Closed Bug 641052 (CVE-2011-3640) Opened 14 years ago Closed 14 years ago

NSS_NoDB_Init should not try to open /pkcs11.txt and /secmod.db

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

(Whiteboard: [sg:moderate])

Attachments

(1 file, 2 obsolete files)

Patch v3
4.60 KB, patch
Details | Diff | Splinter Review
Although NSS_NoDB_Init takes a 'configdir' argument, it ignores the argument: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/nss/nssinit.c&rev=1.106&mark=838#834 A coworker of mine ran strace on a simple program that calls NSS_NoDB_Init(NULL). strace showed that NSS_NoDB_Init tries to open /pkcs11.txt and /secmod.db. NSS_NoDB_Init should not try to open /pkcs11.txt and /secmod.db because those are not the intended file paths.
Bob, please review this patch. This bug was rediscovered and reported in Chromium bug 97426: http://code.google.com/p/chromium/issues/detail?id=97426 This patch makes NSS_NoDB_Init try to open "" and "" (empty string pathnames) instead of "/pkcs11.txt" and "/secmod.db". Ideally NSS_NoDB_Init should not try to open the pkcs11 and secmod databases at all, but I don't know the code well enough to do that. The patch does two things: 1. Make sftk_getSecmodName return "" and "" as the pkcs11 and secmod database pathnames if the noModDB flag is specified. 2. Make sftk_getOldSecmodName work correctly if dbname does not contain any path separator (i.e., it contains just a file name or is an empty string).
Assignee: nobody → wtc
Status: NEW → ASSIGNED
Attachment #562178 - Flags: review?(rrelyea)
Comment on attachment 562178 [details] [diff] [review] Proposed patch: make NSS_NoDB_Init try to open "" and "" instead of "/pkcs11.txt" and "/secmod.db" Two changes in this patch need extra explanation. >-#ifdef WINDOWS >+#ifdef _WIN32 coreconf/WIN32.mk defines _WINDOWS, not WINDOWS. But I use _WIN32 for consistency (used elsewhere in the same file). >- if (lconfigdir) { >+ if (noModDB) { >+ value = PR_smprintf(""); >+ } else if (lconfigdir && lconfigdir[0] != '\0') { > value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName); > } else { > value = PR_smprintf("%s",secmodName); > } For a NSS_NoDB_Init(NULL) call, lconfigdir is "" as opposed to NULL. (This is why we ended up with "/pkcs11.txt".) So we also need to test for an empty string.
Priority: P2 → P1
Target Milestone: --- → 3.13
Ah... We handle the regular databases correctly, but we don't handle secomd/pkcs11.txt... I would go ahead and return NULL for the filename and value from sftk_getSecmodName(), then check dbname for NULL in each of the following entry points (before the legacy DB call): sftkdb_DeleteSecmodDB - return SECFailure sftkdb_AddSecmodDB - return SECFailure sftkdb_ReleaseSecmodDBData - skip the legacy if and continue.. (I.E. -if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) { +if ((dbname != NULL) && ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) { sftkdb_ReadSecmodDB - skip the entire function to the if which reads... if (!moduleList[0]) { -------------------------------- Other comments on the patch.. + /* XXX is this a good idea? when we can't open a sql: cert database, + * do we also look for the old cert database? */ yes, it's required. The semantics of sql: is to fall back to the oldDB it the sql db doesn't exist and the old one does. If the DB was open rw, the database is updated. For the NSS_NoDB_Init() case, however, we aren't going to open any of these, so we need to skip past this check in that case. The rest of the patch seems fine...
Comment on attachment 562178 [details] [diff] [review] Proposed patch: make NSS_NoDB_Init try to open "" and "" instead of "/pkcs11.txt" and "/secmod.db" r- see comments in comment 3 The patch is pretty close. bob
Attachment #562178 - Flags: review?(rrelyea) → review-
Attached patch Update wtc's patch to use (obsolete) — Splinter Review
wtc, you can r+ and check in this version, or replace it with your own and request a review from me.
Attachment #562178 - Attachment is obsolete: true
Attachment #563870 - Flags: review?(wtc)
Attached patch Patch v3Splinter Review
Bob, I've reviewed and tested your patch. Thanks a lot! The only change I made is to reformat the comment block. For sftkdb_DeleteSecmodDB and sftkdb_AddSecmodDB, I assume it is an error for dbname to be NULL, so it would be inappropriate for these functions to be a no-op and return SECSuccess. Should they set an error code before returning SECFailure? Patch checked in on the NSS trunk (NSS 3.13). Checking in sftkmod.c; /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v <-- sftkmod.c new revision: 1.9; previous revision: 1.8 done Checking in sftkpars.c; /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v <-- sftkpars.c new revision: 1.12; previous revision: 1.11 done
Attachment #563870 - Attachment is obsolete: true
Attachment #563870 - Flags: review?(wtc)
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
> For sftkdb_DeleteSecmodDB and sftkdb_AddSecmodDB, I assume > it is an error for dbname to be NULL, so it would be > inappropriate for these functions to be a no-op and return > SECSuccess. Should they set an error code before returning > SECFailure? yes
Bob: which error code do you recommend? SEC_ERROR_LIBRARY_FAILURE (because this seems like a programming error) or SEC_ERROR_INVALID_ARGS? Or SEC_ERROR_JS_DEL_MOD_FAILURE and SEC_ERROR_JS_ADD_MOD_FAILURE?
dveditz, can you assign a CVE?
Whiteboard: [sg:moderate]
> Bob: which error code do you recommend? SEC_ERROR_LIBRARY_FAILURE > (because this seems like a programming error) or SEC_ERROR_INVALID_ARGS? > Or SEC_ERROR_JS_DEL_MOD_FAILURE and SEC_ERROR_JS_ADD_MOD_FAILURE? SEC_ERROR_INVALID_ARGS bob
Alias: CVE-2011-3640
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: