Bug 1031457 (CVE-2013-5606)

Summary: CVE-2013-5606 nss: CERT_VerifyCert returns SECSuccess (saying certificate is good) even for bad certificates (MFSA 2013-103)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: barry.gestwicki.ctr, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nss 3.15.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-20 10:42:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1031463, 1031897, 1032466, 1032468, 1032470, 1032472    
Bug Blocks: 1030811    

Description Huzaifa S. Sidhpurwala 2013-11-18 03:06:13 UTC 
Mozilla developer Camilo Viecco discovered that if the verifylog feature was used when validating certificates then certificates with incompatible key usage constraints were not rejected. This did not directly affect Firefox but might affect other software using the NSS library

Upstream bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=910438

Upstream patch:
http://hg.mozilla.org/projects/nss/rev/d29898e0981c

Release notes:
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes

External Reference:

http://www.mozilla.org/security/announce/2013/mfsa2013-103.html


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Camilo Viecco as the original reporter of this issue.
Comment 2 Huzaifa S. Sidhpurwala 2013-11-19 05:32:28 UTC 
Created nss tracking bugs for this issue:

Affects: fedora-all [bug 1031897]
Comment 5 errata-xmlrpc 2013-12-05 16:17:07 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1791 https://rhn.redhat.com/errata/RHSA-2013-1791.html
Comment 6 errata-xmlrpc 2013-12-12 19:03:51 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1829 https://rhn.redhat.com/errata/RHSA-2013-1829.html
Comment 7 errata-xmlrpc 2014-01-21 17:03:42 UTC 
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2014:0041 https://rhn.redhat.com/errata/RHSA-2014-0041.html