Bug 748379 (CVE-2011-3640) - CVE-2011-3640 nss: /pkcs11.txt and /secmod.db files read on initialization
Summary: CVE-2011-3640 nss: /pkcs11.txt and /secmod.db files read on initialization
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2011-3640
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 748385 748524 877413
Blocks: 748381
Reported: 2011-10-24 10:22 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-29 16:35:28 UTC
Embargoed:



Description Jan Lieskovsky 2011-10-24 10:22:33 UTC
A security flaw was found in the way nss, the Network Security Services (NSS) set of libraries, performed its initialization (the file path for the "pkcs11.txt" configuration file was constructed incorrectly). When that configuration file was loaded from a remote WebDAV or Samba CIFS share, it could lead to an arbitrary security module load, potentially leading to execution of arbitrary code (execution of code from an untrusted security module).

Upstream bug report:
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=641052

Other references:
[2] https://secunia.com/advisories/46557/
[3] https://bugs.gentoo.org/show_bug.cgi?id=388045
[4] http://code.google.com/p/chromium/issues/detail?id=97426#c8

Comment 1 Jan Lieskovsky 2011-10-24 10:31:23 UTC
This issue did NOT affect the versions of the nss package, as shipped with Red Hat Enterprise Linux 4 and 5.


This issue affects the version of the nss package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the nss package, as shipped with Fedora releases 14 and 15. Please schedule an update.

Comment 2 Jan Lieskovsky 2011-10-24 10:32:37 UTC
Created nss tracking bugs for this issue

Affects: fedora-all [bug 748385]

Comment 3 Jan Lieskovsky 2011-10-24 10:33:29 UTC
CVE Request:
[5] http://www.openwall.com/lists/oss-security/2011/10/24/4

Comment 4 Jan Lieskovsky 2011-10-25 15:41:30 UTC
The CVE identifier of CVE-2011-3640 has been assigned to this issue:
http://www.openwall.com/lists/oss-security/2011/10/25/1

Comment 5 Vincent Danen 2011-10-28 16:03:17 UTC
Note that upstream seems to dispute this as per:


Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3640 to
the following vulnerability:

Name: CVE-2011-3640
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3640
Assigned: 20110921
Reference: http://blog.acrossecurity.com/2011/10/google-chrome-pkcs11txt-file-planting.html
Reference: http://code.google.com/p/chromium/issues/detail?id=97426
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=641052

** DISPUTED ** Untrusted search path vulnerability in Mozilla Network
Security Services (NSS), as used in Google Chrome before 17 on Windows
and Mac OS X, might allow local users to gain privileges via a Trojan
horse pkcs11.txt file in a top-level directory.  NOTE: the vendor's
response was "Strange behavior, but we're not treating this as a
security bug."

Comment 10 Jan Lieskovsky 2011-11-25 10:34:49 UTC
The core problem of this flaw was that the nss package tried to open certain configuration files from the root directory "/". On operating systems where unprivileged users are allowed to change the content of the "/" directory, this could lead to nss executing code from an untrusted security module.

Since the Linux operating system does not allow unprivileged users to modify the content of the root directory, it is not a security issue on this platform.
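The description above and comment 10 together give the mechanism: NSS built the path to pkcs11.txt and secmod.db from an empty configuration directory, so it read them from "/", and a planted pkcs11.txt there names a library that NSS loads as a security module. The following Python is an added example written for this page, not code from NSS, Mozilla or Red Hat. It models the path construction (an assumed simplification; the real NSS code is not reproduced), parses the pkcs11.txt block layout to list which shared objects such a file would make NSS load, and decides from ownership and mode bits whether a non-root user could plant a file in a given directory, which is exactly the property that makes Linux unaffected per comment 10 and Windows/Mac OS X affected per the MITRE text. The sample pkcs11.txt and its /Users/attacker path are constructed.

```python
"""Audit helpers for the pkcs11.txt / secmod.db planting issue.

Added example, not NSS, Mozilla or Red Hat code.  It models the bug in
three pieces: the path construction that lands in "/" when the config
directory is empty (an assumed simplification of what NSS did), a parser
for pkcs11.txt's key=value module blocks that reports which shared
libraries the file would cause NSS to load, and a directory check for
whether a non-root user could plant such a file there.
"""
import os
import stat
from typing import Dict, List

# Files NSS reads from its configuration directory on initialization.
CONFIG_FILES = ("pkcs11.txt", "secmod.db")

# Constructed sample in the pkcs11.txt layout: blank-line separated
# key=value blocks, one per module.  The second block is what a planted
# file would carry; the .so path is hypothetical.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/Users/attacker/planted-module.so
name=Planted Module
NSS=trustOrder=70
"""


def naive_config_paths(configdir: str) -> List[str]:
    """Concatenation-style join (assumed simplification of the flawed code).

    With configdir == "" every file resolves under the filesystem root,
    e.g. "/pkcs11.txt", instead of under a per-user or per-application
    directory.
    """
    return [f"{configdir}/{name}" for name in CONFIG_FILES]


def parse_pkcs11_txt(text: str) -> List[Dict[str, str]]:
    """Split pkcs11.txt into one dict per module block.

    Only the first '=' separates key from value, because 'parameters='
    and 'NSS=' values contain further '=' characters.
    """
    modules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                modules.append(current)
                current = {}
            continue
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        current[key.strip()] = value.strip()
    if current:
        modules.append(current)
    return modules


def external_libraries(text: str) -> List[str]:
    """Shared objects the file would make NSS load as PKCS #11 modules.

    An empty 'library=' denotes the built-in softoken; any other value is
    a library path NSS would load, which is where a planted config turns
    into code execution in the process that initialised NSS.
    """
    return [m["library"] for m in parse_pkcs11_txt(text) if m.get("library")]


def plantable_from_stat(owner_uid: int, mode: int) -> bool:
    """Could a non-root user create a file in a directory with this owner/mode?

    Decided from ownership and permission bits rather than os.access(), so
    the verdict is the same whether the check runs as root or not.  A
    non-root owner or any group/other write bit counts (conservatively);
    the sticky bit is not a defence here, since it only restricts removing
    other users' files, not creating new ones (think /tmp).
    """
    if owner_uid != 0:
        return True
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def plantable_by_unprivileged(directory: str) -> bool:
    """Apply plantable_from_stat() to a real directory on this host."""
    st = os.stat(directory)
    return plantable_from_stat(st.st_uid, st.st_mode)


if __name__ == "__main__":
    for path in naive_config_paths(""):
        parent = os.path.dirname(path)  # "/" for the flawed empty configdir
        verdict = "plantable" if plantable_by_unprivileged(parent) else "root-only"
        print(f"{path}: parent {parent!r} is {verdict} on this host")
    print("libraries a planted file would load:", external_libraries(SAMPLE_PKCS11_TXT))
```

Run as a script it reports whether "/" on the current host could be written by a non-root user, which is the question comment 10 answers for Linux (root-owned, mode 0755, so there is nothing to plant); on a host where that check says "plantable", the external_libraries() output is the list of modules an attacker-controlled pkcs11.txt would pull into every NSS-initialising process.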

Comment 13 Tomas Hoger 2011-12-29 16:35:28 UTC
(In reply to comment #10)
> Since Linux operating system does not allow an unprivileged users to modify
> content of the root directory, it is not a security issue on this platform.

Even though this is not a security issue on Linux, this problem was corrected as a non-security bug in the nss update released in Red Hat Enterprise Linux 6.2:

https://rhn.redhat.com/errata/RHBA-2011-1584.html

