564834 – <dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer overflow, integer overflow (CVE-2015-{7181,7182,7183})

Bug 564834 - <dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer overflow, integer overflow (CVE-2015-{7181,7182,7183})

Summary: <dev-libs/nspr-4.10.10, <dev-libs/nss-3.20.1: use-after-poison, buffer overfl...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://www.mozilla.org/en-US/securit...
Whiteboard:	A2 [glsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2015-11-03 20:19 UTC by Hanno Böck
Modified:	2016-05-31 06:05 UTC (History)
CC List:	6 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Hanno Böck gentoo-dev

2015-11-03 20:19:00 UTC

From Mozilla's advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-133/

"Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.

Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS."

Maintainers, please update.

Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev

2015-11-05 02:16:20 UTC

Ebuilds for both packages are in the tree now.  Arches, please stabilize:

dev-libs/nspr-4.10.10

dev-libs/nss-3.20.1

Comment 2 Agostino Sarubbo gentoo-dev

2015-11-05 10:06:54 UTC

amd64 stable

Comment 3 Agostino Sarubbo gentoo-dev

2015-11-05 10:07:53 UTC

x86 stable

Comment 4 Jeroen Roovers (RETIRED) gentoo-dev

2015-11-06 04:21:46 UTC

Stable for HPPA PPC64.

Comment 5 Agostino Sarubbo gentoo-dev

2015-11-09 08:54:18 UTC

ppc stable

Comment 6 Markus Meier gentoo-dev

2015-11-14 16:52:26 UTC

arm stable

Comment 7 Matt Turner gentoo-dev

2015-11-15 18:27:12 UTC

alpha stable

Comment 8 Agostino Sarubbo gentoo-dev

2015-11-18 09:33:42 UTC

ia64 stable

Comment 9 Mikle Kolyada (RETIRED) archtester

2015-12-27 10:04:28 UTC

sparc stable

Comment 10 Yury German Gentoo Infrastructure

2015-12-31 08:04:24 UTC

Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Comment 11 Yury German Gentoo Infrastructure

2016-01-26 02:16:40 UTC

It has been 30 days since last request.
Maintainer(s), please drop the vulnerable version(s).

Comment 12 GLSAMaker/CVETool Bot gentoo-dev

2016-05-31 05:55:01 UTC

This issue was resolved and addressed in
 GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06
by GLSA coordinator Yury German (BlueKnight).