Bug 877169 (CVE-2022-3479) - <dev-libs/nss-3.79.2: tstclnt crash when accessing gnutls server without user cert
Summary: <dev-libs/nss-3.79.2: tstclnt crash when accessing gnutls server without user...
Status: IN_PROGRESS
Alias: CVE-2022-3479
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: A3 [glsa]
Keywords:
Depends on: 879175
Blocks:
Reported: 2022-10-15 02:19 UTC by John Helmert III
Modified: 2022-11-22 18:11 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-15 02:19:55 UTC
CVE-2022-3479 (https://bugzilla.redhat.com/show_bug.cgi?id=2134331):

A vulnerability was found in nss. Because of this security vulnerability, nss client auth crashes without a user certificate in the database, and this can lead to a segmentation fault or crash.
Comment 1 Larry the Git Cow gentoo-dev 2022-11-01 08:49:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04b9c445ff45199ad6440a218d015bf58f02b72b

commit 04b9c445ff45199ad6440a218d015bf58f02b72b
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-11-01 08:39:27 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-01 08:49:14 +0000

    dev-libs/nss: add 3.79.2
    
    Bug: https://bugs.gentoo.org/877169
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest                              |   1 +
 .../nss/files/nss-3.79-fix-client-cert-crash.patch |  23 ++
 dev-libs/nss/nss-3.79.2.ebuild                     | 391 +++++++++++++++++++++
 3 files changed, 415 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-01 15:21:24 UTC
Thanks! Please stable when ready.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-02 20:17:22 UTC
Please clean up
Comment 4 Larry the Git Cow gentoo-dev 2022-11-03 08:08:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b81b79032324ae209aac26bfafaed78a47ea18

commit 26b81b79032324ae209aac26bfafaed78a47ea18
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-11-03 08:07:09 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-03 08:07:58 +0000

    dev-libs/nss: drop 3.79.1
    
    Bug: https://bugs.gentoo.org/877169
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/Manifest          |   1 -
 dev-libs/nss/nss-3.79.1.ebuild | 390 -----------------------------------------
 2 files changed, 391 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1aceed34097d9899e80a6567576304a208eb817

commit d1aceed34097d9899e80a6567576304a208eb817
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-11-03 08:06:36 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-03 08:07:58 +0000

    dev-libs/nss: include the fix-client-cert-crash.patch in 3.84
    
    Bug: https://bugs.gentoo.org/877169
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 dev-libs/nss/{nss-3.84.ebuild => nss-3.84-r1.ebuild} | 1 +
 1 file changed, 1 insertion(+)
Comment 5 tt_1 2022-11-03 11:44:52 UTC
Why is this fix not yet upstreamed? The CVE lists <=nss-3.81 as vulnerable, so that should be fixed in a more recent version than 3.81, shouldn't it?
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-03 13:10:38 UTC
(In reply to tt_1 from comment #5)
> Why is this fix not yet upstreamed? The CVE lists <=nss-3.81 as vulnerable,
> so that should be fixed in a more recent version than 3.81, shouldn't it?

A patch is at URL. I suspect Mozilla will handle it eventually.

Don't trust the versioning in CVEs. We've patched it downstream, so we're fixed on an earlier version now.
Comment 7 Joonas Niilola gentoo-dev 2022-11-04 08:45:16 UTC
(In reply to tt_1 from comment #5)
> Why is this fix not yet upstreamed? The CVE lists <=nss-3.81 as vulnerable,
> so that should be fixed in a more recent version than 3.81, shouldn't it?

Beats me :) I guess they're still waiting on the patch contribution through Phabricator. Or that the CVE is misunderstood / not realized by upstream. The milestone was an attempt, then I imagine the bug was forgotten / left to wait for feedback from the original author.

But yes, at least we have it covered in Gentoo now.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:11:57 UTC
GLSA request filed