
Bug 627534 (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698)

Summary: <dev-libs/nss-3.49: Multiple Vulnerabilities (CVE-2017-{11695,11696,11697,11698})
Product: Gentoo Security Reporter: Aleksandr Wagner (Kivak) <alwag>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: arthur, mozilla
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/fulldisclosure/2017/Aug/17
Whiteboard: A2 [glsa+ cve]
Package list:
dev-libs/nss-3.51 dev-libs/nspr-4.25
Runtime testing required: ---

Description Aleksandr Wagner (Kivak) 2017-08-11 10:46:13 UTC
From $URL:

Good afternoon. Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017 and as of this notification 
have not been resolved and as such, I am disclosing them to the public so that anyone making use of NSS is aware that 
these exist. Please note that as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.

What is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform 
development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration 
on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of 
cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository 
(https://hg.mozilla.org/projects/nss) and can all be triggered using the NSS tool `certutil` and malformed `cert8.db` 
files which I have uploaded to https://github.com/geeknik/cve-fuzzing-poc.

CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782

CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778

CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900

CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779

These flaws were discovered by Brian Carpenter of Geeknik Labs (http://www.geeknik.net) using the American Fuzzy Lop 
tool.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 18:51:34 UTC
Maintainer(s), please advise, this looks like it has gotten lost in Bugzilla, can you please advise if this is fixed?
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-15 04:05:38 UTC
(In reply to Yury German from comment #1)
> Maintainer(s), please advise, this looks like it has gotten lost in
> Bugzilla, can you please advise if this is fixed?

Important comment from Mozilla about the status of this:
"I’m sorry this bug didn’t get suitable, timely attention, nor follow-up. This CVE was not tracked in Mozilla’s lists (since the CVE wasn’t allocated by us), and both age and turnover in the NSS team led to it being dropped.

This bug and its peers from the 9 Aug 2017 disclosure [0] are all in libnssdbm, which has been replaced by a SQLite datastore, starting in NSS 3.12 in 2008 [1]. In 2018, Firefox 60 and NSS 3.35 made SQLite the default [2], and in Bug 1594931 (Firefox 73) and Bug 1594933 (NSS 3.49) we will stop building this legacy database by default [3][4].

These bugs are real and easily demonstrated, but require local modification of the profile directory, and thus are difficult to exploit widely. The underlying causes are deep within DBM, which was legacy ndbm code even back unto the first commits of NSS in Netscape. Fixing these issues is effectively fixing structural problems with the serialization layer of ndbm from the early 1990s. Unfortunately, these bugs are not shallow. The solution is to move to the SQLite format and leave this deprecated, legacy code until we can remove it entirely in the early 2020s.

For that reason, I am closing this and its peer bugs as WONTFIX. As [0] already disclosed the bugs, I am going to open them up as well to explain this publicly."

https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-15 15:32:03 UTC
Added to an existing GLSA.

We need to stabilize >=dev-libs/nss-3.49 to ensure that the affected libraries are no longer present.
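The two remediation statements in this thread (comment 2: the fix is to stop using the legacy dbm store in favour of SQLite; comment 3: make sure the affected library is no longer installed) translate into a check an administrator can run. The script below is an added example, not code from this bug, from the Gentoo nss ebuild or from NSS itself. It classifies an NSS database directory as legacy dbm (cert8.db, key3.db, secmod.db), SQLite (cert9.db, key4.db, pkcs11.txt), both or neither, and tests whether the legacy backend library libnssdbm3.so is still present in the library directories you give it. The file and library names are the ones NSS uses; the default library directories and the report format are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Gentoo bug, the nss ebuild or NSS itself.
# Classifies NSS database directories and checks for the legacy dbm backend.
# File names are the ones NSS uses (cert8.db/key3.db/secmod.db for dbm,
# cert9.db/key4.db/pkcs11.txt for SQLite); the library directories searched
# by default are an assumption for a typical Gentoo amd64 install.

# nss_db_format DIR: print dbm, sql, both or none for the profile directory DIR.
nss_db_format() {
    nss_dir=$1
    has_dbm=0
    has_sql=0
    for f in cert8.db key3.db secmod.db; do
        if [ -f "$nss_dir/$f" ]; then has_dbm=1; fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -f "$nss_dir/$f" ]; then has_sql=1; fi
    done
    if [ "$has_dbm" -eq 1 ] && [ "$has_sql" -eq 1 ]; then
        echo both
    elif [ "$has_dbm" -eq 1 ]; then
        echo dbm
    elif [ "$has_sql" -eq 1 ]; then
        echo sql
    else
        echo none
    fi
}

# nss_legacy_lib_present LIBDIR...: succeed (0) if libnssdbm3.so exists in any LIBDIR.
nss_legacy_lib_present() {
    for d in "$@"; do
        if [ -e "$d/libnssdbm3.so" ]; then return 0; fi
    done
    return 1
}

# nss_report DIR: one line per profile directory, flagging dbm-format profiles
# that still depend on the libnssdbm code path this bug is about.
nss_report() {
    fmt=$(nss_db_format "$1")
    case $fmt in
        dbm|both) printf '%s: %s (legacy cert8.db/key3.db still in use)\n' "$1" "$fmt" ;;
        *)        printf '%s: %s\n' "$1" "$fmt" ;;
    esac
}

# Usage: sh nss-db-check.sh PROFILE_DIR...   (e.g. ~/.pki/nssdb or a Firefox profile)
if [ "$#" -gt 0 ]; then
    if nss_legacy_lib_present /usr/lib64 /usr/lib; then
        echo "libnssdbm3.so is installed: the legacy dbm backend is still present"
    else
        echo "libnssdbm3.so not found: legacy dbm backend not installed"
    fi
    for d in "$@"; do
        nss_report "$d"
    done
fi
```

A profile reported as dbm or both is one that would still be opened through the code Mozilla declined to fix; NSS tools select the backend explicitly with the sql: and dbm: prefixes on certutil's -d option (or via NSS_DEFAULT_DB_TYPE), so a dbm: directory should be migrated to sql: rather than left in place. The library check is the system-wide half of comment 3's goal: after stabilizing a build that drops the legacy database, libnssdbm3.so should no longer be found.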
Comment 4 Stabilization helper bot gentoo-dev 2020-03-15 20:00:50 UTC
An automated check of this bug failed - repoman reported dependency errors (203 lines truncated): 

> dependency.bad dev-libs/nss/nss-3.51.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/nss/nss-3.51.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/nss/nss-3.51.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
Comment 5 Rolf Eike Beer archtester 2020-03-16 17:45:09 UTC
sparc stable
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2020-03-16 21:19:21 UTC
This issue was resolved and addressed in
 GLSA 202003-37 at https://security.gentoo.org/glsa/202003-37
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-16 21:20:10 UTC
Re-opening for remaining architectures.
Comment 8 Mart Raudsepp gentoo-dev 2020-03-17 08:36:03 UTC
Looks like the re-opening comment and glsa+ went to the wrong place, with not even amd64 done here?
arm64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-17 18:44:45 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-18 09:49:29 UTC
s390 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-03-18 11:12:02 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-18 11:32:09 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2020-03-18 12:03:58 UTC
ia64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-03-18 16:03:51 UTC
x86 stable
Comment 15 Rolf Eike Beer archtester 2020-03-20 08:19:22 UTC
hppa stable
Comment 16 Agostino Sarubbo gentoo-dev 2020-03-25 08:12:35 UTC
arm stable.

Maintainer(s), please cleanup.
Comment 17 Larry the Git Cow gentoo-dev 2020-03-31 17:50:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0cb2ef179d11014b83d4f5547949fcc057b4951

commit e0cb2ef179d11014b83d4f5547949fcc057b4951
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-31 17:48:42 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-31 17:50:38 +0000

    dev-libs/nss: security cleanup (#627534)
    
    Bug: https://bugs.gentoo.org/627534
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/nss/Manifest                        |   5 -
 dev-libs/nss/files/nss-3.47-enable-pem.patch |  11 -
 dev-libs/nss/metadata.xml                    |   1 -
 dev-libs/nss/nss-3.47.1-r1.ebuild            | 375 ---------------------------
 dev-libs/nss/nss-3.48-r1.ebuild              | 375 ---------------------------
 dev-libs/nss/nss-3.49.2.ebuild               | 375 ---------------------------
 dev-libs/nss/nss-3.50-r1.ebuild              | 359 -------------------------
 7 files changed, 1501 deletions(-)
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-31 17:51:19 UTC
Repository is clean, all done!