Bug 1260698

Summary: nss: SSL_ImplementedCiphers ABI incompatibility may lead to incorrect cipher suites
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Reporter: Florian Weimer <fweimer>
Assignee: Red Hat Product Security <security-response-team>
CC: slawomir
Doc Type: Bug Fix
Last Closed: 2019-06-08 02:43:27 UTC
Bug Blocks: 1260693

Description Florian Weimer 2015-09-07 13:16:04 UTC
It was discovered that the global SSL_ImplementedCiphers variable
increased its size as a result of nss package updates, an ABI
incompatibility.  Due to the way ELF dynamic linking works, if the main
program was linked against an older version of nss, then too little
space for the SSL_ImplementedCiphers variable is allocated, and its
contents are truncated.  As a result, applications using the
SSL_ImplementedCiphers variable may not enable the intended set of
TLS cipher suites.
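
Added example, not part of the original report or of NSS: a check for the condition described above. It assumes x86-64 ELF64 little-endian layouts, where an executable that references a library's data object reserves space for it through an R_X86_64_COPY relocation sized at link time. The function names, the byte tables, the sizes 100 and 140 and the symbol other_var are constructed for illustration.

```python
import struct

R_X86_64_COPY = 5  # x86-64 psABI relocation type for copy relocations

def dynsyms(dynsym: bytes, dynstr: bytes):
    """Decode Elf64_Sym entries (24 bytes each) into (name, st_size) pairs."""
    out = []
    for off in range(0, len(dynsym), 24):
        st_name, _info, _other, _shndx, _value, st_size = struct.unpack_from(
            "<IBBHQQ", dynsym, off)
        end = dynstr.index(b"\0", st_name)
        out.append((dynstr[st_name:end].decode(), st_size))
    return out

def copy_relocs(rela: bytes, syms):
    """Map symbol name -> bytes reserved in the executable, for COPY relocs only."""
    found = {}
    for off in range(0, len(rela), 24):  # Elf64_Rela: r_offset, r_info, r_addend
        _r_offset, r_info, _addend = struct.unpack_from("<QQq", rela, off)
        if r_info & 0xFFFFFFFF == R_X86_64_COPY:
            name, size = syms[r_info >> 32]  # high 32 bits index .dynsym
            found[name] = size
    return found

def truncated(exe_copies, lib_syms):
    """Symbols whose copy in the executable is smaller than the library's object."""
    lib = dict(lib_syms)
    return {n: (s, lib[n]) for n, s in exe_copies.items()
            if n in lib and s < lib[n]}

# --- Constructed sample tables (not taken from any real nss build) ---
def _sym(name_off, size):  # st_info 0x11 = STB_GLOBAL | STT_OBJECT
    return struct.pack("<IBBHQQ", name_off, 0x11, 0, 0, 0, size)

DYNSTR = b"\0SSL_ImplementedCiphers\0other_var\0"
EXE_DYNSYM = _sym(0, 0) + _sym(1, 100) + _sym(24, 8)   # sizes seen at link time
LIB_DYNSYM = _sym(0, 0) + _sym(1, 140) + _sym(24, 8)   # sizes in the updated library
EXE_RELA = (struct.pack("<QQq", 0x601000, (1 << 32) | R_X86_64_COPY, 0)
            + struct.pack("<QQq", 0x601080, (2 << 32) | R_X86_64_COPY, 0))

if __name__ == "__main__":
    copies = copy_relocs(EXE_RELA, dynsyms(EXE_DYNSYM, DYNSTR))
    for name, (have, need) in truncated(copies, dynsyms(LIB_DYNSYM, DYNSTR)).items():
        print(f"{name}: executable reserves {have} bytes, library object is {need}")
```

On real binaries the same sizes can be read from the `.dynsym` and `.rela.dyn` sections of the executable and of the installed library.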

Comment 5 Florian Weimer 2015-12-08 07:26:30 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #4)
> Florian,
> 
> Looking at:
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/sslfnc.html
> it seems that "Using the external array SSL_ImplementedCiphers[]
> directly is deprecated...."
> 
> Based on the above, I think this should be closed as NOTABUG

This was added *after* we made the ABI promise for RHEL 7. It was deprecated in response to this report; before, it was more or less a supported interface (lack of documentation for NSS as a whole makes such things difficult to determine, though).

Comment 6 Huzaifa S. Sidhpurwala 2016-06-17 04:39:24 UTC
I am going to defer this flaw to upstream. We will pull in the upstream fixes when they are committed. Closing this as wontfix for now, will re-open when required.