From 4840fc1bda693acec52e89a7cbb6d162bd226709 Mon Sep 17 00:00:00 2001
From: Joe Slater
Date: Tue, 18 Jan 2022 14:16:18 -0500
Subject: [PATCH] nss: fix CVE-2021-43527

nss is vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. We update nss packages and nspr to the latest centos7 versions.
*** Testing ***
To be sure we will work with existing databases, before updating, create a database.
$ mkdir arf
$ echo "Pword22*" > arf/pass.
$ certutil -N -d arf -f arf/pass
$ certutil -G -d arf -f arf/pass # put a key pair in the database
Save the arf directory. Install an iso with the updated nss packages. Import arf. Then...
$ certutil -K -d arf -f arf/pass # display the keyID
$ certutil -G -d arf -f arf/pass # add a key
$ certutil -K -d arf -f arf/pass # display both keyID's
***
Closes-bug: 1957929
Change-Id: I960e42d1e361dace4443d6a052fe06206c6675dd
Signed-off-by: Joe Slater
---
 .../config/centos/compiler/rpms_centos.lst | 16 ++++++++--------
 .../centos/compiler/rpms_centos3rdparties.lst | 8 ++++----
 .../config/centos/distro/rpms_centos.lst | 16 ++++++++--------
 .../centos/distro/rpms_centos3rdparties.lst | 8 ++++----
 .../config/centos/flock/rpms_centos.lst | 12 ++++++------
 .../centos/flock/rpms_centos3rdparties.lst | 8 ++++----
 .../config/centos/mock/rpms_centos.lst | 10 +++++-----
 .../config/centos/mock/rpms_centos3rdparties.lst | 4 ++--
 8 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/centos-mirror-tools/config/centos/compiler/rpms_centos.lst b/centos-mirror-tools/config/centos/compiler/rpms_centos.lst
index 156aae82..3a074645 100644
--- a/centos-mirror-tools/config/centos/compiler/rpms_centos.lst
+++ b/centos-mirror-tools/config/centos/compiler/rpms_centos.lst
@@ -179,15 +179,15 @@ ncurses-devel-5.9-14.20130511.el7_4.x86_64.rpm
 # ncurses-libs-5.9-14.20130511.el7_4.x86_64.rpm provided by mock
 neon-0.30.0-3.el7.x86_64.rpm
 nettle-2.7.1-8.el7.x86_64.rpm
-# nspr-4.25.0-2.el7_9.x86_64.rpm provided by mock
-nspr-devel-4.25.0-2.el7_9.x86_64.rpm
-# nss-3.53.1-3.el7_9.x86_64.rpm provided by mock
-nss-devel-3.53.1-3.el7_9.x86_64.rpm
+# nspr-4.32.0-1.el7_9.x86_64.rpm provided by mock
+nspr-devel-4.32.0-1.el7_9.x86_64.rpm
+# nss-3.67.0-4.el7_9.x86_64.rpm provided by mock
+nss-devel-3.67.0-4.el7_9.x86_64.rpm
 # nss-pem-1.0.3-5.el7.x86_64.rpm provided by mock
-# nss-sysinit-3.53.1-3.el7_9.x86_64.rpm provided by mock
-# nss-tools-3.53.1-3.el7_9.x86_64.rpm provided by mock
-# nss-util-3.53.1-1.el7_9.x86_64.rpm provided by mock
-nss-util-devel-3.53.1-1.el7_9.x86_64.rpm
+# nss-sysinit-3.67.0-4.el7_9.x86_64.rpm provided by mock
+# nss-tools-3.67.0-4.el7_9.x86_64.rpm provided by mock
+# nss-util-3.67.0-1.el7_9.x86_64.rpm provided by mock
+nss-util-devel-3.67.0-1.el7_9.x86_64.rpm
 openssh-7.4p1-21.el7.x86_64.rpm
 openssh-clients-7.4p1-21.el7.x86_64.rpm
 openssl-devel-1.0.2k-16.el7.x86_64.rpm
diff --git a/centos-mirror-tools/config/centos/compiler/rpms_centos3rdparties.lst b/centos-mirror-tools/config/centos/compiler/rpms_centos3rdparties.lst
index f9d2879a..5702998f 100644
--- a/centos-mirror-tools/config/centos/compiler/rpms_centos3rdparties.lst
+++ b/centos-mirror-tools/config/centos/compiler/rpms_centos3rdparties.lst
@@ -22,10 +22,10 @@ mesa-libgbm-18.0.5-3.el7.x86_64.rpm
 mesa-libGL-18.0.5-3.el7.x86_64.rpm
 mesa-libglapi-18.0.5-3.el7.x86_64.rpm
 mesa-libGL-devel-18.0.5-3.el7.x86_64.rpm
-# nss-softokn-3.53.1-6.el7_9.x86_64.rpm provided by mock
-nss-softokn-devel-3.53.1-6.el7_9.x86_64.rpm
-# nss-softokn-freebl-3.53.1-6.el7_9.x86_64.rpm provided by mock
-nss-softokn-freebl-devel-3.53.1-6.el7_9.x86_64.rpm
+# nss-softokn-3.67.0-3.el7_9.x86_64.rpm provided by mock
+nss-softokn-devel-3.67.0-3.el7_9.x86_64.rpm
+# nss-softokn-freebl-3.67.0-3.el7_9.x86_64.rpm provided by mock
+nss-softokn-freebl-devel-3.67.0-3.el7_9.x86_64.rpm
 # openldap-2.4.44-20.el7.x86_64.rpm provided by mock
 # systemd-219-78.el7_9.3.x86_64.rpm provided by mock
 # systemd-devel-219-78.el7_9.3.x86_64.rpm provided by mock
diff --git a/centos-mirror-tools/config/centos/distro/rpms_centos.lst b/centos-mirror-tools/config/centos/distro/rpms_centos.lst
index ac90b99c..37a2259b 100644
--- a/centos-mirror-tools/config/centos/distro/rpms_centos.lst
+++ b/centos-mirror-tools/config/centos/distro/rpms_centos.lst
@@ -597,15 +597,15 @@ newt-0.52.15-4.el7.x86_64.rpm
 newt-devel-0.52.15-4.el7.x86_64.rpm
 nfs-utils-1.3.0-0.61.el7.x86_64.rpm
 nmap-ncat-6.40-16.el7.x86_64.rpm
-# nspr-4.25.0-2.el7_9.x86_64.rpm provided by mock
-nspr-devel-4.25.0-2.el7_9.x86_64.rpm
-# nss-3.53.1-3.el7_9.x86_64.rpm provided by mock
-nss-devel-3.53.1-3.el7_9.x86_64.rpm
+# nspr-4.32.0-1.el7_9.x86_64.rpm provided by mock
+nspr-devel-4.32.0-1.el7_9.x86_64.rpm
+# nss-3.67.0-4.el7_9.x86_64.rpm provided by mock
+nss-devel-3.67.0-4.el7_9.x86_64.rpm
 # nss-pem-1.0.3-5.el7.x86_64.rpm provided by mock
-# nss-sysinit-3.53.1-3.el7_9.x86_64.rpm provided by mock
-# nss-tools-3.53.1-3.el7_9.x86_64.rpm provided by mock
-# nss-util-3.53.1-1.el7_9.x86_64.rpm provided by mock
-nss-util-devel-3.53.1-1.el7_9.x86_64.rpm
+# nss-sysinit-3.67.0-4.el7_9.x86_64.rpm provided by mock
+# nss-tools-3.67.0-4.el7_9.x86_64.rpm provided by mock
+# nss-util-3.67.0-1.el7_9.x86_64.rpm provided by mock
+nss-util-devel-3.67.0-1.el7_9.x86_64.rpm
 numactl-devel-2.0.9-7.el7.x86_64.rpm
 numactl-libs-2.0.9-7.el7.x86_64.rpm
 nvme-cli-1.8.1-3.el7.x86_64.rpm
diff --git a/centos-mirror-tools/config/centos/distro/rpms_centos3rdparties.lst b/centos-mirror-tools/config/centos/distro/rpms_centos3rdparties.lst
index 1de43e58..d6d77355 100644
--- a/centos-mirror-tools/config/centos/distro/rpms_centos3rdparties.lst
+++ b/centos-mirror-tools/config/centos/distro/rpms_centos3rdparties.lst
@@ -52,10 +52,10 @@ mesa-libglapi-18.0.5-3.el7.x86_64.rpm
 mesa-libGL-devel-18.0.5-3.el7.x86_64.rpm
 NetworkManager-glib-1.12.0-8.el7_6.x86_64.rpm
 NetworkManager-glib-devel-1.12.0-8.el7_6.x86_64.rpm
-# nss-softokn-3.53.1-6.el7_9.x86_64.rpm provided by mock
-nss-softokn-devel-3.53.1-6.el7_9.x86_64.rpm
-# nss-softokn-freebl-3.53.1-6.el7_9.x86_64.rpm provided by mock
-nss-softokn-freebl-devel-3.53.1-6.el7_9.x86_64.rpm
+# nss-softokn-3.67.0-3.el7_9.x86_64.rpm provided by mock
+nss-softokn-devel-3.67.0-3.el7_9.x86_64.rpm
+# nss-softokn-freebl-3.67.0-3.el7_9.x86_64.rpm provided by mock
+nss-softokn-freebl-devel-3.67.0-3.el7_9.x86_64.rpm
 # openldap-2.4.44-20.el7.x86_64.rpm provided by mock
 policycoreutils-2.5-29.el7.x86_64.rpm
 policycoreutils-devel-2.5-29.el7.x86_64.rpm
diff --git a/centos-mirror-tools/config/centos/flock/rpms_centos.lst b/centos-mirror-tools/config/centos/flock/rpms_centos.lst
index 7297b30b..3d266240 100644
--- a/centos-mirror-tools/config/centos/flock/rpms_centos.lst
+++ b/centos-mirror-tools/config/centos/flock/rpms_centos.lst
@@ -597,15 +597,15 @@ ndctl-libs-65-5.el7.x86_64.rpm
 nfs-utils-1.3.0-0.61.el7.x86_64.rpm
 nmap-ncat-6.40-16.el7.x86_64.rpm
 nscd-2.17-323.el7_9.x86_64.rpm
-# nspr-4.25.0-2.el7_9.x86_64.rpm provided by mock
-# nss-3.53.1-3.el7_9.x86_64.rpm provided by mock
+# nspr-4.32.0-1.el7_9.x86_64.rpm provided by mock
+# nss-3.67.0-4.el7_9.x86_64.rpm provided by mock
 nss_compat_ossl-0.9.6-8.el7.x86_64.rpm
 nss-pam-ldapd-0.8.13-16.el7.x86_64.rpm
 # nss-pem-1.0.3-5.el7.x86_64.rpm provided by mock
-# nss-sysinit-3.53.1-3.el7_9.x86_64.rpm provided by mock
-# nss-tools-3.53.1-3.el7_9.x86_64.rpm provided by mock
-# nss-util-3.53.1-1.el7_9.x86_64.rpm provided by mock
-nss-util-devel-3.53.1-1.el7_9.x86_64.rpm
+# nss-sysinit-3.67.0-4.el7_9.x86_64.rpm provided by mock
+# nss-tools-3.67.0-4.el7_9.x86_64.rpm provided by mock
+# nss-util-3.67.0-1.el7_9.x86_64.rpm provided by mock
+nss-util-devel-3.67.0-1.el7_9.x86_64.rpm
 numactl-devel-2.0.9-7.el7.x86_64.rpm
 numactl-libs-2.0.9-7.el7.x86_64.rpm
 nvme-cli-1.8.1-3.el7.x86_64.rpm
diff --git a/centos-mirror-tools/config/centos/flock/rpms_centos3rdparties.lst b/centos-mirror-tools/config/centos/flock/rpms_centos3rdparties.lst
index 4cb78e1c..c053cdb9 100644
--- a/centos-mirror-tools/config/centos/flock/rpms_centos3rdparties.lst
+++ b/centos-mirror-tools/config/centos/flock/rpms_centos3rdparties.lst
@@ -43,10 +43,10 @@ libtevent-0.9.39-1.el7.x86_64.rpm
 libwbclient-4.10.16-5.el7.x86_64.rpm
 lvm2-2.02.177-4.el7.x86_64.rpm
 lvm2-libs-2.02.177-4.el7.x86_64.rpm
-# nss-softokn-3.53.1-6.el7_9.x86_64.rpm provided by mock
-nss-softokn-devel-3.53.1-6.el7_9.x86_64.rpm
-# nss-softokn-freebl-3.53.1-6.el7_9.x86_64.rpm provided by mock
-nss-softokn-freebl-devel-3.53.1-6.el7_9.x86_64.rpm
+# nss-softokn-3.67.0-3.el7_9.x86_64.rpm provided by mock
+nss-softokn-devel-3.67.0-3.el7_9.x86_64.rpm
+# nss-softokn-freebl-3.67.0-3.el7_9.x86_64.rpm provided by mock
+nss-softokn-freebl-devel-3.67.0-3.el7_9.x86_64.rpm
 ntfs-3g-2017.3.23-11.el7.x86_64.rpm
 ntfs-3g-devel-2017.3.23-11.el7.x86_64.rpm
 ntfsprogs-2017.3.23-11.el7.x86_64.rpm
diff --git a/centos-mirror-tools/config/centos/mock/rpms_centos.lst b/centos-mirror-tools/config/centos/mock/rpms_centos.lst
index 939e55da..5b09105d 100644
--- a/centos-mirror-tools/config/centos/mock/rpms_centos.lst
+++ b/centos-mirror-tools/config/centos/mock/rpms_centos.lst
@@ -95,12 +95,12 @@ mpfr-3.1.1-4.el7.x86_64.rpm
 ncurses-5.9-14.20130511.el7_4.x86_64.rpm
 ncurses-base-5.9-14.20130511.el7_4.noarch.rpm
 ncurses-libs-5.9-14.20130511.el7_4.x86_64.rpm
-nspr-4.25.0-2.el7_9.x86_64.rpm
-nss-3.53.1-3.el7_9.x86_64.rpm
+nspr-4.32.0-1.el7_9.x86_64.rpm
+nss-3.67.0-4.el7_9.x86_64.rpm
 nss-pem-1.0.3-5.el7.x86_64.rpm
-nss-sysinit-3.53.1-3.el7_9.x86_64.rpm
-nss-tools-3.53.1-3.el7_9.x86_64.rpm
-nss-util-3.53.1-1.el7_9.x86_64.rpm
+nss-sysinit-3.67.0-4.el7_9.x86_64.rpm
+nss-tools-3.67.0-4.el7_9.x86_64.rpm
+nss-util-3.67.0-1.el7_9.x86_64.rpm
 openldap-2.4.44-20.el7.x86_64.rpm
 openssl-libs-1.0.2k-16.el7.x86_64.rpm
 p11-kit-0.23.5-3.el7.x86_64.rpm
diff --git a/centos-mirror-tools/config/centos/mock/rpms_centos3rdparties.lst b/centos-mirror-tools/config/centos/mock/rpms_centos3rdparties.lst
index 8411067e..2062c1d5 100644
--- a/centos-mirror-tools/config/centos/mock/rpms_centos3rdparties.lst
+++ b/centos-mirror-tools/config/centos/mock/rpms_centos3rdparties.lst
@@ -9,8 +9,8 @@ ima-evm-utils-1.1-2.el7.x86_64.rpm
 libblkid-2.23.2-59.el7.x86_64.rpm
 libcom_err-1.42.9-13.el7.x86_64.rpm
 libsemanage-2.5-14.el7.x86_64.rpm
-nss-softokn-3.53.1-6.el7_9.x86_64.rpm
-nss-softokn-freebl-3.53.1-6.el7_9.x86_64.rpm
+nss-softokn-3.67.0-3.el7_9.x86_64.rpm
+nss-softokn-freebl-3.67.0-3.el7_9.x86_64.rpm
 systemd-219-78.el7_9.3.x86_64.rpm
 systemd-devel-219-78.el7_9.3.x86_64.rpm
 systemd-libs-219-78.el7_9.3.x86_64.rpm