Bug 1311126 - (CVE-2016-1951) CVE-2016-1951 nspr: Memory allocation issue related to PR_*printf functions
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160531,repor...
Keywords: Security
Blocks: 1311127
Reported: 2016-02-23 07:56 EST by Adam Mariš
Modified: 2017-01-17 17:12 EST (History)
Fixed In Version: nspr 4.12
Doc Type: Bug Fix
Description Adam Mariš 2016-02-23 07:56:55 EST
It was reported that an unspecified memory allocation bug related to PR_*printf functions was fixed in nspr 4.12.

External Reference:

https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/dV4MyMsg6jw
Comment 1 Huzaifa S. Sidhpurwala 2016-03-14 01:17:55 EDT
Upstream bug report:

https://bugzilla.mozilla.org/show_bug.cgi?id=1174015

Upstream commit:

https://hg.mozilla.org/projects/nspr/rev/96381e3aaae2
Comment 2 Huzaifa S. Sidhpurwala 2016-06-10 01:23:11 EDT
This issue was fixed in nspr-4.12.

Fedora 22 and Fedora 23 currently ship nspr-4.12 and therefore are not affected by this flaw.
Comment 4 Martin Prpič 2016-08-29 07:56:23 EDT
This issue will be fixed in the next nspr rebase in minor versions of RHEL 6 and 7.
Comment 5 Huzaifa S. Sidhpurwala 2016-10-21 04:50:05 EDT
Analysis:

There is an integer overflow followed by a heap-buffer overflow in the functions PR_vsmprintf() and PR_vsprintf_append(). Both of these functions internally use GrowStuff(), which uses 32-bit integers to calculate string sizes, which results in overflow at different places depending on 32-bit or 64-bit architecture.

Applications compiled against the NSS library in which very large untrusted strings are passed to the above functions are vulnerable to this flaw.
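As an added illustration of the size-arithmetic problem described in comment 5 (this is not NSPR's code and not the upstream fix): a hypothetical append helper with 32-bit length and capacity fields, showing the unchecked computation that silently wraps beside a checked variant that rejects the append before anything is allocated or copied.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string with 32-bit length/capacity fields, modelled on the
 * size-calculation pattern described in comment 5. Not NSPR's own code. */
typedef struct { char *buf; uint32_t len; uint32_t cap; } strbuf;

/* Unchecked size computation: cur + add + NUL silently wraps for large inputs. */
static uint32_t naive_needed32(uint32_t cur, uint32_t add) {
    return cur + add + 1;
}

/* Checked version: refuses any total that does not fit in 32 bits (out may be NULL). */
static bool checked_needed32(uint32_t cur, uint32_t add, uint32_t *out) {
    if (cur == UINT32_MAX || add > UINT32_MAX - 1 - cur) return false;
    if (out) *out = cur + add + 1;
    return true;
}

/* Append n bytes of src, growing the buffer; false on size overflow or OOM.
 * The overflow check runs before any allocation or copy. */
static bool strbuf_append(strbuf *sb, const char *src, uint32_t n) {
    uint32_t need, newcap;
    if (!checked_needed32(sb->len, n, &need)) return false;
    if (need > sb->cap) {
        newcap = sb->cap ? sb->cap : 64;
        while (newcap < need) newcap = (newcap > UINT32_MAX / 2) ? need : newcap * 2;
        char *p = realloc(sb->buf, newcap);
        if (!p) return false;
        sb->buf = p; sb->cap = newcap;
    }
    memcpy(sb->buf + sb->len, src, n);
    sb->len += n;
    sb->buf[sb->len] = '\0';
    return true;
}

/* Demo: two small appends succeed, an oversized one is rejected; returns 6, or -1 on failure. */
static int append_demo(void) {
    strbuf sb = {0};
    int rc = -1;
    if (strbuf_append(&sb, "abc", 3) && strbuf_append(&sb, "def", 3) &&
        !strbuf_append(&sb, "x", UINT32_MAX) && strcmp(sb.buf, "abcdef") == 0)
        rc = (int)sb.len;
    free(sb.buf);
    return rc;
}
```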
