Bug 388045 (CVE-2011-3640)

Summary:	<dev-libs/nss-3.12.11-r1 Insecure Library Loading Vulnerability (CVE-2011-3640)
Product:	Gentoo Security	Reporter:	Agostino Sarubbo <ago>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://secunia.com/advisories/46557/
Whiteboard:	B1 [glsa]
Package list:		Runtime testing required:	---

Description Agostino Sarubbo gentoo-dev

2011-10-21 21:24:59 UTC

From secunia security advisory at $URL:

Description:
The vulnerability is caused due to the "NSS_NoDB_Init()" function incorrectly constructing a file path for the "pkcs11.txt" configuration file. This can be exploited to load arbitrary security modules via the "library" directive when a configuration file is loaded from a remote WebDAV or SMB share.

Successful exploitation allows execution of arbitrary code.

Solution:
Fixed in the CVS repository.
https://bugzilla.mozilla.org/show_bug.cgi?id=641052

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2011-10-27 15:59:15 UTC

+*nss-3.12.11-r1 (27 Oct 2011)
+
+  27 Oct 2011; Lars Wendler <polynomial-c@gentoo.org> +nss-3.12.11-r1.ebuild,
+  +files/nss-3.12.11-CVE-2011-3640.patch:
+  Revbump to fix CVE-2011-3640 (bug #388045).
+

Comment 2 Agostino Sarubbo gentoo-dev

2011-10-27 16:15:01 UTC

Thanks Lars.

Arches, please test and mark stable:
=dev-libs/nss-3.12.11-r1
target KEYWORDS : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2011-10-27 16:23:14 UTC

That's not enough. In order to get nss-3.12.11-r1 stable we also need dev-libs/nspr-4.8.9 stable (it's a dependency of dev-libs/nss). 

So arches please test and mark stable:

=dev-libs/nspr-4.8.9
=dev-libs/nss-3.12.11-r1

Target keywords are:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Comment 4 Agostino Sarubbo gentoo-dev

2011-10-27 16:56:18 UTC

amd64: both ok

Comment 5 Ian Delaney (RETIRED) gentoo-dev

2011-10-27 22:57:46 UTC

ditto Ago

Comment 6 Tony Vroon (RETIRED) gentoo-dev

2011-10-28 09:32:11 UTC

+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> nspr-4.8.9.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #388045.

+  28 Oct 2011; Tony Vroon <chainsaw@gentoo.org> nss-3.12.11-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+  "idella4" Delaney in security bug #388045.

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2011-10-28 16:39:52 UTC

Stable for HPPA.

Comment 8 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-10-30 12:39:24 UTC

x86 stable

Comment 9 Jory A. Pratt gentoo-dev

2011-10-31 21:25:15 UTC

Mozilla team is done here, readd if needed.

Comment 10 Markus Meier gentoo-dev

2011-11-05 21:11:14 UTC

arm stable

Comment 11 Brent Baude (RETIRED) gentoo-dev

2011-11-06 16:23:50 UTC

ppc done

Comment 12 Raúl Porcel (RETIRED) gentoo-dev

2011-11-19 19:51:34 UTC

alpha/ia64/sparc stable

Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-11-25 17:31:42 UTC

ppc64 stable, last arch done

Comment 14 Tim Sammut (RETIRED) gentoo-dev

2011-12-09 00:27:59 UTC

Thanks, everyone. Added to existing GLSA request.

Comment 15 GLSAMaker/CVETool Bot gentoo-dev

2011-12-13 00:14:39 UTC

CVE-2011-3640 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3640):
  ** DISPUTED ** Untrusted search path vulnerability in Mozilla Network
  Security Services (NSS), as used in Google Chrome before 17 on Windows and
  Mac OS X, might allow local users to gain privileges via a Trojan horse
  pkcs11.txt file in a top-level directory.  NOTE: the vendor's response was
  "Strange behavior, but we're not treating this as a security bug."

Comment 16 GLSAMaker/CVETool Bot gentoo-dev

2013-01-08 01:05:00 UTC

This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).