CVE-2022-3479 (https://bugzilla.redhat.com/show_bug.cgi?id=2134331): A vulnerability found in nss. By this security vulnerability, nss client auth crash without a user certificate in the database and this can lead us to a segmentation fault or crash.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=04b9c445ff45199ad6440a218d015bf58f02b72b commit 04b9c445ff45199ad6440a218d015bf58f02b72b Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2022-11-01 08:39:27 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2022-11-01 08:49:14 +0000 dev-libs/nss: add 3.79.2 Bug: https://bugs.gentoo.org/877169 Signed-off-by: Joonas Niilola <juippis@gentoo.org> dev-libs/nss/Manifest | 1 + .../nss/files/nss-3.79-fix-client-cert-crash.patch | 23 ++ dev-libs/nss/nss-3.79.2.ebuild | 391 +++++++++++++++++++++ 3 files changed, 415 insertions(+)
Thanks! Please stable when ready.
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=26b81b79032324ae209aac26bfafaed78a47ea18 commit 26b81b79032324ae209aac26bfafaed78a47ea18 Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2022-11-03 08:07:09 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2022-11-03 08:07:58 +0000 dev-libs/nss: drop 3.79.1 Bug: https://bugs.gentoo.org/877169 Signed-off-by: Joonas Niilola <juippis@gentoo.org> dev-libs/nss/Manifest | 1 - dev-libs/nss/nss-3.79.1.ebuild | 390 ----------------------------------------- 2 files changed, 391 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1aceed34097d9899e80a6567576304a208eb817 commit d1aceed34097d9899e80a6567576304a208eb817 Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2022-11-03 08:06:36 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2022-11-03 08:07:58 +0000 dev-libs/nss: include the fix-client-cert-crash.patch in 3.84 Bug: https://bugs.gentoo.org/877169 Signed-off-by: Joonas Niilola <juippis@gentoo.org> dev-libs/nss/{nss-3.84.ebuild => nss-3.84-r1.ebuild} | 1 + 1 file changed, 1 insertion(+)
Why is this fix not yet upstreamed? The CVE lists <=nss-3.81 as vulnerable, so that should be fixed in more recent version than 3.81, isn't it?
(In reply to tt_1 from comment #5) > Why is this fix not yet upstreamed? The CVE lists <=nss-3.81 as vulnerable, > so that should be fixed in more recent version than 3.81, isn't it? A patch is at URL. I suspect Mozilla will handle it eventually. Don't trust the versioning in CVEs. We've patched it downstream, so we're fixed on an earlier version now.
(In reply to tt_1 from comment #5) > Why is this fix not yet upstreamed? The CVE lists <=nss-3.81 as vulnerable, > so that should be fixed in more recent version than 3.81, isn't it? Beats me :) I guess they're still waiting on the patch contribution through Phabricator. Or that the CVE is misunderstood / not realized by upstream. The milestone was an attempt, then I imagine the bug was forgotten / left to wait feedback from the original author. But yes, at least we have it covered in Gentoo now.
GLSA request filed
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=300d0a6989f134e6228f91cb9ea405db485ee8f0 commit 300d0a6989f134e6228f91cb9ea405db485ee8f0 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2022-12-19 02:01:58 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2022-12-19 02:04:29 +0000 [ GLSA 202212-05 ] Mozilla Network Security Service (NSS): Multiple Vulnerabilities Bug: https://bugs.gentoo.org/827946 Bug: https://bugs.gentoo.org/836386 Bug: https://bugs.gentoo.org/848984 Bug: https://bugs.gentoo.org/877169 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202212-05.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+)
GLSA released, all done.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8487503498098091d880814aa69e29bfd8c86f16 commit 8487503498098091d880814aa69e29bfd8c86f16 Author: Joonas Niilola <juippis@gentoo.org> AuthorDate: 2023-01-06 08:35:06 +0000 Commit: Joonas Niilola <juippis@gentoo.org> CommitDate: 2023-01-06 08:35:06 +0000 dev-libs/nss: add 3.87 Bug: https://bugs.gentoo.org/877169 Signed-off-by: Joonas Niilola <juippis@gentoo.org> dev-libs/nss/Manifest | 1 + dev-libs/nss/nss-3.87.ebuild | 394 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 395 insertions(+)