Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 486114 (CVE-2013-1739) - <dev-libs/nss-3.15.2: uninitialized data read (CVE-2013-1739)
Summary: <dev-libs/nss-3.15.2: uninitialized data read (CVE-2013-1739)
Status: RESOLVED FIXED
Alias: CVE-2013-1739
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-09-26 20:03 UTC by Dirkjan Ochtman
Modified: 2014-06-21 22:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dirkjan Ochtman gentoo-dev 2013-09-26 20:03:43 UTC
The following security-relevant bugs have been resolved in NSS 3.15.2.
Users are encouraged to upgrade immediately.
* Bug 894370 - (CVE-2013-1739) Avoid uninitialized data read in the event
of a decryption failure.
Comment 1 Jory A. Pratt gentoo-dev 2013-09-27 01:23:55 UTC
Bring in the teams, it has been added to tree.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-29 16:19:57 UTC
Arches, please test and mark stable:
=dev-libs/nss-3.15.2
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 ~s390 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-09-30 06:23:39 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-09-30 06:23:48 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2013-10-01 13:25:29 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2013-10-06 10:12:16 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-10-06 15:20:23 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-10-07 19:30:33 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-10-09 11:16:59 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-10-09 11:18:57 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-10-09 17:10:19 UTC
sparc stable
Comment 12 Chris Reffett (RETIRED) gentoo-dev Security 2013-10-24 00:11:12 UTC
Cleanup, please.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:11:41 UTC
CVE-2013-1739 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1739):
  Mozilla Network Security Services (NSS) before 3.15.2 does not ensure that
  data structures are initialized before read operations, which allow remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via vectors that trigger a decryption failure.
Comment 14 Lars Wendler (Polynomial-C) gentoo-dev 2013-10-24 08:35:12 UTC
+  24 Oct 2013; Lars Wendler <polynomial-c@gentoo.org> -nss-3.14.3.ebuild,
+  -nss-3.15.1-r1.ebuild:
+  Removed vulnerable versions (bug #486114).
+
Comment 15 Dirkjan Ochtman gentoo-dev 2013-10-24 11:09:25 UTC
Do we want to add back 3.14.4?

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes
Comment 16 Lars Wendler (Polynomial-C) gentoo-dev 2013-10-24 11:45:03 UTC
(In reply to Dirkjan Ochtman from comment #15)
> Do we want to add back 3.14.4?
> 
> https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14.4_release_notes

Please don't. nss-3.15 introduced TLS-1.2 which is the only TLS implementation out there that AFAIK has no known attack vector. And besides, nss-3.15.2 is already stable where it's necessary.
Comment 17 Dirkjan Ochtman gentoo-dev 2013-10-24 11:50:59 UTC
I have no problem with that, but I thought we might have stuff in the tree that depends on the 3.14 slot.
Comment 18 Ian Stakenvicius (RETIRED) gentoo-dev 2013-10-24 13:20:47 UTC
(In reply to Dirkjan Ochtman from comment #17)
> I have no problem with that, but I thought we might have stuff in the tree
> that depends on the 3.14 slot.

if we do, it's not specified in *DEPEND -- if it was then repoman would've caught it.  I also grepped the tree just to be safe and didn't get any hits.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2014-06-19 02:30:12 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2014-06-21 22:14:02 UTC
This issue was resolved and addressed in
 GLSA 201406-19 at http://security.gentoo.org/glsa/glsa-201406-19.xml
by GLSA coordinator Mikle Kolyada (Zlogene).