When importing a curve25519 private key in PKCS#8 format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.
Name: the Mozilla project
Upstream: Henry Corrigan-Gibbs
Firefox on Red Hat Enterprise Linux is built against the system nss library.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:1951 https://access.redhat.com/errata/RHSA-2019:1951
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
This vulnerability is out of security support scope for the following product:
* Red Hat Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
The library nss-altfiles does not share any import and/or certificate code with nss.
* nss-altfiles only reads information from files in the same format as /etc/passwd and /etc/group