Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 498172 (CVE-2013-1740) - <dev-libs/nss-3.15.4: False Start PR_Recv Information Disclosure Security Issue (CVE-2013-1740)
Summary: <dev-libs/nss-3.15.4: False Start PR_Recv Information Disclosure Security Iss...
Status: RESOLVED FIXED
Alias: CVE-2013-1740
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/56386/
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-01-15 13:39 UTC by Agostino Sarubbo
Modified: 2014-01-27 17:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-01-15 13:39:01 UTC
From ${URL} :

Description

A security issue has been reported in Network Security Services (NSS), which can be exploited by 
malicious people to disclose certain information.

The security issue is caused due an error within the "ssl_Do1stHandshake()" function 
(lib/ssl/sslsecur.c) and can be exploited to potentially return unencrypted and unauthenticated 
data from PR_Recv.

Successful exploitation requires that false start is enabled.

The security issue is reported in versions prior to 3.15.4.


Solution:
Update to version 3.15.4.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.4_release_notes


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2014-01-15 13:51:10 UTC
Arches please test and mark stable =dev-libs/nss-3.15.4 with target KEYWORDS:

alpha amd64 arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris
Comment 2 Jeroen Roovers gentoo-dev 2014-01-15 16:00:07 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-01-16 20:16:16 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-01-16 20:18:00 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-01-17 20:43:37 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2014-01-17 20:47:24 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-01-19 13:48:10 UTC
alpha stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-01-19 13:55:28 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-01-26 11:49:37 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-01-26 12:00:09 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Lars Wendler (Polynomial-C) gentoo-dev 2014-01-27 11:16:09 UTC
+  27 Jan 2014; Lars Wendler <polynomial-c@gentoo.org> -nss-3.15.2.ebuild,
+  -nss-3.15.3.ebuild, -nss-3.15.3.1.ebuild,
+  -files/nss-3.12.6-gentoo-fixup-warnings.patch,
+  -files/nss-3.14.1-gentoo-fixups-r1.patch, -files/nss-3.14.2-x32.patch,
+  -files/nss-3.14.3_sync_with_upstream_softokn_changes.patch,
+  -files/nss-3.15.1-fipstest-warnings.patch:
+  Removed old...
+
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 14:36:33 UTC
CVE-2013-1740 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1740):
  The ssl_Do1stHandshake function in sslsecur.c in libssl in Mozilla Network
  Security Services (NSS) before 3.15.4, when the TLS False Start feature is
  enabled, allows man-in-the-middle attackers to spoof SSL servers by using an
  arbitrary X.509 certificate during certain handshake traffic.
Comment 13 Chris Reffett (RETIRED) gentoo-dev Security 2014-01-27 14:40:45 UTC
GLSA vote: no.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-01-27 17:53:10 UTC
GLSA vote: no.

Closing as [noglsa]