Bug 1774831 (CVE-2019-11745) - CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate
Summary: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1775909 1775910 1775911 1775912 1775913 1781446 1795918 1804373 1804374 1804375 1862440
Blocks: 1774832
TreeView+ depends on / blocked
 
Reported: 2019-11-21 04:54 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-16 21:02 UTC (History)
16 users (show)

Fixed In Version: nss 3.44.3, nss 3.47.1
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well.
Clone Of:
Environment:
Last Closed: 2019-12-09 19:24:01 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:4203 0 None None None 2019-12-11 00:55:33 UTC
Red Hat Product Errata RHBA-2019:4214 0 None None None 2019-12-11 15:28:07 UTC
Red Hat Product Errata RHBA-2019:4218 0 None None None 2019-12-11 19:50:44 UTC
Red Hat Product Errata RHBA-2019:4219 0 None None None 2019-12-11 19:36:59 UTC
Red Hat Product Errata RHBA-2019:4220 0 None None None 2019-12-11 19:55:43 UTC
Red Hat Product Errata RHBA-2019:4221 0 None None None 2019-12-11 21:12:40 UTC
Red Hat Product Errata RHBA-2019:4223 0 None None None 2019-12-11 21:36:35 UTC
Red Hat Product Errata RHBA-2019:4226 0 None None None 2019-12-12 08:36:16 UTC
Red Hat Product Errata RHBA-2019:4227 0 None None None 2019-12-12 08:26:47 UTC
Red Hat Product Errata RHBA-2019:4228 0 None None None 2019-12-12 08:33:53 UTC
Red Hat Product Errata RHBA-2019:4235 0 None None None 2019-12-13 07:07:57 UTC
Red Hat Product Errata RHBA-2019:4241 0 None None None 2019-12-16 13:03:25 UTC
Red Hat Product Errata RHBA-2019:4257 0 None None None 2019-12-17 09:24:38 UTC
Red Hat Product Errata RHBA-2019:4306 0 None None None 2019-12-18 11:40:30 UTC
Red Hat Product Errata RHBA-2019:4307 0 None None None 2019-12-18 11:41:59 UTC
Red Hat Product Errata RHBA-2019:4308 0 None None None 2019-12-18 11:44:14 UTC
Red Hat Product Errata RHBA-2019:4309 0 None None None 2019-12-18 11:44:52 UTC
Red Hat Product Errata RHBA-2019:4310 0 None None None 2019-12-18 11:49:55 UTC
Red Hat Product Errata RHBA-2019:4311 0 None None None 2019-12-18 11:48:51 UTC
Red Hat Product Errata RHBA-2019:4312 0 None None None 2019-12-18 11:48:54 UTC
Red Hat Product Errata RHBA-2019:4313 0 None None None 2019-12-18 11:47:30 UTC
Red Hat Product Errata RHBA-2019:4314 0 None None None 2019-12-18 13:13:19 UTC
Red Hat Product Errata RHBA-2019:4315 0 None None None 2019-12-18 14:05:41 UTC
Red Hat Product Errata RHBA-2019:4318 0 None None None 2019-12-20 17:24:41 UTC
Red Hat Product Errata RHBA-2019:4322 0 None None None 2019-12-19 13:07:48 UTC
Red Hat Product Errata RHBA-2019:4323 0 None None None 2019-12-19 13:41:19 UTC
Red Hat Product Errata RHBA-2019:4324 0 None None None 2019-12-19 13:07:42 UTC
Red Hat Product Errata RHBA-2019:4332 0 None None None 2019-12-19 15:16:35 UTC
Red Hat Product Errata RHBA-2020:0001 0 None None None 2020-01-02 07:19:44 UTC
Red Hat Product Errata RHBA-2020:0021 0 None None None 2020-01-03 07:21:24 UTC
Red Hat Product Errata RHBA-2020:0034 0 None None None 2020-01-07 05:44:04 UTC
Red Hat Product Errata RHBA-2020:0035 0 None None None 2020-01-07 05:42:05 UTC
Red Hat Product Errata RHBA-2020:0039 0 None None None 2020-01-07 12:51:28 UTC
Red Hat Product Errata RHBA-2020:0040 0 None None None 2020-01-07 12:53:28 UTC
Red Hat Product Errata RHBA-2020:0044 0 None None None 2020-01-07 13:21:54 UTC
Red Hat Product Errata RHBA-2020:0052 0 None None None 2020-01-08 06:32:16 UTC
Red Hat Product Errata RHBA-2020:0075 0 None None None 2020-01-13 07:40:44 UTC
Red Hat Product Errata RHBA-2020:0080 0 None None None 2020-01-13 10:41:03 UTC
Red Hat Product Errata RHBA-2020:0211 0 None None None 2020-01-23 12:58:10 UTC
Red Hat Product Errata RHSA-2019:4114 0 None None None 2019-12-09 13:34:52 UTC
Red Hat Product Errata RHSA-2019:4152 0 None None None 2019-12-10 12:15:51 UTC
Red Hat Product Errata RHSA-2019:4190 0 None None None 2019-12-10 16:21:23 UTC
Red Hat Product Errata RHSA-2020:0243 0 None None None 2020-01-27 15:09:03 UTC
Red Hat Product Errata RHSA-2020:0466 0 None None None 2020-02-11 08:33:24 UTC
Red Hat Product Errata RHSA-2020:1267 0 None None None 2020-04-01 08:33:43 UTC
Red Hat Product Errata RHSA-2020:1345 0 None None None 2020-04-07 09:33:12 UTC
Red Hat Product Errata RHSA-2020:1461 0 None None None 2020-04-14 17:39:42 UTC

Description Huzaifa S. Sidhpurwala 2019-11-21 04:54:57 UTC
A heap-based buffer overflow was found in the NSC_EncryptUpdate() function. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss)

Comment 1 Huzaifa S. Sidhpurwala 2019-11-21 04:55:01 UTC
Acknowledgments:

Name: the Mozilla Project

Comment 2 Huzaifa S. Sidhpurwala 2019-11-23 15:02:45 UTC
Upstream bug: (currently non-public) https://bugzilla.mozilla.org/show_bug.cgi?id=1586176
Upstream patch: https://hg.mozilla.org/releases/mozilla-esr68/rev/ea1bc0fb2dda

Comment 4 Huzaifa S. Sidhpurwala 2019-11-23 15:04:11 UTC
This issue is fixed in Fedora by rebasing to 3.47.1 via the following updates:
http://koji.fedoraproject.org/packages/nss/3.47.1/1.fc30
http://koji.fedoraproject.org/packages/nss/3.47.1/1.fc31

Comment 9 Doran Moppert 2019-12-05 10:55:04 UTC
Statement:

Firefox and Thunderbird on Red Hat Enterprise Linux are built against the system nss library.

Comment 10 errata-xmlrpc 2019-12-09 13:34:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4114 https://access.redhat.com/errata/RHSA-2019:4114

Comment 11 Product Security DevOps Team 2019-12-09 19:24:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11745

Comment 13 errata-xmlrpc 2019-12-10 12:15:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:4152 https://access.redhat.com/errata/RHSA-2019:4152

Comment 14 errata-xmlrpc 2019-12-10 16:21:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:4190 https://access.redhat.com/errata/RHSA-2019:4190

Comment 23 errata-xmlrpc 2020-01-27 15:09:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0243 https://access.redhat.com/errata/RHSA-2020:0243

Comment 26 errata-xmlrpc 2020-02-11 08:33:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2020:0466 https://access.redhat.com/errata/RHSA-2020:0466

Comment 36 errata-xmlrpc 2020-04-01 08:33:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2020:1267 https://access.redhat.com/errata/RHSA-2020:1267

Comment 37 errata-xmlrpc 2020-04-07 09:33:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2020:1345 https://access.redhat.com/errata/RHSA-2020:1345

Comment 38 errata-xmlrpc 2020-04-14 17:39:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1461 https://access.redhat.com/errata/RHSA-2020:1461


Note You need to log in before you can comment on or make changes to this bug.