Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 836386 (CVE-2022-1097) - <dev-libs/nss-{3.68.3, 3.76.1}: Memory safety issues with PKCS#11 tokens
Summary: <dev-libs/nss-{3.68.3, 3.76.1}: Memory safety issues with PKCS#11 tokens
Status: IN_PROGRESS
Alias: CVE-2022-1097
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa?]
Keywords:
Depends on: 836621
Blocks:
  Show dependency tree
 
Reported: 2022-03-29 23:47 UTC by Sam James
Modified: 2022-04-10 14:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-29 23:47:29 UTC 
From the 3.76.1 release notes:
"":
   This release improves the stability of NSS when used in a multi-threaded
   environment. In particular, it fixes memory safety violations that can occur
   when PKCS#11 tokens are removed while in use (CVE-2022-1097). We presume
   that with enough effort these memory safety violations are exploitable.
"""

Please bump to 3.76.1.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-03-30 02:32:55 UTC 
Oops, already in tree.
Comment 2 Larry the Git Cow gentoo-dev 2022-03-30 04:57:17 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d157cf9c7ecb644ca59c667e9b6a6e20c5a2200

commit 6d157cf9c7ecb644ca59c667e9b6a6e20c5a2200
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-03-30 04:56:41 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-30 04:56:41 +0000

    dev-libs/nss: drop 3.75-r1, 3.76-r1 (security cleanup p1)
    
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest           |   2 -
 dev-libs/nss/nss-3.75-r1.ebuild | 361 ----------------------------------------
 dev-libs/nss/nss-3.76-r1.ebuild | 361 ----------------------------------------
 3 files changed, 724 deletions(-)
Comment 3 tt_1 2022-04-01 06:51:20 UTC 
please bump to 3.68.3 too, it has the same fix backported according to the changelogs
Comment 4 Larry the Git Cow gentoo-dev 2022-04-02 05:30:46 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e0d5c3a907c56c8ab278f57a6261e8ea875f15e7

commit e0d5c3a907c56c8ab278f57a6261e8ea875f15e7
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-04-02 05:29:01 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-02 05:30:43 +0000

    dev-libs/nss: add 3.68.3
    
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest          |   1 +
 dev-libs/nss/nss-3.68.3.ebuild | 362 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 363 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 23:39:04 UTC 
Please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2022-04-10 12:59:22 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=35b2d5cf4c16277977814b89becd779d20f84726

commit 35b2d5cf4c16277977814b89becd779d20f84726
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-04-10 12:58:00 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-04-10 12:58:00 +0000

    dev-libs/nss: drop 3.68.2-r1
    
    Bug: https://bugs.gentoo.org/836386
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest             |   1 -
 dev-libs/nss/nss-3.68.2-r1.ebuild | 361 --------------------------------------
 2 files changed, 362 deletions(-)