Red Hat Bugzilla – Bug 1311126
CVE-2016-1951 nspr: Memory allocation issue related to PR_*printf functions
Last modified: 2017-01-17 17:12:35 EST
It was reported that an unspecified memory allocation bug related to PR_*printf functions was fixed in nspr 4.12.
Upstream bug report:
This issue was fixed in nspr-4.12
Fedora 22 and Fedora 23 currently ship nspr-4.12 and therefore are not affected by this flaw.
This issue will be fixed in the next nspr rebase in minor versions of RHEL 6 and 7.
There is an integer overflow followed by a heap-buffer overflow in the functions PR_vsmprintf() and PR_vsprintf_append(). Both of these functions internally use GrowStuff(), which uses 32-bit integers to calculate string sizes. This results in overflow at different places depending on whether the architecture is 32-bit or 64-bit.
Applications compiled against the NSS library in which very large untrusted strings are passed to the above functions are vulnerable to this flaw.
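The bug class described above, as an added example that is not part of the original report and is not NSPR's code: a size computed in 32 bits wraps to a small value, so the allocation is smaller than the data written into it, while a checked calculation rejects the request. The function names, the slack value of 32 and the sample lengths are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class; not NSPR's GrowStuff(). */

/* Unchecked: new buffer size computed in 32 bits, wraps modulo 2^32. */
static uint32_t grow_size_unchecked(uint32_t cur_len, uint32_t add_len,
                                    uint32_t slack)
{
    return cur_len + add_len + slack;
}

/* True when the wrapped size is smaller than the bytes about to be written,
 * i.e. the following copy would run past the end of the heap allocation. */
static bool alloc_too_small(uint32_t cur_len, uint32_t add_len, uint32_t slack)
{
    uint64_t needed = (uint64_t)cur_len + add_len;
    return grow_size_unchecked(cur_len, add_len, slack) < needed;
}

/* Checked: every addition is validated against max before it happens. */
static bool grow_size_checked(size_t cur_len, size_t add_len, size_t slack,
                              size_t max, size_t *out)
{
    if (cur_len > max || add_len > max - cur_len)
        return false;
    if (slack > max - (cur_len + add_len))
        return false;
    *out = cur_len + add_len + slack;
    return true;
}

int main(void)
{
    size_t n = 0;
    /* Constructed lengths: 0xFFFFFFF0 bytes buffered, 0x20 more to append. */
    printf("unchecked size: %u\n",
           (unsigned)grow_size_unchecked(0xFFFFFFF0u, 0x20u, 32u));
    printf("under-allocated: %d\n", alloc_too_small(0xFFFFFFF0u, 0x20u, 32u));
    printf("checked accepts: %d\n",
           grow_size_checked(0xFFFFFFF0u, 0x20u, 32u, UINT32_MAX, &n));
    return 0;
}
```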