diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index a6ec51c248fa..c8bf24013631 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -NSS_3_101_2_RTM \ No newline at end of file +NSS_3_101_3_RTM \ No newline at end of file diff --git a/security/nss/cmd/pk12util/pk12util.c b/security/nss/cmd/pk12util/pk12util.c index 764942af9c23..182b3fd8a778 100644 --- a/security/nss/cmd/pk12util/pk12util.c +++ b/security/nss/cmd/pk12util/pk12util.c @@ -449,10 +449,10 @@ p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot, /* revert the option setting */ if (forceUnicode != pk12uForceUnicode) { - rv = NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode); - if (rv != SECSuccess) { + if (SECSuccess != NSS_OptionSet(__NSS_PKCS12_DECODE_FORCE_UNICODE, pk12uForceUnicode)) { SECU_PrintError(progName, "PKCS12 decoding failed to set option"); pk12uErrno = PK12UERR_DECODEVERIFY; + rv = SECFailure; } } /* rv has been set at this point */ diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 5182f75552c8..590d1bfaeee3 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff --git a/security/nss/doc/rst/releases/index.rst b/security/nss/doc/rst/releases/index.rst index 1179e068b6e2..ef94d759691f 100644 --- a/security/nss/doc/rst/releases/index.rst +++ b/security/nss/doc/rst/releases/index.rst @@ -8,6 +8,8 @@ Releases :glob: :hidden: + nss_3_101_3.rst + nss_3_101_2.rst nss_3_101_1.rst nss_3_101.rst nss_3_100.rst @@ -67,12 +69,18 @@ Releases .. note:: - **NSS 3.101.1 (ESR)** is the latest ESR version of NSS. - Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_1_release_notes` + **NSS 3.101.3 (ESR)** is the latest ESR version of NSS. + Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_101_3_release_notes` .. container:: - Changes in 3.101.1 included in this release: + Changes in 3.101.3 included in this release: - - Bug 1901932 - missing sqlite header. - - Bug 1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. + - Bug 1935984 - Ensure zero-initialization of collectArgs.cert + - Bug 1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if NSS_DISABLE_DBM is set + - Bug 1926256 - fix build error from 9505f79d + - Bug 1926256 - simplify error handling in get_token_objects_for_cache. + - Bug 1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. + - Bug 1909768 - UBSAN fix: applying zero offset to null pointer in sslsnce.c. + - Bug 1908623 - move list size check after lock acquisition in sftk_PutObjectToList. + - Bug 1899402 - Correctly destroy bulkkey in error scenario. diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c index 302a6b56270b..50b2b07c36a3 100644 --- a/security/nss/lib/dev/devutil.c +++ b/security/nss/lib/dev/devutil.c @@ -577,9 +577,11 @@ get_token_objects_for_cache( } else { PRUint32 j; for (j = 0; j < i; j++) { - /* Any token references that were removed in successful loop iterations - * need to be restored before we call nssCryptokiObjectArray_Destroy */ - nssToken_AddRef(cache->objects[objectType][j]->object->token); + /* Objects that were successfully added to the cache do not own a + * token reference (they share a reference with the cache itself). + * Nulling out the pointer here prevents the token's refcount + * from being decremented in nssCryptokiObject_Destroy */ + cache->objects[objectType][j]->object->token = NULL; nssArena_Destroy(cache->objects[objectType][j]->arena); } nss_ZFreeIf(cache->objects[objectType]); diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 81958725e80f..2c5066750695 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -22,10 +22,10 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.101.1" _NSS_CUSTOMIZED +#define NSS_VERSION "3.101.3" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 101 -#define NSS_VPATCH 1 +#define NSS_VPATCH 3 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE diff --git a/security/nss/lib/pkcs7/certread.c b/security/nss/lib/pkcs7/certread.c index 15094f2d7886..1d44e0e38ea7 100644 --- a/security/nss/lib/pkcs7/certread.c +++ b/security/nss/lib/pkcs7/certread.c @@ -520,6 +520,8 @@ CERT_DecodeCertFromPackage(char *certbuf, int certlen) CERTCertificate *cert = NULL; collectArgs.arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + collectArgs.cert.data = NULL; + collectArgs.cert.len = 0; rv = CERT_DecodeCertPackage(certbuf, certlen, collect_certs, (void *)&collectArgs); diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c index 641d201e5ad0..a6a98960f965 100644 --- a/security/nss/lib/pkcs7/p7decode.c +++ b/security/nss/lib/pkcs7/p7decode.c @@ -542,6 +542,7 @@ sec_pkcs7_decoder_start_decrypt(SEC_PKCS7DecoderContext *p7dcx, int depth, * We are done with (this) bulkkey now. */ PK11_FreeSymKey(bulkkey); + bulkkey = NULL; if (decryptobj == NULL) { p7dcx->error = PORT_GetError(); diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index b32c8bcdd152..d45957b7c7bc 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -3182,14 +3182,15 @@ SFTK_DestroySlotData(SFTKSlot *slot) char ** NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args) { -#ifndef NSS_DISABLE_DBM +#ifdef NSS_DISABLE_DBM + return NSSUTIL_DoModuleDBFunction(function, parameters, args); +#else char *secmod = NULL; char *appName = NULL; char *filename = NULL; NSSDBType dbType = NSS_DB_TYPE_NONE; PRBool rw; static char *success = "Success"; -#endif /* NSS_DISABLE_DBM */ char **rvstr = NULL; rvstr = NSSUTIL_DoModuleDBFunction(function, parameters, args); @@ -3201,7 +3202,6 @@ NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args) return NULL; } -#ifndef NSS_DISABLE_DBM /* The legacy database uses the old dbm, which is only linked with the * legacy DB handler, which is only callable from softoken */ @@ -3293,8 +3293,8 @@ loser: PORT_Free(appName); if (filename) PORT_Free(filename); -#endif /* NSS_DISABLE_DBM */ return rvstr; +#endif /* NSS_DISABLE_DBM */ } static void diff --git a/security/nss/lib/softoken/pkcs11u.c b/security/nss/lib/softoken/pkcs11u.c index a3e7140ae9da..ce78f349306a 100644 --- a/security/nss/lib/softoken/pkcs11u.c +++ b/security/nss/lib/softoken/pkcs11u.c @@ -994,13 +994,16 @@ sftk_PutObjectToList(SFTKObject *object, SFTKObjectFreeList *list, */ PRBool optimizeSpace = isSessionObject && ((SFTKSessionObject *)object)->optimizeSpace; - if (object->refLock && !optimizeSpace && (list->count < MAX_OBJECT_LIST_SIZE)) { + if (object->refLock && !optimizeSpace) { PZ_Lock(list->lock); - object->next = list->head; - list->head = object; - list->count++; + if (list->count < MAX_OBJECT_LIST_SIZE) { + object->next = list->head; + list->head = object; + list->count++; + PZ_Unlock(list->lock); + return; + } PZ_Unlock(list->lock); - return; } if (isSessionObject) { SFTKSessionObject *so = (SFTKSessionObject *)object; diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index e770d662b86c..e3efdd37d83c 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -17,10 +17,10 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.101.1" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.101.3" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 101 -#define SOFTOKEN_VPATCH 1 +#define SOFTOKEN_VPATCH 3 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE diff --git a/security/nss/lib/ssl/sslsnce.c b/security/nss/lib/ssl/sslsnce.c index 49f041c972db..09426658a5e6 100644 --- a/security/nss/lib/ssl/sslsnce.c +++ b/security/nss/lib/ssl/sslsnce.c @@ -1878,8 +1878,6 @@ getSvrWrappingKey(unsigned int symWrapMechIndex, cacheDesc *cache, PRUint32 lockTime) { - PRUint32 ndx = (wrapKeyIndex * SSL_NUM_WRAP_MECHS) + symWrapMechIndex; - SSLWrappedSymWrappingKey *pwswk = cache->keyCacheData + ndx; PRUint32 now = 0; PRBool rv = SECFailure; @@ -1887,6 +1885,10 @@ getSvrWrappingKey(unsigned int symWrapMechIndex, PORT_SetError(SSL_ERROR_SERVER_CACHE_NOT_CONFIGURED); return SECFailure; } + + PRUint32 ndx = (wrapKeyIndex * SSL_NUM_WRAP_MECHS) + symWrapMechIndex; + SSLWrappedSymWrappingKey *pwswk = cache->keyCacheData + ndx; + if (!lockTime) { now = LockSidCacheLock(cache->keyCacheLock, 0); if (!now) { diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 7f5ab90c9948..12228c75481f 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h @@ -19,10 +19,10 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.101.1" +#define NSSUTIL_VERSION "3.101.3" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 101 -#define NSSUTIL_VPATCH 1 +#define NSSUTIL_VPATCH 3 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE diff --git a/security/nss/lib/util/utilmod.c b/security/nss/lib/util/utilmod.c index 3ed7b3dd61c9..e005ed7dd754 100644 --- a/security/nss/lib/util/utilmod.c +++ b/security/nss/lib/util/utilmod.c @@ -308,6 +308,7 @@ nssutil_growList(char ***pModuleList, int *useCount, int last) return SECSuccess; } +#ifndef NSS_DISABLE_DBM static char * _NSSUTIL_GetOldSecmodName(const char *dbname, const char *filename) { @@ -332,6 +333,7 @@ _NSSUTIL_GetOldSecmodName(const char *dbname, const char *filename) PORT_Free(dirPath); return file; } +#endif // NSS_DISABLE_DBM static SECStatus nssutil_AddSecmodDBEntry(const char *appName, const char *filename, @@ -567,6 +569,7 @@ nssutil_ReadSecmodDB(const char *appName, moduleString = NULL; } done: +#ifndef NSS_DISABLE_DBM /* if we couldn't open a pkcs11 database, look for the old one */ if (fd == NULL) { char *olddbname = _NSSUTIL_GetOldSecmodName(dbname, filename); @@ -591,6 +594,7 @@ done: PR_smprintf_free(olddbname); } } +#endif // NSS_DISABLE_DBM return_default: