Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 836386 (CVE-2022-1097) - <dev-libs/nss-{3.68.3, 3.76.1}: Memory safety issues with PKCS#11 tokens
Summary: <dev-libs/nss-{3.68.3, 3.76.1}: Memory safety issues with PKCS#11 tokens
Status: IN_PROGRESS
Alias: CVE-2022-1097
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 836621
Blocks:
  Show dependency tree
 
Reported: 2022-03-29 23:47 UTC by Sam James
Modified: 2022-04-10 14:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-29 23:47:29 UTC
From the 3.76.1 release notes:
"":
   This release improves the stability of NSS when used in a multi-threaded
   environment. In particular, it fixes memory safety violations that can occur
   when PKCS#11 tokens are removed while in use (CVE-2022-1097). We presume
   that with enough effort these memory safety violations are exploitable.
"""

Please bump to 3.76.1.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-30 02:32:55 UTC
Oops, already in tree.
Comment 2 Larry the Git Cow gentoo-dev 2022-03-30 04:57:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d157cf9c7ecb644ca59c667e9b6a6e20c5a2200

commit 6d157cf9c7ecb644ca59c667e9b6a6e20c5a2200
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-03-30 04:56:41 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-30 04:56:41 +0000

    dev-libs/nss: drop 3.75-r1, 3.76-r1 (security cleanup p1)
    
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest           |   2 -
 dev-libs/nss/nss-3.75-r1.ebuild | 361 ----------------------------------------
 dev-libs/nss/nss-3.76-r1.ebuild | 361 ----------------------------------------
 3 files changed, 724 deletions(-)
Comment 3 tt_1 2022-04-01 06:51:20 UTC
please bump to 3.68.3 too, it has the same fix backported according to the changelogs
Comment 4 Larry the Git Cow gentoo-dev 2022-04-02 05:30:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0d5c3a907c56c8ab278f57a6261e8ea875f15e7

commit e0d5c3a907c56c8ab278f57a6261e8ea875f15e7
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-04-02 05:29:01 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-02 05:30:43 +0000

    dev-libs/nss: add 3.68.3
    
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest          |   1 +
 dev-libs/nss/nss-3.68.3.ebuild | 362 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 363 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 23:39:04 UTC
Please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2022-04-10 12:59:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35b2d5cf4c16277977814b89becd779d20f84726

commit 35b2d5cf4c16277977814b89becd779d20f84726
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-04-10 12:58:00 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-10 12:58:00 +0000

    dev-libs/nss: drop 3.68.2-r1
    
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest             |   1 -
 dev-libs/nss/nss-3.68.2-r1.ebuild | 361 --------------------------------------
 2 files changed, 362 deletions(-)