From 7bc1e27b79e89a51e175563653d4b5abb118ad12 Mon Sep 17 00:00:00 2001
From: panzhe0328 <panzhe@kylinos.cn>
Date: Mon, 30 Jun 2025 13:51:19 +0800
Subject: [PATCH] fix cve-2023-0767

---
 cve-2023-0767.patch | 92 +++++++++++++++++++++++++++++++++++++++++++++
 nss.spec            |  7 +++-
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 cve-2023-0767.patch

diff --git a/cve-2023-0767.patch b/cve-2023-0767.patch
new file mode 100644
index 0000000..fc5d4fa
--- /dev/null
+++ b/cve-2023-0767.patch
@@ -0,0 +1,92 @@
+diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
+--- a/lib/pkcs12/p12d.c
++++ b/lib/pkcs12/p12d.c
+@@ -335,35 +335,42 @@
+     sec_PKCS12SafeContentsContext *safeContentsCtx =
+         (sec_PKCS12SafeContentsContext *)arg;
+     SEC_PKCS12DecoderContext *p12dcx;
+     SECStatus rv;
+ 
+-    /* make sure that we are not skipping the current safeBag,
+-     * and that there are no errors.  If so, just return rather
+-     * than continuing to process.
+-     */
+-    if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
+-        safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++    if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
+         return;
+     }
+     p12dcx = safeContentsCtx->p12dcx;
+ 
++    /* make sure that there are no errors and we are not skipping the current safeBag */
++    if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
++        goto loser;
++    }
++
+     rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
+     if (rv != SECSuccess) {
+         p12dcx->errorValue = PORT_GetError();
++        p12dcx->error = PR_TRUE;
++        goto loser;
++    }
++
++    /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
++     * may not get another opportunity to clean up the decoder context.
++     */
++    if (safeContentsCtx->skipCurrentSafeBag) {
+         goto loser;
+     }
+ 
+     return;
+ 
+ loser:
+-    /* set the error, and finish the decoder context.  because there
++    /* Finish the decoder context. Because there
+      * is not a way of returning an error message, it may be worth
+      * while to do a check higher up and finish any decoding contexts
+      * that are still open.
+      */
+-    p12dcx->error = PR_TRUE;
+     SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
+     safeContentsCtx->currentSafeBagA1Dcx = NULL;
+     return;
+ }
+ 
+diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h
+--- a/lib/pkcs12/p12t.h
++++ b/lib/pkcs12/p12t.h
+@@ -71,10 +71,11 @@
+         SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
+         sec_PKCS12CertBag *certBag;
+         sec_PKCS12CRLBag *crlBag;
+         sec_PKCS12SecretBag *secretBag;
+         sec_PKCS12SafeContents *safeContents;
++        SECItem *unknownBag;
+     } safeBagContent;
+ 
+     sec_PKCS12Attribute **attribs;
+ 
+     /* used locally */
+diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c
+--- a/lib/pkcs12/p12tmpl.c
++++ b/lib/pkcs12/p12tmpl.c
+@@ -28,16 +28,16 @@
+ 
+     safeBag = (sec_PKCS12SafeBag *)src_or_dest;
+ 
+     oiddata = SECOID_FindOID(&safeBag->safeBagType);
+     if (oiddata == NULL) {
+-        return SEC_ASN1_GET(SEC_AnyTemplate);
++        return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+     }
+ 
+     switch (oiddata->offset) {
+         default:
+-            theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
++            theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_KEY_BAG_ID:
+             theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
+             break;
+         case SEC_OID_PKCS12_V1_CERT_BAG_ID:
+
diff --git a/nss.spec b/nss.spec
index 04e4131..33e5a7d 100644
--- a/nss.spec
+++ b/nss.spec
@@ -14,7 +14,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          11
+Release:          12
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Provides:         nss-system-init
@@ -48,6 +48,7 @@ Patch5:           backport-0001-CVE-2020-12403.patch
 Patch6:           backport-0002-CVE-2020-12403.patch
 Patch7:           backport-Bug-1666891-Add-PK11_Pub-Wrap-Unwrap.patch
 Patch8:           backport-CVE-2022-22747-Bug-1735028-check-for-missing.patch
+Patch9:           cve-2023-0767.patch
 
 Patch6000:        backport-CVE-2021-43527.patch
 
@@ -142,6 +143,7 @@ Help document for NSS
 pushd nss
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 %patch6000 -p1
 popd
 
@@ -564,6 +566,9 @@ update-crypto-policies &> /dev/null || :
 %doc %{_mandir}/man*
 
 %changelog
+* Mon Jun 30 2025 panzhe <panzhe@kylinos.cn> - 3.54.0-12
+- fix cve-2023-0767
+
 * Tue May 20 2025 steven <steven_ygui@163.com> - 3.54.0-11
 - fix cve-2022-22747
 
-- 
Gitee