Bug 750254 (CVE-2020-25648)

Summary:	<dev-libs/nss-3.58: Tighten CCS handling for middlebox compatibility mode in TLS 1.3 handshake (CVE-2020-25648)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	mozilla
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://bugzilla.mozilla.org/show_bug.cgi?id=1641480
Whiteboard:	A3 [glsa+ cve]
Package list:	dev-libs/nss-3.58-r2 dev-libs/nspr-4.29 amd64 hppa ppc ppc64 s390 x86	Runtime testing required:	---
Bug Depends on:	750746
Bug Blocks:

Description Sam James archtester

2020-10-19 20:27:48 UTC

"Tighten CCS handling for middlebox compatibility mode."


Fixed in NSS 3.58.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2020-10-19 21:04:25 UTC

Upstream fix: https://github.com/nss-dev/nss/commit/e10a362f69191506e73bfa31778da45f4c5df482

Comment 2 Larry the Git Cow gentoo-dev

2020-10-19 21:04:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8e18430ce14e579a2b7c6c5afbede6281dff231a

commit 8e18430ce14e579a2b7c6c5afbede6281dff231a
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-19 21:00:36 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-19 21:00:36 +0000

    dev-libs/nss: bump to v3.58
    
    Bug: https://bugs.gentoo.org/750254
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-libs/nss/Manifest        |   1 +
 dev-libs/nss/nss-3.58.ebuild | 359 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 360 insertions(+)

Comment 3 NATTkA bot gentoo-dev

2020-10-20 01:41:01 UTC Comment hidden (obsolete)

Sanity check failed:

> dev-libs/nss-3.58
>   depend amd64 stable profile default/linux/amd64/17.0 (22 total)
>     >=dev-libs/nspr-4.29[abi_x86_32(-),abi_x86_64(-)]
>   depend amd64 stable profile default/linux/amd64/17.0/no-multilib (6 total)
>     >=dev-libs/nspr-4.29[abi_x86_64(-)]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=dev-libs/nspr-4.29[abi_x86_64(-)]
>   depend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-libs/nspr-4.29[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (22 total)
>     >=dev-libs/nspr-4.29[abi_x86_32(-),abi_x86_64(-)]
>   rdepend amd64 stable profile default/linux/amd64/17.0/no-multilib (6 total)
>     >=dev-libs/nspr-4.29[abi_x86_64(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=dev-libs/nspr-4.29[abi_x86_64(-)]
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (1 total)
>     >=dev-libs/nspr-4.29[abi_x86_32(-),abi_x86_64(-),abi_x86_x32(-)]
>   depend arm stable profile default/linux/arm/17.0 (40 total)
>     >=dev-libs/nspr-4.29
>   depend arm dev profile default/linux/arm/17.0/armv4 (33 total)
>     >=dev-libs/nspr-4.29
>   rdepend arm stable profile default/linux/arm/17.0 (40 total)
>     >=dev-libs/nspr-4.29
>   rdepend arm dev profile default/linux/arm/17.0/armv4 (33 total)
>     >=dev-libs/nspr-4.29
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/nspr-4.29[abi_x86_32(-)]
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=dev-libs/nspr-4.29[abi_x86_32(-)]

Comment 4 Sam James archtester

2020-10-21 01:08:15 UTC

arm done

Comment 5 Sam James archtester

2020-10-21 01:09:20 UTC

arm64 done

Comment 6 Sam James archtester

2020-10-21 03:42:30 UTC

sparc done

Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev

2020-10-23 09:58:49 UTC

Stabilization canceled due to regression.

Comment 8 NATTkA bot gentoo-dev

2020-10-23 10:04:50 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 9 Larry the Git Cow gentoo-dev

2020-10-23 12:16:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ebfd820b1074bbdd0409328af0af1328fdd3ee9

commit 6ebfd820b1074bbdd0409328af0af1328fdd3ee9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-10-23 12:16:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-23 12:16:16 +0000

    dev-libs/nss: drop 3.58 stable keywords
    
    There is a regression in 3.58 currently being
    investigated. See the bug for details.
    
    Bug: https://bugs.gentoo.org/750746
    Bug: https://bugs.gentoo.org/750254
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/nss/nss-3.58.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 10 NATTkA bot gentoo-dev

2020-10-23 16:20:54 UTC

Unable to check for sanity:

> no match for package: dev-libs/nss-3.58

Comment 11 NATTkA bot gentoo-dev

2020-10-23 19:44:49 UTC

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev

2020-10-26 16:13:20 UTC

x86 stable

Comment 13 Sam James archtester

2020-10-28 03:04:56 UTC

arm64 done

Comment 14 Sam James archtester

2020-10-28 16:15:14 UTC

arm done

Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev

2020-10-28 22:42:46 UTC

hppa/ppc/ppc64/sparc stable

Comment 16 Piotr Karbowski (RETIRED) gentoo-dev

2020-10-31 15:48:49 UTC

amd64 stable

Comment 17 Agostino Sarubbo gentoo-dev

2020-11-17 19:06:49 UTC

s390 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev

2020-12-22 23:12:46 UTC

New GLSA request filed.

Comment 19 GLSAMaker/CVETool Bot gentoo-dev

2020-12-23 20:22:18 UTC

This issue was resolved and addressed in
 GLSA 202012-21 at https://security.gentoo.org/glsa/202012-21
by GLSA coordinator Thomas Deutschmann (whissi).