Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 827946 (CVE-2021-43527, MFSA-2021-51)

Summary: <dev-libs/nss-{3.68.1, 3.73}: Heap overflow when verifying DSA/RSA-PSS DER-encoded signatures (CVE-2021-43527)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: adnae, mozilla, phmagic
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=822294
Whiteboard: A1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 827951    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 16:55:53 UTC 
From https://marc.info/?l=oss-security&m=163837712525728&w=2:

"NSS (Network Security Services) versions prior to 3.73 are vulnerable
to a heap overflow when handling DER-encoded DSA or RSA-PSS
signatures. Applications using NSS for handling signatures encoded
within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted.
Applications using NSS for certificate validation or other TLS, X.509,
OCSP or CRL functionality may be impacted, depending on how they
configure NSS.

This vulnerability does NOT impact Mozilla Firefox, Tor Browser or
Chromium. However, other applications that use NSS for signature
verification are likely to be impacted."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 16:56:21 UTC 
"NSS 3.73 [1] and NSS ESR 3.68.1 [2] have been released and contain the
fix. A patch suitable for backporting is also attached (patch.diff)."
Comment 2 Hanno Böck gentoo-dev 2021-12-01 17:24:15 UTC 
We should check which other packages may be affected by this.

According to the advisory this can affect thunderbird. The thunderbird-bin package ships its own libnss copy, so at least thunderbird-bin should be bumped as well.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 17:58:28 UTC 
From MFSA-2021-51 (https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/):
"Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted."
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:12:10 UTC 
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2022-12-19 02:05:31 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=300d0a6989f134e6228f91cb9ea405db485ee8f0

commit 300d0a6989f134e6228f91cb9ea405db485ee8f0
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-19 02:01:58 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:04:29 +0000

    [ GLSA 202212-05 ] Mozilla Network Security Service (NSS): Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/827946
    Bug: https://bugs.gentoo.org/836386
    Bug: https://bugs.gentoo.org/848984
    Bug: https://bugs.gentoo.org/877169
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-05.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 02:32:00 UTC 
GLSA released, all done.