Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 827946 (CVE-2021-43527, MFSA-2021-51) - <dev-libs/nss-{3.68.1, 3.73}: Heap overflow when verifying DSA/RSA-PSS DER-encoded signatures (CVE-2021-43527)
Summary: <dev-libs/nss-{3.68.1, 3.73}: Heap overflow when verifying DSA/RSA-PSS DER-en...
Status: RESOLVED FIXED
Alias: CVE-2021-43527, MFSA-2021-51
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa+]
Keywords:
Depends on: 827951
Blocks:
  Show dependency tree
 
Reported: 2021-12-01 16:55 UTC by Sam James
Modified: 2022-12-19 02:32 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 16:55:53 UTC
From https://marc.info/?l=oss-security&m=163837712525728&w=2:

"NSS (Network Security Services) versions prior to 3.73 are vulnerable
to a heap overflow when handling DER-encoded DSA or RSA-PSS
signatures. Applications using NSS for handling signatures encoded
within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted.
Applications using NSS for certificate validation or other TLS, X.509,
OCSP or CRL functionality may be impacted, depending on how they
configure NSS.

This vulnerability does NOT impact Mozilla Firefox, Tor Browser or
Chromium. However, other applications that use NSS for signature
verification are likely to be impacted."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 16:56:21 UTC
"NSS 3.73 [1] and NSS ESR 3.68.1 [2] have been released and contain the
fix. A patch suitable for backporting is also attached (patch.diff)."
Comment 2 Hanno Böck gentoo-dev 2021-12-01 17:24:15 UTC
We should check which other packages may be affected by this.

According to the advisory this can affect thunderbird. The thunderbird-bin package ships its own libnss copy, so at least thunderbird-bin should be bumped as well.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 17:58:28 UTC
From MFSA-2021-51 (https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/):
"Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted."
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:12:10 UTC
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2022-12-19 02:05:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=300d0a6989f134e6228f91cb9ea405db485ee8f0

commit 300d0a6989f134e6228f91cb9ea405db485ee8f0
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-19 02:01:58 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:04:29 +0000

    [ GLSA 202212-05 ] Mozilla Network Security Service (NSS): Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/827946
    Bug: https://bugs.gentoo.org/836386
    Bug: https://bugs.gentoo.org/848984
    Bug: https://bugs.gentoo.org/877169
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-05.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 02:32:00 UTC
GLSA released, all done.