From $URL: Good afternoon. Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017 and as of this notification have not been resolved and as such, I am disclosing them to the public so that anyone making use of NSS is aware that these exist. Please note that as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.

What is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository (https://hg.mozilla.org/projects/nss) and can all be triggered using the NSS tool `certutil` and malformed `cert8.db` files which I have uploaded to https://github.com/geeknik/cve-fuzzing-poc.

CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105) https://bugzilla.mozilla.org/show_bug.cgi?id=1360782
CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241) https://bugzilla.mozilla.org/show_bug.cgi?id=1360778
CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229) https://bugzilla.mozilla.org/show_bug.cgi?id=1360900
CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704) https://bugzilla.mozilla.org/show_bug.cgi?id=1360779

These flaws were discovered by Brian Carpenter of Geeknik Labs (http://www.geeknik.net) using the American Fuzzy Lop tool.
Maintainer(s), please advise, this looks like it has gotten lost in Bugzilla, can you please advise if this is fixed?
(In reply to Yury German from comment #1)
> Maintainer(s), please advise, this looks like it has gotten lost in
> Bugzilla, can you please advise if this is fixed?

Important comment from Mozilla about the status of this:

"I'm sorry this bug didn't get suitable, timely attention, nor follow-up. This CVE was not tracked in Mozilla's lists (since the CVE wasn't allocated by us), and both age and turnover in the NSS team led to it being dropped.

This bug and its peers from the 9 Aug 2017 disclosure [0] are all in libnssdbm, which has been replaced by a SQLite datastore, starting in NSS 3.12 in 2008 [1]. In 2018, Firefox 60 and NSS 3.35 made SQLite the default [2], and in Bug 1594931 (Firefox 73) and Bug 1594933 (NSS 3.49) we will stop building this legacy database by default [3][4].

These bugs are real and easily demonstrated, but require local modification of the profile directory, and thus are difficult to exploit widely. The underlying causes are deep within DBM, which was legacy ndbm code even back unto the first commits of NSS in Netscape. Fixing these issues is effectively fixing structural problems with the serialization layer of ndbm from the early 1990s. Unfortunately, these bugs are not shallow.

The solution is to move to the SQLite format and leave this deprecated, legacy code until we can remove it entirely in the early 2020s. For that reason, I am closing this and its peer bugs as WONTFIX. As [0] already disclosed the bugs, I am going to open them up as well to explain this publicly."

https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9
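The Mozilla comment above makes the mitigation a deployment question: profiles that still use the legacy dbm files (cert8.db/key3.db) remain on the libnssdbm code that will not be fixed, while profiles on the SQLite backend (cert9.db/key4.db) are not affected. As an added example that is not part of this bug thread or of NSS's own tooling, the Python audit below classifies NSS database directories by which backend they use and flags legacy files whose dbm header does not even carry the expected magic. The dbm magic and version values (0x061561 and 2) are taken from the Berkeley DB 1.85 hash.h that NSS's lib/dbm descends from, and the cert9.db/key4.db/pkcs11.txt names from NSS's SQLite backend; none of these appear on this page, so treat them as assumptions. The sample directories it scans are constructed in a temporary directory, not real profiles.

```python
"""Audit NSS database directories: legacy dbm (cert8.db/key3.db) versus
SQLite (cert9.db/key4.db). Added example, not code from the bug thread."""
import os
import shutil
import struct
import tempfile

# Assumed from Berkeley DB 1.85 hash.h, the ancestor of NSS lib/dbm:
# HASHMAGIC 0x061561 and HASHVERSION 2 open every dbm hash file header.
HASHMAGIC = 0x061561
HASHVERSION = 2
# Well-known SQLite 3 file header; the cert9/key4 backend is SQLite.
SQLITE_MAGIC = b"SQLite format 3\x00"

LEGACY_DBM_FILES = ("cert8.db", "key3.db")          # libnssdbm backend
SQLITE_FILES = ("cert9.db", "key4.db", "pkcs11.txt")  # SQLite backend


def dbm_header_ok(path):
    """True if the first 8 bytes read as a dbm hash header (magic, version)
    in either byte order. A mismatch means the file is not a sane dbm
    database; a match says nothing about the rest of the header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8)
    except OSError:
        return False
    if len(head) < 8:
        return False
    for fmt in ("<ii", ">ii"):  # dbm stores the header in writer byte order
        magic, version = struct.unpack(fmt, head)
        if magic == HASHMAGIC and version == HASHVERSION:
            return True
    return False


def classify_profile(directory):
    """Return 'sqlite', 'legacy-dbm', 'legacy-dbm-corrupt', 'mixed' or 'empty'."""
    present = set(os.listdir(directory))
    has_sqlite = any(name in present for name in SQLITE_FILES)
    legacy = [name for name in LEGACY_DBM_FILES if name in present]
    if not legacy and not has_sqlite:
        return "empty"
    if legacy and has_sqlite:
        return "mixed"          # upgraded profile still carrying dbm files
    if has_sqlite:
        return "sqlite"
    for name in legacy:
        if not dbm_header_ok(os.path.join(directory, name)):
            return "legacy-dbm-corrupt"
    return "legacy-dbm"


def make_sample_profiles(base):
    """Create constructed sample directories under `base`, one per class."""
    def write(subdir, name, data):
        path = os.path.join(base, subdir)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, name), "wb") as fh:
            fh.write(data)
        return path

    dbm_le = struct.pack("<ii", HASHMAGIC, HASHVERSION) + b"\x00" * 56
    dbm_be = struct.pack(">ii", HASHMAGIC, HASHVERSION) + b"\x00" * 56
    samples = {}
    samples["legacy"] = write("legacy", "cert8.db", dbm_le)
    write("legacy", "key3.db", dbm_be)
    samples["sqlite"] = write("sqlite", "cert9.db", SQLITE_MAGIC + b"\x00" * 48)
    # Four bytes of 0xff: not even a complete magic+version pair.
    samples["corrupt"] = write("corrupt", "cert8.db", b"\xff" * 4)
    samples["mixed"] = write("mixed", "cert8.db", dbm_le)
    write("mixed", "cert9.db", SQLITE_MAGIC + b"\x00" * 48)
    return samples


def run_demo():
    """Build the constructed samples in a temp dir and classify each."""
    base = tempfile.mkdtemp(prefix="nss-audit-")
    try:
        return {name: classify_profile(path)
                for name, path in make_sample_profiles(base).items()}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{name:8s} -> {verdict}")
```

On a real system the directories to pass to `classify_profile` are the NSS database locations in use (for example a Firefox profile directory or a directory an application opens with `certutil -d`); anything reported as `legacy-dbm` or `mixed` still depends on the code path these CVEs live in, and `legacy-dbm-corrupt` is a file that the legacy opener would be asked to parse anyway.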
Added to an existing GLSA. We need to stabilize >=dev-libs/nss-3.49 to ensure that the affected libraries are no longer present.
An automated check of this bug failed - repoman reported dependency errors (203 lines truncated):

> dependency.bad dev-libs/nss/nss-3.51.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/nss/nss-3.51.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/nss/nss-3.51.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
sparc stable
This issue was resolved and addressed in GLSA 202003-37 at https://security.gentoo.org/glsa/202003-37 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
Looks like the re-opening comment and glsa+ went to the wrong place, with not even amd64 done here? arm64 stable
amd64 stable
s390 stable
ppc stable
ppc64 stable
ia64 stable
x86 stable
hppa stable
arm stable. Maintainer(s), please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0cb2ef179d11014b83d4f5547949fcc057b4951

commit e0cb2ef179d11014b83d4f5547949fcc057b4951
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-31 17:48:42 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-31 17:50:38 +0000

    dev-libs/nss: security cleanup (#627534)

    Bug: https://bugs.gentoo.org/627534
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/nss/Manifest                        |   5 -
 dev-libs/nss/files/nss-3.47-enable-pem.patch |  11 -
 dev-libs/nss/metadata.xml                    |   1 -
 dev-libs/nss/nss-3.47.1-r1.ebuild            | 375 ---------------------------
 dev-libs/nss/nss-3.48-r1.ebuild              | 375 ---------------------------
 dev-libs/nss/nss-3.49.2.ebuild               | 375 ---------------------------
 dev-libs/nss/nss-3.50-r1.ebuild              | 359 -------------------------
 7 files changed, 1501 deletions(-)
Repository is clean, all done!