From 282c6dc18d62c3df75f553b01a162ebe87bd5e77 Mon Sep 17 00:00:00 2001
From: Mathieu Dubois-Briand
Date: Thu, 8 Dec 2022 16:17:30 +0100
Subject: [PATCH 1/2] nss: Add missing CVE product

Signed-off-by: Mathieu Dubois-Briand
---
 meta-oe/recipes-support/nss/nss_3.74.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb
index 591b12a917a..73701393e6b 100644
--- a/meta-oe/recipes-support/nss/nss_3.74.bb
+++ b/meta-oe/recipes-support/nss/nss_3.74.bb
@@ -280,5 +280,7 @@ RDEPENDS:${PN}-smime = "perl"
 BBCLASSEXTEND = "native nativesdk"
+CVE_PRODUCT += "network_security_services"
+
 # CVE-2006-5201 affects only Sun Solaris
 CVE_CHECK_IGNORE += "CVE-2006-5201"
From 910f40c38567e5c7d90ad8140b7009859cde4c22 Mon Sep 17 00:00:00 2001
From: Mathieu Dubois-Briand
Date: Thu, 8 Dec 2022 15:23:45 +0100
Subject: [PATCH 2/2] nss: Whitelist CVEs related to libnssdbm

These CVEs only affect libnssdbm, compiled when --enable-legacy-db is used.
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778#c8
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900#c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9
Signed-off-by: Mathieu Dubois-Briand
---
 meta-oe/recipes-support/nss/nss_3.74.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb
index 73701393e6b..4a9482fca47 100644
--- a/meta-oe/recipes-support/nss/nss_3.74.bb
+++ b/meta-oe/recipes-support/nss/nss_3.74.bb
@@ -284,3 +284,7 @@ CVE_PRODUCT += "network_security_services"
 # CVE-2006-5201 affects only Sun Solaris
 CVE_CHECK_IGNORE += "CVE-2006-5201"
+
+# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect
+# the legacy db (libnssdbm), only compiled with --enable-legacy-db.
+CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
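Review bot: `CVE_PRODUCT += "network_security_services"` in the first patch's hunk (`@@ -280,5 +280,7 @@`) may replace the default product name rather than extend it, because a non-override `+=` in BitBake does not pick up a weak default. If the CVE-check class supplies the recipe name through `??=` (that class is not visible here, so this needs confirming), the final value holds only `network_security_services` and CVEs filed under the recipe's own name `nss` would no longer be matched. Spelling the list out removes the dependency on parse order: `CVE_PRODUCT = "nss network_security_services"`.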
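Review bot: The `CVE_CHECK_IGNORE` entry added at the end of the second patch's hunk (`@@ -284,3 +284,7 @@`) is unconditional, while its justification depends on a build option: the comment says the four CVEs apply only when libnssdbm is compiled. The recipe's build configuration is outside the hunk, so whether this recipe ever builds the legacy DB cannot be confirmed from here; if it does, or a later change or bbappend enables it, the scanner will stay silent about code that is shipped. I would record the condition and the upstream references from the commit message next to the entry, for example `# Re-check if the legacy DB (libnssdbm) is ever enabled; see Mozilla bugs 1360782, 1360778, 1360900, 1360779.`, and fix the `CVES` typo in the existing comment.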