chris
Patch to apply to freshly expanded sources of 3.42.1-1+deb10u8 to create 3.42.1-1+deb10u9.
diff --git a/.pc/applied-patches b/.pc/applied-patches
index 533a62a..3ee580f 100644
--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -20,3 +20,5 @@ CVE-2020-25648.patch
 CVE-2023-4421.patch
 CVE-2024-0743.patch
 CVE-2023-5388.patch
+CVE-2024-6602.patch
+CVE-2024-6609.patch
diff --git a/debian/changelog b/debian/changelog
index de6682e..60e9722 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+nss (2:3.42.1-1+deb10u9) buster-security; urgency=medium
+
+ * Copied CVE-2024-6602 and CE-2024-6609 from bullseye
+
+ -- Chris Frey <cdf...@foursquare.net> Tue, 29 Oct 2024 02:46:00 -0400
+
 nss (2:3.42.1-1+deb10u8) buster-security; urgency=medium
 
 * Non-maintainer upload by the LTS Security Team.
diff --git a/debian/patches/CVE-2024-6602.patch b/debian/patches/CVE-2024-6602.patch
new file mode 100644
index 0000000..3556809
--- /dev/null
+++ b/debian/patches/CVE-2024-6602.patch
@@ -0,0 +1,65 @@
+
+# HG changeset patch
+# User John Schanck <jscha...@mozilla.com>
+# Date 1716230774 0
+# Node ID f9b22115dc97be76e388dc9d0dca946dde955e64
+# Parent dbd189b826b80eb0ff99d7769e16482624434682
+Bug 1895032 - remove redundant AllocItem implementation. r=nss-reviewers,rrelyea
+
+Differential Revision: https://phabricator.services.mozilla.com/D209476
+
+diff --git a/nss/lib/util/secitem.c b/nss/lib/util/secitem.c
+--- a/nss/lib/util/secitem.c
++++ b/nss/lib/util/secitem.c
+@@ -233,45 +233,30 @@ SECITEM_DupItem(const SECItem *from)
+ }
+
+ SECItem *
+ SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from)
+ {
+ SECItem *to;
+
+ if (from == NULL) {
+- return (NULL);
+- }
+-
+- if (arena != NULL) {
+- to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
+- } else {
+- to = (SECItem *)PORT_Alloc(sizeof(SECItem));
+- }
+- if (to == NULL) {
+- return (NULL);
++ return NULL;
+ }
+
+- if (arena != NULL) {
+- to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len);
+- } else {
+- to->data = (unsigned char *)PORT_Alloc(from->len);
+- }
+- if (to->data == NULL) {
+- PORT_Free(to);
+- return (NULL);
++ to = SECITEM_AllocItem(arena, NULL, from->len);
++ if (to == NULL) {
++ return NULL;
+ }
+
+- to->len = from->len;
+ to->type = from->type;
+ if (to->len) {
+ PORT_Memcpy(to->data, from->data, to->len);
+ }
+
+- return (to);
++ return to;
+ }
+
+ SECStatus
+ SECITEM_CopyItem(PLArenaPool *arena, SECItem *to, const SECItem *from)
+ {
+ to->type = from->type;
+ if (from->data && from->len) {
+ if (arena) {
+
diff --git a/debian/patches/CVE-2024-6609.patch b/debian/patches/CVE-2024-6609.patch
new file mode 100644
index 0000000..fefb280
--- /dev/null
+++ b/debian/patches/CVE-2024-6609.patch
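Review bot: The rewritten `SECITEM_ArenaDupItem` in debian/patches/CVE-2024-6602.patch (and the identical change applied to nss/lib/util/secitem.c further down) no longer assigns `to->len` or checks `to->data` itself, so the `if (to->len)` copy is only correct if `SECITEM_AllocItem(arena, NULL, from->len)` sets both fields and returns NULL when the data allocation fails. That helper is not shown on this page, and the upstream change was written against a newer NSS than 3.42.1, so the Buster copy of `SECITEM_AllocItem` should be checked for that contract, including the `from->len == 0` case. The removed lines called `PORT_Free(to)` even when `to` had come from `PORT_ArenaAlloc`, which appears to be the defect being closed, yet the patch header only says "remove redundant AllocItem implementation". A DEP-3 line such as `Description: CVE-2024-6602 - SECITEM_ArenaDupItem must not PORT_Free() an arena-allocated item` would make the security relevance visible in the patch file.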
@@ -0,0 +1,18 @@
+origin: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/t9JmsYkujWM/m/HjKuk-ngBAAJ
+
+---
+
+diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c
+--- a/nss/lib/freebl/ec.c
++++ b/nss/lib/freebl/ec.c
+@@ -297,6 +297,10 @@ done:
+
+ cleanup:
+ mp_clear(&k);
++ if (err < MP_OKAY) {
++ MP_TO_SEC_ERROR(err);
++ rv = SECFailure;
++ }
+ if (rv) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 0286298..ef1ef66 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,3 +22,5 @@ CVE-2023-4421.patch
 #CVE-2023-6135-part2.patch -- see dEP3 header of patch file
 CVE-2024-0743.patch
 CVE-2023-5388.patch
+CVE-2024-6602.patch
+CVE-2024-6609.patch
diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c
index 7c460cd..798fb43 100644
--- a/nss/lib/freebl/ec.c
+++ b/nss/lib/freebl/ec.c
@@ -297,6 +297,10 @@ done:
 
 cleanup:
 mp_clear(&k);
+ if (err < MP_OKAY) {
+ MP_TO_SEC_ERROR(err);
+ rv = SECFailure;
+ }
 if (rv) {
 PORT_FreeArena(arena, PR_TRUE);
 }
diff --git a/nss/lib/util/secitem.c b/nss/lib/util/secitem.c
index cd69961..6ba11a5 100644
--- a/nss/lib/util/secitem.c
+++ b/nss/lib/util/secitem.c
@@ -238,35 +238,20 @@ SECITEM_ArenaDupItem(PLArenaPool *arena, const SECItem *from)
 SECItem *to;
 
 if (from == NULL) {
- return (NULL);
+ return NULL;
 }
 
- if (arena != NULL) {
- to = (SECItem *)PORT_ArenaAlloc(arena, sizeof(SECItem));
- } else {
- to = (SECItem *)PORT_Alloc(sizeof(SECItem));
- }
+ to = SECITEM_AllocItem(arena, NULL, from->len);
 if (to == NULL) {
- return (NULL);
- }
-
- if (arena != NULL) {
- to->data = (unsigned char *)PORT_ArenaAlloc(arena, from->len);
- } else {
- to->data = (unsigned char *)PORT_Alloc(from->len);
- }
- if (to->data == NULL) {
- PORT_Free(to);
- return (NULL);
+ return NULL;
 }
 
- to->len = from->len;
 to->type = from->type;
 if (to->len) {
 PORT_Memcpy(to->data, from->data, to->len);
 }
 
- return (to);
+ return to;
 }
 
 SECStatus
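Review bot: The added `if (err < MP_OKAY)` block after `cleanup:` in debian/patches/CVE-2024-6609.patch (and the same lines applied to nss/lib/freebl/ec.c below) is only correct if `err` is initialised to `MP_OKAY` before the first jump to `cleanup:`, which the hunk does not show. The enclosing function starts outside the hunk and the hunk header names only the `done:` label, so it is worth confirming that the lines landed in the intended function of the 3.42.1 ec.c. The block should carry a comment along the lines of `/* an MPI error can reach cleanup while rv is not SECFailure; map it so the arena is freed and the caller sees the failure */`, worded as a presumption until the function body is checked. The patch file has only an `origin:` link, so a `Description:` line naming the CVE would match the DEP-3 headers that the series file refers to. The changelog entry spells the id `CE-2024-6609`, so a search of the changelog for the CVE id will miss this upload.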