nss: CVE-2014-1492 Upstream-Status: Backport the patch comes from: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1492 https://bugzilla.mozilla.org/show_bug.cgi?id=903885 changeset: 11063:709d4e597979 user: Kai Engert date: Wed Mar 05 18:38:55 2014 +0100 summary: Bug 903885, address requests to clarify comments from wtc changeset: 11046:2ffa40a3ff55 tag: tip user: Wan-Teh Chang date: Tue Feb 25 18:17:08 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling v4, r=kaie changeset: 11045:15ea62260c21 user: Christian Heimes date: Mon Feb 24 17:50:25 2014 +0100 summary: Bug 903885, fix IDNA wildcard handling, r=kaie Signed-off-by: Li Wang --- nss/lib/certdb/certdb.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/nss/lib/certdb/certdb.c b/nss/lib/certdb/certdb.c index b7d22bd..91877b7 100644 --- a/nss/lib/certdb/certdb.c +++ b/nss/lib/certdb/certdb.c @@ -1381,7 +1381,7 @@ cert_TestHostName(char * cn, const char * hn) return rv; } } else { - /* New approach conforms to RFC 2818. */ + /* New approach conforms to RFC 6125. */ char *wildcard = PORT_Strchr(cn, '*'); char *firstcndot = PORT_Strchr(cn, '.'); char *secondcndot = firstcndot ? PORT_Strchr(firstcndot+1, '.') : NULL; @@ -1390,14 +1390,17 @@ cert_TestHostName(char * cn, const char * hn) /* For a cn pattern to be considered valid, the wildcard character... * - may occur only in a DNS name with at least 3 components, and * - may occur only as last character in the first component, and - * - may be preceded by additional characters + * - may be preceded by additional characters, and + * - must not be preceded by an IDNA ACE prefix (xn--) */ if (wildcard && secondcndot && secondcndot[1] && firsthndot - && firstcndot - wildcard == 1 - && secondcndot - firstcndot > 1 - && PORT_Strrchr(cn, '*') == wildcard + && firstcndot - wildcard == 1 /* wildcard is last char in first component */ + && secondcndot - firstcndot > 1 /* second component is non-empty */ + && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */ && !PORT_Strncasecmp(cn, hn, wildcard - cn) - && !PORT_Strcasecmp(firstcndot, firsthndot)) { + && !PORT_Strcasecmp(firstcndot, firsthndot) + /* If hn starts with xn--, then cn must start with wildcard */ + && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) { /* valid wildcard pattern match */ return SECSuccess; } -- 1.7.9.5