Bug 1174492 - (CVE-2014-1569) CVE-2014-1569 nss: QuickDER decoder length issue
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20141201,reported=2...
Keywords: Security
Depends On: 1174493
Blocks: 1174495
Reported: 2014-12-15 18:34 EST by Murray McAllister
Modified: 2015-08-19 04:38 EDT
Fixed In Version: nss 3.17.3
Doc Type: Bug Fix
Last Closed: 2015-07-25 08:51:20 EDT

Description Murray McAllister 2014-12-15 18:34:27 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-1569 to
the following vulnerability:

Name: CVE-2014-1569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1569
Assigned: 20140116
Reference: http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf
Reference: https://www.imperialviolet.org/2014/09/26/pkcs1.html
Reference: https://www.reddit.com/r/netsec/comments/2hd1m8/rsa_signature_forgery_in_nss/cksnr02
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
Reference: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes

The definite_length_decoder function in lib/util/quickder.c in Mozilla
Network Security Services (NSS) before 3.16.2.4 and 3.17.x before
3.17.3 does not ensure that the DER encoding of an ASN.1 length is
properly formed, which allows remote attackers to conduct
data-smuggling attacks by using a long byte sequence for an encoding,
as demonstrated by the SEC_QuickDERDecodeItem function's improper
handling of an arbitrary-length encoding of 0x00.

We believe the CVE-2014-1568 issue is required to trigger this bug, and that issue has already been resolved in Red Hat Enterprise Linux:

https://access.redhat.com/security/cve/CVE-2014-1568
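
Added example (not part of the bug report and not NSS code): a strict definite-length reader that performs the check the CVE description says was missing, accepting a length only in its single minimal DER encoding. The function name, the 32-bit cap on lengths and the sample byte strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample length fields (not taken from the bug report). */
const uint8_t ZERO_SHORT[]  = {0x00};                         /* DER form of length 0 */
const uint8_t ZERO_PADDED[] = {0x84, 0x00, 0x00, 0x00, 0x00}; /* length 0 in four octets */
const uint8_t LONG_127[]    = {0x81, 0x7f};                   /* value fits the short form */
const uint8_t LEAD_ZERO[]   = {0x82, 0x00, 0x80};             /* 128 with a padding octet */
const uint8_t OK_128[]      = {0x81, 0x80};
const uint8_t OK_256[]      = {0x82, 0x01, 0x00};
const uint8_t INDEFINITE[]  = {0x80};                         /* BER only, never DER */
const uint8_t TRUNCATED[]   = {0x82, 0x01};                   /* second length octet missing */

/* Hypothetical helper: returns the content length, or -1 unless the field is
 * the one minimal DER encoding. On success *used = octets in the length field. */
int64_t der_strict_length(const uint8_t *p, size_t avail, size_t *used)
{
    if (avail == 0) return -1;
    if (p[0] < 0x80) {                 /* short form: 0..127 in one octet */
        *used = 1;
        return p[0];
    }
    size_t n = p[0] & 0x7f;            /* long form: n length octets follow */
    if (n == 0) return -1;             /* 0x80 = indefinite length, not DER */
    if (n > 4) return -1;              /* assumption: cap lengths at 32 bits */
    if (avail - 1 < n) return -1;      /* length field itself is truncated */
    if (p[1] == 0x00) return -1;       /* leading zero octet: not minimal */
    int64_t len = 0;
    for (size_t i = 0; i < n; i++)
        len = (len << 8) | p[1 + i];
    if (len < 0x80) return -1;         /* short form was mandatory here */
    *used = 1 + n;
    return len;
}

int main(void)
{
    size_t used = 0;
    printf("short zero  -> %lld\n", (long long)der_strict_length(ZERO_SHORT, sizeof ZERO_SHORT, &used));
    printf("padded zero -> %lld\n", (long long)der_strict_length(ZERO_PADDED, sizeof ZERO_PADDED, &used));
    printf("82 01 00    -> %lld\n", (long long)der_strict_length(OK_256, sizeof OK_256, &used));
    return 0;
}
```

A caller would still compare the returned length against the bytes remaining after the length field before reading the content.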
Comment 1 Murray McAllister 2014-12-15 18:34:57 EST
Created nss tracking bugs for this issue:

Affects: fedora-all [bug 1174493]
Comment 5 David Sirrine 2015-05-12 16:01:09 EDT
As RHEL seems to have rebased to nss 3.18.0, are they still vulnerable to this CVE? Given the text of the advisory from Mozilla, it appears as though it only affects 3.17.x before 3.17.3. Thanks in advance.
Comment 6 Fabio Olive Leite 2015-05-12 16:13:14 EDT
Changing needinfo from s-r-t@ to Huzaifa. He should be able to answer that.
Comment 7 Simon Atwater 2015-06-29 16:03:58 EDT
I am also interested in the answer to David Sirrine's question. Has Huzaifa weighed in?
Comment 8 Huzaifa S. Sidhpurwala 2015-07-25 08:51:20 EDT
This issue was fixed in upstream nss-3.17.3 as described in the release notes at:

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes

Consequently nss packages shipped with Red Hat Enterprise Linux 5, 6 and 7 were rebased to 3.18.0 via the following advisories.

Red Hat Enterprise Linux 5:
https://rhn.redhat.com/errata/RHBA-2015-0925.html

Red Hat Enterprise Linux 6:
https://rhn.redhat.com/errata/RHBA-2015-0926.html

Red Hat Enterprise Linux 7:
https://rhn.redhat.com/errata/RHBA-2015-0965.html

This particular rebase fixed this security flaw.
Comment 9 Huzaifa S. Sidhpurwala 2015-07-25 08:55:06 EDT
Statement:

(none)
