Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 388045 (CVE-2011-3640) - <dev-libs/nss-3.12.11-r1 Insecure Library Loading Vulnerability (CVE-2011-3640)
Summary: <dev-libs/nss-3.12.11-r1 Insecure Library Loading Vulnerability (CVE-2011-3640)
Status: RESOLVED FIXED
Alias: CVE-2011-3640
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46557/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-10-21 21:24 UTC by Agostino Sarubbo
Modified: 2013-01-08 01:05 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-10-21 21:24:59 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to the "NSS_NoDB_Init()" function incorrectly constructing a file path for the "pkcs11.txt" configuration file. This can be exploited to load arbitrary security modules via the "library" directive when a configuration file is loaded from a remote WebDAV or SMB share.

Successful exploitation allows execution of arbitrary code.

Solution:
Fixed in the CVS repository.
https://bugzilla.mozilla.org/show_bug.cgi?id=641052
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-10-27 15:59:15 UTC
+*nss-3.12.11-r1 (27 Oct 2011)
+
+  27 Oct 2011; Lars Wendler <polynomial-c@gentoo.org> +nss-3.12.11-r1.ebuild,
+  +files/nss-3.12.11-CVE-2011-3640.patch:
+  Revbump to fix CVE-2011-3640 (bug #388045).
+
Comment 2 Agostino Sarubbo gentoo-dev 2011-10-27 16:15:01 UTC
Thanks Lars.

Arches, please test and mark stable:
=dev-libs/nss-3.12.11-r1
target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-10-27 16:23:14 UTC
That's not enough. In order to get nss-3.12.11-r1 stable we also need dev-libs/nspr-4.8.9 stable (it's a dependency of dev-libs/nss). 

So arches please test and mark stable:

=dev-libs/nspr-4.8.9
=dev-libs/nss-3.12.11-r1

Target keywords are:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Agostino Sarubbo gentoo-dev 2011-10-27 16:56:18 UTC
amd64: both ok
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-10-27 22:57:46 UTC
ditto Ago
Comment 6 Tony Vroon (RETIRED) gentoo-dev 2011-10-28 09:32:11 UTC
+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> nspr-4.8.9.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #388045.

+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> nss-3.12.11-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #388045.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-28 16:39:52 UTC
Stable for HPPA.
Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-10-30 12:39:24 UTC
x86 stable
Comment 9 Jory A. Pratt gentoo-dev 2011-10-31 21:25:15 UTC
Mozilla team is done here, readd if needed.
Comment 10 Markus Meier gentoo-dev 2011-11-05 21:11:14 UTC
arm stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2011-11-06 16:23:50 UTC
ppc done
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-11-19 19:51:34 UTC
alpha/ia64/sparc stable
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-11-25 17:31:42 UTC
ppc64 stable, last arch done
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-12-09 00:27:59 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2011-12-13 00:14:39 UTC
CVE-2011-3640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3640):
  ** DISPUTED ** Untrusted search path vulnerability in Mozilla Network
  Security Services (NSS), as used in Google Chrome before 17 on Windows and
  Mac OS X, might allow local users to gain privileges via a Trojan horse
  pkcs11.txt file in a top-level directory.  NOTE: the vendor's response was
  "Strange behavior, but we're not treating this as a security bug."
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:00 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).