A security flaw was found in the way nss, the Network Security Services (NSS) set of libraries, performed its initialization (the file path for the "pkcs11.txt" configuration file was constructed incorrectly). When that configuration file was loaded from a remote WebDAV or Samba CIFS share, it could lead to an arbitrary security module load, potentially leading to execution of arbitrary code (execution of code from an untrusted security module).

Upstream bug report:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=641052

Other references:
[2] https://secunia.com/advisories/46557/
[3] https://bugs.gentoo.org/show_bug.cgi?id=388045
[4] http://code.google.com/p/chromium/issues/detail?id=97426#c8
This issue did NOT affect the versions of the nss package, as shipped with Red Hat Enterprise Linux 4 and 5. This issue affects the version of the nss package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the nss package, as shipped with Fedora releases 14 and 15. Please schedule an update.
Created nss tracking bugs for this issue.

Affects: fedora-all [bug 748385]
CVE Request: [5] http://www.openwall.com/lists/oss-security/2011/10/24/4
The CVE identifier of CVE-2011-3640 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2011/10/25/1
Note that upstream seems to dispute this as per:

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3640 to the following vulnerability:

Name: CVE-2011-3640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3640
Assigned: 20110921
Reference: http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html
Reference: http://code.google.com/p/chromium/issues/detail?id=97426
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=641052

** DISPUTED ** Untrusted search path vulnerability in Mozilla Network Security Services (NSS), as used in Google Chrome before 17 on Windows and Mac OS X, might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory. NOTE: the vendor's response was "Strange behavior, but we're not treating this as a security bug."
The core problem of this flaw was that the nss package tried to open certain configuration files from the root directory "/". On operating systems where unprivileged users are allowed to change the content of the "/" directory, this could lead to nss executing code from an untrusted security module. Since the Linux operating system does not allow unprivileged users to modify the content of the root directory, it is not a security issue on this platform.
(In reply to comment #10)
> Since the Linux operating system does not allow unprivileged users to modify
> the content of the root directory, it is not a security issue on this platform.

Even though this is not a security issue on Linux, this problem was corrected as a non-security bug in the nss update released in Red Hat Enterprise Linux 6.2:
https://rhn.redhat.com/errata/RHBA-2011-1584.html
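The risk described in comment #10 is that a pkcs11.txt picked up from an untrusted location can name an arbitrary module library for NSS to load. The following audit helper is an added example, not code from this bug or from the NSS project: it parses the block-style pkcs11.txt format (blank-line-separated key=value blocks, one per module) and flags any library= entry that is not the internal softoken, not a bare name resolved by the dynamic loader, and not an absolute path under an assumed set of trusted library directories. The sample file content and the trusted directory list are constructed assumptions.

```python
import os

# Constructed sample in the block-style pkcs11.txt format used by NSS
# (one key=value block per module, blocks separated by blank lines).
# Not taken from any real system.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical trustOrder=75

library=libnssckbi.so
name=Builtin Object Token
NSS=trustOrder=100

library=/tmp/unexpected-module.so
name=Unexpected Token
"""

# Assumed locations where a loadable PKCS#11 module is expected to live;
# adjust to the distribution's library paths.
TRUSTED_MODULE_DIRS = ("/usr/lib", "/usr/lib64", "/usr/local/lib")


def parse_pkcs11_txt(text):
    """Return one dict per module block, keyed by field name (library, name, NSS...)."""
    modules, block = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if block:
                modules.append(block)
                block = {}
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        block[key.strip()] = value.strip()
    if block:
        modules.append(block)
    return modules


def audit_modules(modules, trusted_dirs=TRUSTED_MODULE_DIRS):
    """Return (name, library) pairs whose library path is not trusted."""
    findings = []
    for mod in modules:
        lib = mod.get("library", "")
        if lib == "" or "/" not in lib:
            continue  # empty = internal softoken; bare name = loader search path
        if os.path.isabs(lib) and any(lib.startswith(d + "/") for d in trusted_dirs):
            continue
        findings.append((mod.get("name", "<unnamed>"), lib))
    return findings
```

Pointing `parse_pkcs11_txt` at the text of a pkcs11.txt found in a top-level or shared directory gives a quick answer to whether it would pull in a module from outside the system library paths.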