meta-oe/recipes-support/nss/nss/CVE-2022-22747.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

# HG changeset patch
# User John M. Schanck <jschanck@mozilla.com>
# Date 1633990165 0
# Node ID 7ff99e71f3e37faed12bc3cc90a3eed27e3418d0
# Parent  f80fafd04cf82b4d315c8fe42bb4639703f6ee4f
Bug 1735028 - check for missing signedData field r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D128112

Upstream-Status: Backport [https://hg.mozilla.org/projects/nss/raw-rev/7ff99e71f3e37faed12bc3cc90a3eed27e3418d0]
CVE: CVE-2022-22747
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>

diff --git a/nss/gtests/certdb_gtest/decode_certs_unittest.cc b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
--- a/nss/gtests/certdb_gtest/decode_certs_unittest.cc
+++ b/nss/gtests/certdb_gtest/decode_certs_unittest.cc
@@ -21,8 +21,21 @@ TEST_F(DecodeCertsTest, EmptyCertPackage
   unsigned char emptyCertPackage[] = {0x30, 0x0f, 0x06, 0x09, 0x60, 0x86,
                                       0x48, 0x01, 0x86, 0xf8, 0x42, 0x02,
                                       0x05, 0xa0, 0x02, 0x30, 0x00};
   EXPECT_EQ(nullptr, CERT_DecodeCertFromPackage(
                          reinterpret_cast<char*>(emptyCertPackage),
                          sizeof(emptyCertPackage)));
   EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
 }
+
+TEST_F(DecodeCertsTest, EmptySignedData) {
+  // This represents a PKCS#7 ContentInfo of contentType
+  // 1.2.840.113549.1.7.2 (signedData) with missing content.
+  unsigned char emptySignedData[] = {0x30, 0x80, 0x06, 0x09, 0x2a, 0x86,
+                                     0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
+                                     0x02, 0x00, 0x00, 0x05, 0x00};
+
+  EXPECT_EQ(nullptr,
+            CERT_DecodeCertFromPackage(reinterpret_cast<char*>(emptySignedData),
+                                       sizeof(emptySignedData)));
+  EXPECT_EQ(SEC_ERROR_BAD_DER, PR_GetError());
+}
diff --git a/nss/lib/pkcs7/certread.c b/nss/lib/pkcs7/certread.c
--- a/nss/lib/pkcs7/certread.c
+++ b/nss/lib/pkcs7/certread.c
@@ -134,16 +134,21 @@ SEC_ReadPKCS7Certs(SECItem *pkcs7Item, C
                            pkcs7Item) != SECSuccess) {
         goto done;
     }
 
     if (GetContentTypeTag(&contentInfo) != SEC_OID_PKCS7_SIGNED_DATA) {
         goto done;
     }
 
+    if (contentInfo.content.signedData == NULL) {
+        PORT_SetError(SEC_ERROR_BAD_DER);
+        goto done;
+    }
+
     rv = SECSuccess;
 
     certs = contentInfo.content.signedData->certificates;
     if (certs) {
         count = 0;
 
         while (*certs) {
             count++;