Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 280226 (CVE-2009-2404)

Summary: <dev-libs/nss-3.12.3 multiple vulnerabilites (CVE-2009-{2404,2408})
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=512912
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 280837, 280839    
Bug Blocks:    

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-08-03 22:06:25 UTC 
CVE-2009-2404 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2404):
  Heap-based buffer overflow in a regular-expression parser in Mozilla
  Network Security Services (NSS) before 3.12.3, as used in Firefox,
  Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger
  (AIM), allows remote SSL servers to cause a denial of service
  (application crash) or possibly execute arbitrary code via a long
  domain name in the subject's Common Name (CN) field of an X.509
  certificate, related to the cert_TestHostName function.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 23:11:33 UTC 
CVE-2009-2408 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2408):
  Mozilla Network Security Services (NSS) before 3.12.3, Firefox before
  3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do
  not properly handle a '\0' character in a domain name in the subject's
  Common Name (CN) field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a
  crafted certificate issued by a legitimate Certification Authority.
  NOTE: this was originally reported for Firefox before 3.5.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-04 18:50:45 UTC 
Re-rating A3.
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:03 UTC 
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:51:31 UTC 
Added to existing GLSA request.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:21 UTC 
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).