From 6a19b29d7380fa1af2a4218aa4689e8cd78bcb16 Mon Sep 17 00:00:00 2001
From: Chenxi Mao
Date: Mon, 19 Dec 2022 11:29:16 +0800
Subject: [PATCH] Fix NSS DB cannot be shutdown if certification cannot be found
In find_certificate_by_callback, function return -1 directly without free resource if node is null, that will lead to nss shut down failed. The error message as below: could not shut down NSS: NSS could not shutdown. Objects are still in use. To fix this issue, free all resources before function return -1.
References: bsn#381
Signed-off-by: Chenxi Mao
(cherry picked from commit 69547bbf03ed38151d879eeb6ded32010aef945b)
---
 ...urces-if-certificate-cannot-be-found.patch | 39 +++++++++++++++++++
 pesign.spec | 6 ++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 Bugfix-Free-resources-if-certificate-cannot-be-found.patch
diff --git a/Bugfix-Free-resources-if-certificate-cannot-be-found.patch b/Bugfix-Free-resources-if-certificate-cannot-be-found.patch
new file mode 100644
index 0000000..b128b2c
--- /dev/null
+++ b/Bugfix-Free-resources-if-certificate-cannot-be-found.patch
@@ -0,0 +1,39 @@
+From d8ea40d773dc1bcd90d8fc3b1f71ce49044ccef0 Mon Sep 17 00:00:00 2001
+From: Chenxi Mao
+Date: Tue, 13 Dec 2022 22:12:29 +0800
+Subject: [PATCH 1/1] Free resources if certificate cannot be found
+
+In find_certificate_by_callback, function return -1 directly without
+free resource if node is null, that will lead to nss shut down failed.
+
+The error message as below:
+could not shut down NSS: NSS could not shutdown. Objects are still in use.
+
+To fix this issue, free all resources before function return -1.
+
+Signed-off-by: Chenxi Mao
+---
+ src/cms_common.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 1c54c90..24576f2 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -878,8 +878,12 @@ find_certificate_by_callback(cms_context *cms,
+ }
+ }
+
+- if (!node)
++ if (!node) {
++ PK11_DestroySlotListElement(slots, &psle);
++ PK11_FreeSlotList(slots);
++ CERT_DestroyCertList(certlist);
+ cnreterr(-1, cms, "Could not find certificate");
++ }
+
+ *cert = CERT_DupCertificate(node->cert);
+
+--
+2.33.0
+
diff --git a/pesign.spec b/pesign.spec
index 6e5ee84..9de5142 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -2,7 +2,7 @@
 Name: pesign
 Summary: Signing utility for UEFI binaries
 Version: 115
-Release: 2
+Release: 3
 License: GPLv2
 URL: https://github.com/rhboot/pesign
 Source0: https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
@@ -17,6 +17,7 @@ BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz
 BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc
 Patch0001: Bugfix-cms_common-fix-cert-match-check.patch
+Patch0002: Bugfix-Free-resources-if-certificate-cannot-be-found.patch
 # Feature: support SM2 and SM3
 Patch9000: Feature-pesign-support-SM3-digest-algorithm.patch
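Review bot: The new `if (!node)` branch in the embedded src/cms_common.c hunk hand-copies the three release calls (`PK11_DestroySlotListElement`, `PK11_FreeSlotList`, `CERT_DestroyCertList`) in front of `cnreterr`, and nothing in the code says why they must run there. Since the commit message ties the leak to NSS refusing to shut down, a comment above them such as `/* release slot element, slot list and cert list before returning, or NSS shutdown fails with objects still in use */` would keep the next early return added here from repeating the leak. find_certificate_by_callback starts and ends outside the hunk, so its other exit paths cannot be checked from this page; presumably the success path releases the same three objects, and a single shared cleanup exit would keep the two copies from drifting apart. If `cnreterr` reports the current NSS error code, confirm the release calls cannot overwrite it before it is logged.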
@@ -98,6 +99,9 @@ exit 0
 %{_mandir}/man*/*
 %changelog
+* Mon Dec 19 2022 Chenxi Mao - 115-3
+- Free resources if certification cannot be found.
+
 * Sat Nov 12 2022 luhuaxin - 115-2
 - fix certificate chain bug
--
Gitee