Bug 627534 (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698)

Summary:	<dev-libs/nss-3.49: Multiple Vulnerabilities (CVE-2017-{11695,11696,11697,11698})
Product:	Gentoo Security	Reporter:	Aleksandr Wagner (Kivak) <alwag>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	arthur, mozilla
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://seclists.org/fulldisclosure/2017/Aug/17
Whiteboard:	A2 [glsa+ cve]
Package list:	dev-libs/nss-3.51 dev-libs/nspr-4.25	Runtime testing required:	---

Description Aleksandr Wagner (Kivak) 2017-08-11 10:46:13 UTC

From $URL:

Good afternoon. Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017 and as of this notification 
have not been resolved and as such, I am disclosing them to the public so that anyone making use of NSS is aware that 
these exist. Please note that as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.

What is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform 
development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration 
on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of 
cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository 
(https://hg.mozilla.org/projects/nss) and can all be triggered using the NSS tool `certutil` and malformed `cert8.db` 
files which I have uploaded to https://github.com/geeknik/cve-fuzzing-poc.

CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782

CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778

CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900

CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779

These flaws were discovered by Brian Carpenter of Geeknik Labs (http://www.geeknik.net) using the American Fuzzy Lop 
tool.

Comment 1 Yury German Gentoo Infrastructure

2019-04-27 18:51:34 UTC

Maintainer(s), please advise, this looks like it has gotten lost in Bugzilla, can you please advise if this is fixed?

Comment 2 Sam James archtester

2020-03-15 04:05:38 UTC

(In reply to Yury German from comment #1)
> Maintainer(s), please advise, this looks like it has gotten lost in
> Bugzilla, can you please advise if this is fixed?

Important comment from Mozilla about the status of this:
"I’m sorry this bug didn’t get suitable, timely attention, nor follow-up. This CVE was not tracked in Mozilla’s lists (since the CVE wasn’t allocated by us), and both age and turnover in the NSS team led to it being dropped.

This bug and its peers from the 9 Aug 2017 disclosure [0] are all in libnssdbm, which has been replaced by a SQLite datastore, starting in NSS 3.12 in 2008 [1]. In 2018, Firefox 60 and NSS 3.35 made SQLite the default [2], and in Bug 1594931 (Firefox 73) and Bug 1594933 (NSS 3.49) we will stop building this legacy database by default [3][4].

These bugs are real and easily demonstrated, but require local modification of the profile directory, and thus are difficult to exploit widely. The underlying causes are deep within DBM, which was legacy ndbm code even back unto the first commits of NSS in Netscape. Fixing these issues is effectively fixing structual problems with the serialization layer of ndbm from the early 1990s. Unfortunately, these bugs are not shallow. The solution is to move to the SQLite format and leave this deprecated, legacy code until we can remove it entirely in the early 2020s.

For that reason, I am closing this and its peer bugs as WONTFIX. As [0] already disclosed the bugs, I am going to open them up as well to explain this publicly."

https://bugzilla.mozilla.org/show_bug.cgi?id=1360779#c9

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-15 15:32:03 UTC

Added to an existing GLSA.

We need to stabilize >=dev0libs/nss-3.49 to ensure that the affected libraries are no longer present.

Comment 4 Stabilization helper bot gentoo-dev

2020-03-15 20:00:50 UTC

An automated check of this bug failed - repoman reported dependency errors (203 lines truncated): 

> dependency.bad dev-libs/nss/nss-3.51.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/nss/nss-3.51.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']
> dependency.bad dev-libs/nss/nss-3.51.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/nspr-4.25[abi_x86_32(-)?,abi_x86_64(-)?,abi_x86_x32(-)?,abi_mips_n32(-)?,abi_mips_n64(-)?,abi_mips_o32(-)?,abi_riscv_lp64d(-)?,abi_riscv_lp64(-)?,abi_s390_32(-)?,abi_s390_64(-)?]']

Comment 5 Rolf Eike Beer archtester

2020-03-16 17:45:09 UTC

sparc stable

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2020-03-16 21:19:21 UTC

This issue was resolved and addressed in
 GLSA 202003-37 at https://security.gentoo.org/glsa/202003-37
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-16 21:20:10 UTC

Re-opening for remaining architectures.

Comment 8 Mart Raudsepp gentoo-dev

2020-03-17 08:36:03 UTC

Looks like the re-opening comment and glsa+ went to the wrong place, with not even amd64 done here?
arm64 stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-03-17 18:44:45 UTC

amd64 stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-03-18 09:49:29 UTC

s390 stable

Comment 11 Agostino Sarubbo gentoo-dev

2020-03-18 11:12:02 UTC

ppc stable

Comment 12 Agostino Sarubbo gentoo-dev

2020-03-18 11:32:09 UTC

ppc64 stable

Comment 13 Agostino Sarubbo gentoo-dev

2020-03-18 12:03:58 UTC

ia64 stable

Comment 14 Agostino Sarubbo gentoo-dev

2020-03-18 16:03:51 UTC

x86 stable

Comment 15 Rolf Eike Beer archtester

2020-03-20 08:19:22 UTC

hppa stable

Comment 16 Agostino Sarubbo gentoo-dev

2020-03-25 08:12:35 UTC

arm stable.

Maintainer(s), please cleanup.

Comment 17 Larry the Git Cow gentoo-dev

2020-03-31 17:50:48 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0cb2ef179d11014b83d4f5547949fcc057b4951

commit e0cb2ef179d11014b83d4f5547949fcc057b4951
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-31 17:48:42 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-31 17:50:38 +0000

    dev-libs/nss: security cleanup (#627534)
    
    Bug: https://bugs.gentoo.org/627534
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/nss/Manifest                        |   5 -
 dev-libs/nss/files/nss-3.47-enable-pem.patch |  11 -
 dev-libs/nss/metadata.xml                    |   1 -
 dev-libs/nss/nss-3.47.1-r1.ebuild            | 375 ---------------------------
 dev-libs/nss/nss-3.48-r1.ebuild              | 375 ---------------------------
 dev-libs/nss/nss-3.49.2.ebuild               | 375 ---------------------------
 dev-libs/nss/nss-3.50-r1.ebuild              | 359 -------------------------
 7 files changed, 1501 deletions(-)

Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev

2020-03-31 17:51:19 UTC

Repository is clean, all done!