
Bug 491234 (CVE-2013-1741)

Summary: <dev-libs/nss-3.15.3 - <www-client/firefox-bin-{24.1.1,25.0.1} - <mail-client/thunderbird-bin-24.1.1 - <www-client/seamonkey-bin-2.22.1 : multiple vulnerabilities (CVE-2013-{1741,2566,5605,5606,5607})
Product: Gentoo Security
Reporter: Dirkjan Ochtman (RETIRED) <djc>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alex_y_xu, mozilla
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-11-14 11:45:27 UTC
+*nss-3.15.3 (14 Nov 2013)
+
+  14 Nov 2013; Lars Wendler <polynomial-c@gentoo.org> +nss-3.15.3.ebuild:
+  Security bump (bug #491234).
+
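Review bot: the ChangeLog line "Security bump (bug #491234)." does not say which issues the bump addresses. Naming the CVE range from the bug summary (CVE-2013-{1741,2566,5605,5606,5607}) in that line would let someone reading the ChangeLog judge the urgency of nss-3.15.3 without opening the bug.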
Comment 2 Agostino Sarubbo gentoo-dev 2013-11-19 11:41:08 UTC
http://www.mozilla.org/security/announce/2013/mfsa2013-103.html :

Google developer Andrew Tinits reported a potentially exploitable buffer overflow that was fixed in both NSS 3.15.3 and NSS 3.14.5.

Null Cipher buffer overflow (CVE-2013-5605)
Mozilla developer Camilo Viecco discovered that if the verifylog feature was used when validating certificates then certificates with incompatible key usage constraints were not rejected. This did not directly affect Firefox but might affect other software using the NSS library.

CERT_VerifyCert can SECSuccess for bad certificates (CVE-2013-5606)
Google security researcher Tavis Ormandy reported a runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls.

Integer truncation in certificate parsing (CVE-2013-1741)
Pascal Cuoq, RedHat developer Kamil Dudka, and Google developer Wan-Teh Chang found equivalent Netscape Portable Runtime (NSPR) library code suffered the same integer truncation.

Avoid unsigned integer wrapping in PL_ArenaAllocate (CVE-2013-5607)
NSS lowered the priority of RC4 in cipher suite advertisement so that more secure ciphers instead of RC4 are likely to be chosen by the server. This can help address the problem described by Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt in their paper "On the Security of RC4 in TLS."

"On the Security of RC4 in TLS" plaintext recovery attack (CVE-2013-2566)
Comment 3 Ryan Sleevi 2013-11-25 02:54:42 UTC
There's been no stabilizing of this package following its upload a week ago. 

Shouldn't this be tagged STABLEREQ?
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2013-11-26 16:37:58 UTC
CC'ing arches:

dev-libs/nss-3.15.3 : KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

www-client/firefox-bin-24.1.1 : KEYWORDS="amd64 x86"
www-client/seamonkey-bin-2.22.1: KEYWORDS="amd64 x86"
mail-client/thunderbird-bin-24.1.1 : KEYWORDS="amd64 x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-11-26 19:07:32 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2013-11-27 10:55:51 UTC
(In reply to Ian Stakenvicius from comment #4)
> CC'ing arches:
> 
> dev-libs/nss-3.15.3 : KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc
> x86"
> 
> www-client/firefox-bin-24.1.1 : KEYWORDS="amd64 x86"
> www-client/seamonkey-bin-2.22.1: KEYWORDS="amd64 x86"
> mail-client/thunderbird-bin-24.1.1 : KEYWORDS="amd64 x86"

Why stabilize those versions instead of 17.x series?
Comment 7 Andrius Štikonas 2013-11-27 11:52:48 UTC
(In reply to Agostino Sarubbo from comment #6)
> (In reply to Ian Stakenvicius from comment #4)
> > CC'ing arches:
> > 
> > dev-libs/nss-3.15.3 : KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc
> > x86"
> > 
> > www-client/firefox-bin-24.1.1 : KEYWORDS="amd64 x86"
> > www-client/seamonkey-bin-2.22.1: KEYWORDS="amd64 x86"
> > mail-client/thunderbird-bin-24.1.1 : KEYWORDS="amd64 x86"
> 
> Why stabilize those versions instead of 17.x series?

I think that ESR series are no longer maintained after next_ESR+1 is released. Firefox 25 was released, so there will be no more updates to 17.x series. So you will have to stabilize 24.x soon anyway due to security issues.
Comment 8 Jory A. Pratt gentoo-dev 2013-11-27 14:37:45 UTC
(In reply to Agostino Sarubbo from comment #6)
> (In reply to Ian Stakenvicius from comment #4)
> > CC'ing arches:
> > 
> > dev-libs/nss-3.15.3 : KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc
> > x86"
> > 
> > www-client/firefox-bin-24.1.1 : KEYWORDS="amd64 x86"
> > www-client/seamonkey-bin-2.22.1: KEYWORDS="amd64 x86"
> > mail-client/thunderbird-bin-24.1.1 : KEYWORDS="amd64 x86"
> 
> Why stabilize those versions instead of 17.x series?

24.x is the new ESR branch; that is why we are moving to it. He has missed the source builds as well, but we can fix that in a day or two.
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-27 18:18:26 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-11-27 18:18:55 UTC
x86 stable
Comment 11 Andrius Štikonas 2013-11-27 19:33:45 UTC
Something strange is happening. Why did www-client/firefox become stable on HPPA but not on amd64/x86? It seems that this bug is only targeting www-client/firefox-bin, but then it is not clear why www-client/firefox became stable on HPPA...
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2013-11-27 21:24:32 UTC
CVE-2013-5606 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5606):
  The CERT_VerifyCert function in lib/certhigh/certvfy.c in Mozilla Network
  Security Services (NSS) 3.15 before 3.15.3 provides an unexpected return
  value for an incompatible key-usage certificate when the CERTVerifyLog
  argument is valid, which might allow remote attackers to bypass intended
  access restrictions via a crafted certificate.

CVE-2013-5605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5605):
  Mozilla Network Security Services (NSS) 3.14 before 3.14.5 and 3.15 before
  3.15.3 allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via invalid handshake packets.

CVE-2013-1741 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1741):
  Integer overflow in Mozilla Network Security Services (NSS) 3.15 before
  3.15.3 allows remote attackers to cause a denial of service or possibly have
  unspecified other impact via a large size value.
Comment 13 Agostino Sarubbo gentoo-dev 2013-12-01 18:09:57 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-12-01 18:10:19 UTC
ppc64 stable
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-12-01 19:15:18 UTC
CVE-2013-5607 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5607):
  Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape
  Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1,
  Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before
  2.22.1, allows remote attackers to cause a denial of service (application
  crash) or possibly have unspecified other impact via a crafted X.509
  certificate, a related issue to CVE-2013-1741.

CVE-2013-2566 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2566):
  The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many
  single-byte biases, which makes it easier for remote attackers to conduct
  plaintext-recovery attacks via statistical analysis of ciphertext in a large
  number of sessions that use the same plaintext.
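
The unsigned wrap named in CVE-2013-5607 above, and in the "Avoid unsigned integer wrapping in PL_ArenaAllocate" entry of comment 2, illustrated on a toy allocator. This is an added example, not NSPR or NSS code: `toy_arena`, `align_up`, `toy_alloc` and `request_accepted` are hypothetical names, and the 32-bit size type and the round-up step are assumptions about the bug class, not the actual patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy bump arena with 32-bit sizes (hypothetical; not NSPR's PLArenaPool). */
typedef struct {
    uint8_t *base;
    uint32_t used, cap;
    uint32_t mask;              /* alignment - 1, e.g. 7 for 8 bytes */
} toy_arena;

/* Round nb up to the alignment. Sets *wrapped when nb + mask overflowed
 * 32 bits, in which case the result is smaller than the request. */
static uint32_t align_up(uint32_t nb, uint32_t mask, int *wrapped) {
    uint32_t aligned = (nb + mask) & ~mask;
    *wrapped = aligned < nb;
    return aligned;
}

/* check_wrap = 0: flawed pattern, the capacity test only sees the wrapped size.
 * check_wrap = 1: hardened pattern, a wrapped size is rejected outright. */
static void *toy_alloc(toy_arena *a, uint32_t nb, int check_wrap) {
    int wrapped;
    uint32_t need = align_up(nb, a->mask, &wrapped);
    if (check_wrap && wrapped) return NULL;
    if (need > a->cap - a->used) return NULL;
    void *p = a->base + a->used;
    a->used += need;
    return p;
}

/* Returns 1 if a request of nb bytes is accepted by a fresh 64-byte arena. */
static int request_accepted(uint32_t nb, int check_wrap) {
    uint8_t backing[64];
    toy_arena a = { backing, 0, sizeof backing, 7 };
    return toy_alloc(&a, nb, check_wrap) != NULL;
}

int main(void) {
    uint32_t huge = 0xFFFFFFFCu;    /* constructed input: rounds up past 2^32 */
    printf("unchecked accepts huge request: %d\n", request_accepted(huge, 0));
    printf("checked accepts huge request:   %d\n", request_accepted(huge, 1));
    printf("checked accepts 24 bytes:       %d\n", request_accepted(24, 1));
    return 0;
}
```

Without the wrap check, the allocator hands back a pointer for a request of almost 4 GiB while reserving zero bytes, so any later write sized by the caller's original length runs past the arena.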
Comment 16 Agostino Sarubbo gentoo-dev 2013-12-07 19:51:48 UTC
arm stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-12-08 17:06:04 UTC
alpha stable
Comment 18 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-12 16:27:56 UTC
Will continue stabilizing in bug 493850 since we need to request another round of stables there anyway.
Comment 19 Alex Xu (Hello71) 2014-04-19 02:10:08 UTC
cleaned up as part of bug 493850; sec, please decide whether to glsa this or coalesce into that one.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 01:55:50 UTC
Created a New GLSA request.
For NSS only; binaries of Firefox, Thunderbird and SeaMonkey are part of another GLSA already in progress, as part of Bug #493850.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-06-21 22:14:04 UTC
This issue was resolved and addressed in
 GLSA 201406-19 at http://security.gentoo.org/glsa/glsa-201406-19.xml
by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 22 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-06-21 22:16:24 UTC
Re-open for Mozilla things.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:17:10 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:17:53 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).