A security flaw was found in the way nss, the Network Security Services (NSS) set of libraries, performed their initialization (the file path for the "pkcs11.txt" configuration file was constructed incorrectly). When that configuration file was loaded from a remote WebDAV or Samba CIFS share, it could lead to an arbitrary security module being loaded, potentially leading to execution of arbitrary code (execution of code from an untrusted security module).
Upstream bug report:
This issue did NOT affect the versions of the nss package as shipped with Red Hat Enterprise Linux 4 and 5.
This issue affects the version of the nss package as shipped with Red Hat Enterprise Linux 6.
This issue affects the versions of the nss package as shipped with Fedora releases 14 and 15. Please schedule an update.
Created nss tracking bugs for this issue
Affects: fedora-all [bug 748385]
The CVE identifier of CVE-2011-3640 has been assigned to this issue:
Note that upstream seems to dispute this as per:
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3640 to the following vulnerability:
** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a
The core problem of this flaw was that the nss package tried to open certain configuration files from the root directory "/". On operating systems where unprivileged users are allowed to change the content of the "/" directory, this could lead to nss executing code from an untrusted security module.
Since the Linux operating system does not allow unprivileged users to modify the content of the root directory, it is not a security issue on this platform.
(In reply to comment #10)
> Since the Linux operating system does not allow unprivileged users to modify
> the content of the root directory, it is not a security issue on this platform.
Even though this is not a security issue on Linux, this problem was corrected as a non-security bug in the nss update released in Red Hat Enterprise Linux 6.2:
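As an added example (not code from NSS, Red Hat, or any comment in this bug), the following C program implements the criterion used in comment #10 above: a directory is only an acceptable source of pkcs11.txt if unprivileged users cannot create or replace files in it. The policy it applies is an assumption for illustration: the path must be absolute and canonicalised, the directory must be owned by root or by the process's effective uid, and it must not be group- or world-writable (so "/" on a normal Linux install passes, while "/tmp" fails despite its sticky bit). The function names are hypothetical.

```c
/* Added example (not NSS code): refuse to load pkcs11.txt from a directory
 * that unprivileged users can modify. Helper names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Policy on a directory's ownership and permission bits. trusted_uid is
 * the uid allowed to own the directory besides root (normally the
 * process's effective uid). Returns 1 if only root or that user can
 * create or replace files in it, else 0. */
int dir_trusted(mode_t mode, uid_t owner, uid_t trusted_uid)
{
    if (!S_ISDIR(mode))
        return 0;                 /* not a directory at all */
    if (owner != 0 && owner != trusted_uid)
        return 0;                 /* owned by some other user */
    if (mode & (S_IWGRP | S_IWOTH))
        return 0;                 /* group- or world-writable; the sticky bit
                                     (e.g. /tmp) does not stop anyone from
                                     creating a new pkcs11.txt there */
    return 1;
}

/* Canonicalise configdir and apply the policy to it. Relative paths are
 * rejected outright, since their meaning depends on the current working
 * directory. On success the canonical path is written to resolved
 * (at least PATH_MAX bytes). */
int config_dir_trusted(const char *configdir, char *resolved)
{
    struct stat st;

    if (configdir == NULL || configdir[0] != '/')
        return 0;
    if (realpath(configdir, resolved) == NULL)
        return 0;
    if (stat(resolved, &st) != 0)
        return 0;
    return dir_trusted(st.st_mode, st.st_uid, geteuid());
}

/* Build "<configdir>/pkcs11.txt" only after the directory passed the check.
 * Returns 1 and fills out on success, 0 if the directory is refused. */
int build_pkcs11_txt_path(const char *configdir, char *out, size_t outlen)
{
    char resolved[PATH_MAX];
    int n;

    if (!config_dir_trusted(configdir, resolved))
        return 0;
    /* avoid "//pkcs11.txt" when the directory is the filesystem root */
    n = snprintf(out, outlen, "%s%spkcs11.txt", resolved,
                 strcmp(resolved, "/") == 0 ? "" : "/");
    return n > 0 && (size_t)n < outlen;
}

int main(int argc, char **argv)
{
    /* default directory is only a plausible example location, not a claim
     * about where any particular NSS build keeps its configuration */
    const char *dir = argc > 1 ? argv[1] : "/etc/pki/nssdb";
    char path[PATH_MAX + 16];

    if (build_pkcs11_txt_path(dir, path, sizeof path))
        printf("would load %s\n", path);
    else
        printf("refusing to load pkcs11.txt from %s\n", dir);
    return 0;
}
```

Run it as `./a.out /tmp` and `./a.out /etc` to see the two outcomes. The stat-then-open sequence has a time-of-check/time-of-use window; a production loader would open the directory with O_DIRECTORY, fstat() that descriptor and then openat() the file relative to it, so the checked directory and the one read from are the same object. The check also looks only at the final directory, not at every parent component along the path.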