Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 498172 (CVE-2013-1740)

Summary: <dev-libs/nss-3.15.4: False Start PR_Recv Information Disclosure Security Issue (CVE-2013-1740)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: mozilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/56386/
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-01-15 13:39:01 UTC
From ${URL} :

Description

A security issue has been reported in Network Security Services (NSS), which can be exploited by 
malicious people to disclose certain information.

The security issue is caused due an error within the "ssl_Do1stHandshake()" function 
(lib/ssl/sslsecur.c) and can be exploited to potentially return unencrypted and unauthenticated 
data from PR_Recv.

Successful exploitation requires that false start is enabled.

The security issue is reported in versions prior to 3.15.4.


Solution:
Update to version 3.15.4.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-01-15 13:51:10 UTC
Arches please test and mark stable =dev-libs/nss-3.15.4 with target KEYWORDS:

alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-01-15 16:00:07 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-01-16 20:16:16 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-01-16 20:18:00 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-17 20:43:37 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-17 20:47:24 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-19 13:48:10 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-19 13:55:28 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-26 11:49:37 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-26 12:00:09 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-01-27 11:16:09 UTC
+  27 Jan 2014; Lars Wendler <polynomial-c@gentoo.org> -nss-3.15.2.ebuild,
+  -nss-3.15.3.ebuild, -nss-3.15.3.1.ebuild,
+  -files/nss-3.12.6-gentoo-fixup-warnings.patch,
+  -files/nss-3.14.1-gentoo-fixups-r1.patch, -files/nss-3.14.2-x32.patch,
+  -files/nss-3.14.3_sync_with_upstream_softokn_changes.patch,
+  -files/nss-3.15.1-fipstest-warnings.patch:
+  Removed old...
+
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 14:36:33 UTC
CVE-2013-1740 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1740):
  The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network
  Security Services (NSS) before 3.15.4, when the TLS False Start feature is
  enabled, allows man-in-the-middle attackers to spoof SSL servers by using an
  arbitrary X.509 certificate during certain handshake traffic.
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-27 14:40:45 UTC
GLSA vote: no.
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 17:53:10 UTC
GLSA vote: no.

Closing as [noglsa]