Bug 1774831 (CVE-2019-11745) - CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate
Summary: CVE-2019-11745 nss: Out-of-bounds write when passing an output buffer smaller...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1775913 1775909 1775910 1775911 1775912 1781446
Blocks: 1774832
TreeView+ depends on / blocked
 
Reported: 2019-11-21 04:54 UTC by Huzaifa S. Sidhpurwala
Modified: 2020-01-13 10:41 UTC (History)
16 users (show)

Fixed In Version: nss 3.44.3, nss 3.47.1
Doc Type: If docs needed, set a value
Doc Text:
A heap-based buffer overflow was found in the NSC_EncryptUpdate() function in Mozilla nss. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss). While the attack complexity is high, the impact to confidentiality, integrity, and availability are high as well.
Clone Of:
Environment:
Last Closed: 2019-12-09 19:24:01 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:4203 None None None 2019-12-11 00:55:33 UTC
Red Hat Product Errata RHBA-2019:4214 None None None 2019-12-11 15:28:07 UTC
Red Hat Product Errata RHBA-2019:4218 None None None 2019-12-11 19:50:44 UTC
Red Hat Product Errata RHBA-2019:4219 None None None 2019-12-11 19:36:59 UTC
Red Hat Product Errata RHBA-2019:4220 None None None 2019-12-11 19:55:43 UTC
Red Hat Product Errata RHBA-2019:4221 None None None 2019-12-11 21:12:40 UTC
Red Hat Product Errata RHBA-2019:4223 None None None 2019-12-11 21:36:35 UTC
Red Hat Product Errata RHBA-2019:4226 None None None 2019-12-12 08:36:16 UTC
Red Hat Product Errata RHBA-2019:4227 None None None 2019-12-12 08:26:47 UTC
Red Hat Product Errata RHBA-2019:4228 None None None 2019-12-12 08:33:53 UTC
Red Hat Product Errata RHBA-2019:4235 None None None 2019-12-13 07:07:57 UTC
Red Hat Product Errata RHBA-2019:4241 None None None 2019-12-16 13:03:25 UTC
Red Hat Product Errata RHBA-2019:4257 None None None 2019-12-17 09:24:38 UTC
Red Hat Product Errata RHBA-2019:4306 None None None 2019-12-18 11:40:30 UTC
Red Hat Product Errata RHBA-2019:4307 None None None 2019-12-18 11:41:59 UTC
Red Hat Product Errata RHBA-2019:4308 None None None 2019-12-18 11:44:14 UTC
Red Hat Product Errata RHBA-2019:4309 None None None 2019-12-18 11:44:52 UTC
Red Hat Product Errata RHBA-2019:4310 None None None 2019-12-18 11:49:55 UTC
Red Hat Product Errata RHBA-2019:4311 None None None 2019-12-18 11:48:51 UTC
Red Hat Product Errata RHBA-2019:4312 None None None 2019-12-18 11:48:54 UTC
Red Hat Product Errata RHBA-2019:4313 None None None 2019-12-18 11:47:30 UTC
Red Hat Product Errata RHBA-2019:4314 None None None 2019-12-18 13:13:19 UTC
Red Hat Product Errata RHBA-2019:4315 None None None 2019-12-18 14:05:41 UTC
Red Hat Product Errata RHBA-2019:4318 None None None 2019-12-20 17:24:41 UTC
Red Hat Product Errata RHBA-2019:4322 None None None 2019-12-19 13:07:48 UTC
Red Hat Product Errata RHBA-2019:4323 None None None 2019-12-19 13:41:19 UTC
Red Hat Product Errata RHBA-2019:4324 None None None 2019-12-19 13:07:42 UTC
Red Hat Product Errata RHBA-2019:4332 None None None 2019-12-19 15:16:35 UTC
Red Hat Product Errata RHBA-2020:0001 None None None 2020-01-02 07:19:44 UTC
Red Hat Product Errata RHBA-2020:0021 None None None 2020-01-03 07:21:24 UTC
Red Hat Product Errata RHBA-2020:0034 None None None 2020-01-07 05:44:04 UTC
Red Hat Product Errata RHBA-2020:0035 None None None 2020-01-07 05:42:05 UTC
Red Hat Product Errata RHBA-2020:0039 None None None 2020-01-07 12:51:28 UTC
Red Hat Product Errata RHBA-2020:0040 None None None 2020-01-07 12:53:28 UTC
Red Hat Product Errata RHBA-2020:0044 None None None 2020-01-07 13:21:54 UTC
Red Hat Product Errata RHBA-2020:0052 None None None 2020-01-08 06:32:16 UTC
Red Hat Product Errata RHBA-2020:0075 None None None 2020-01-13 07:40:44 UTC
Red Hat Product Errata RHBA-2020:0080 None None None 2020-01-13 10:41:03 UTC
Red Hat Product Errata RHSA-2019:4114 None None None 2019-12-09 13:34:52 UTC
Red Hat Product Errata RHSA-2019:4152 None None None 2019-12-10 12:15:51 UTC
Red Hat Product Errata RHSA-2019:4190 None None None 2019-12-10 16:21:23 UTC

Description Huzaifa S. Sidhpurwala 2019-11-21 04:54:57 UTC
A heap-based buffer overflow was found in the NSC_EncryptUpdate() function. A remote attacker could trigger this flaw via SRTP encrypt or decrypt operations, to execute arbitrary code with the permissions of the user running the application (compiled with nss)

Comment 1 Huzaifa S. Sidhpurwala 2019-11-21 04:55:01 UTC
Acknowledgments:

Name: the Mozilla Project

Comment 2 Huzaifa S. Sidhpurwala 2019-11-23 15:02:45 UTC
Upstream bug: (currently non-public) https://bugzilla.mozilla.org/show_bug.cgi?id=1586176
Upstream patch: https://hg.mozilla.org/releases/mozilla-esr68/rev/ea1bc0fb2dda

Comment 4 Huzaifa S. Sidhpurwala 2019-11-23 15:04:11 UTC
This issue is fixed in Fedora by rebasing to 3.47.1 via the following updates:
http://koji.fedoraproject.org/packages/nss/3.47.1/1.fc30
http://koji.fedoraproject.org/packages/nss/3.47.1/1.fc31

Comment 9 Doran Moppert 2019-12-05 10:55:04 UTC
Statement:

Firefox and Thunderbird on Red Hat Enterprise Linux are built against the system nss library.

Comment 10 errata-xmlrpc 2019-12-09 13:34:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4114 https://access.redhat.com/errata/RHSA-2019:4114

Comment 11 Product Security DevOps Team 2019-12-09 19:24:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11745

Comment 13 errata-xmlrpc 2019-12-10 12:15:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:4152 https://access.redhat.com/errata/RHSA-2019:4152

Comment 14 errata-xmlrpc 2019-12-10 16:21:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:4190 https://access.redhat.com/errata/RHSA-2019:4190


Note You need to log in before you can comment on or make changes to this bug.