Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 827946 (CVE-2021-43527, MFSA-2021-51) - <dev-libs/nss-{3.68.1, 3.73}: Heap overflow when verifying DSA/RSA-PSS DER-encoded signatures (CVE-2021-43527)
Summary: <dev-libs/nss-{3.68.1, 3.73}: Heap overflow when verifying DSA/RSA-PSS DER-en...
Status: IN_PROGRESS
Alias: CVE-2021-43527, MFSA-2021-51
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A1 [glsa? cleanup]
Keywords:
Depends on: 827951
Blocks:
  Show dependency tree
 
Reported: 2021-12-01 16:55 UTC by Sam James
Modified: 2021-12-31 11:00 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 16:55:53 UTC
From https://marc.info/?l=oss-security&m=163837712525728&w=2:

"NSS (Network Security Services) versions prior to 3.73 are vulnerable
to a heap overflow when handling DER-encoded DSA or RSA-PSS
signatures. Applications using NSS for handling signatures encoded
within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted.
Applications using NSS for certificate validation or other TLS, X.509,
OCSP or CRL functionality may be impacted, depending on how they
configure NSS.

This vulnerability does NOT impact Mozilla Firefox, Tor Browser or
Chromium. However, other applications that use NSS for signature
verification are likely to be impacted."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 16:56:21 UTC
"NSS 3.73 [1] and NSS ESR 3.68.1 [2] have been released and contain the
fix. A patch suitable for backporting is also attached (patch.diff)."
Comment 2 Hanno Böck gentoo-dev 2021-12-01 17:24:15 UTC
We should check which other packages may be affected by this.

According to the advisory this can affect thunderbird. The thunderbird-bin package ships its own libnss copy, so at least thunderbird-bin should be bumped as well.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 17:58:28 UTC
From MFSA-2021-51 (https://www.mozilla.org/en-US/security/advisories/mfsa2021-51/):
"Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted."