Summary: | <dev-libs/nss-3.17.3: QuickDER Decoder security bypass (CVE-2014-1569) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | mozilla |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes | ||
Whiteboard: | A4 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-12-04 08:42:21 UTC
Arches please test and mark stable =dev-libs/nss-3.17.3 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris amd64 stable Stable for HPPA. x86 stable ppc stable ppc64 stable ia64 stable arm stable alpha stable sparc stable. Maintainer(s), please cleanup. Security, please vote. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). GLSA Vote: No CVE-2014-1569 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1569): The definite_length_decoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00. GLSA Vote: No, marking noglsa Maintainer(s), please drop the vulnerable version(s). I am using all other open NSS bugs as depend for this bug for cleanup. Maintainer(s), it has been 30 days since request for cleanup. Please drop the vulnerable versions. +*nss-3.17.4 (31 Jan 2015) + + 31 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -nss-3.15.4.ebuild, + -nss-3.16.5.ebuild, -nss-3.16.6.ebuild, -nss-3.17.2.ebuild, + +nss-3.17.4.ebuild, -files/nss-3.15-gentoo-fixups.patch, + -files/nss-3.15-x32.patch: + Version bump (bug #538288). Removed old. + Vulnerable versions have been dropped. Sorry for the delay... Maintainer(s), Thank you for cleanup! Closing noglsa. |