about CVE-2023-6125 in nss 3.42.1 in Debian Buster

36 views
Skip to first unread message

Arturo Borrero Gonzalez

unread,
Jun 24, 2024, 2:55:33 AMJun 24
to dev-tec...@mozilla.org, art...@debian.org
Hi there,

I am exploring how to fix CVE-2023-6125 in the nss package (version 3.42.1) in
Debian Buster.

There is a note from a Debian college saying that we should wait until you have
backported the fix to the 3.90 series, but scanning your releases did not
immediately showed to me where (if any) can I find a patch that I could cherry
pick for 3.42.1.

My college also tried to manually backport the published patches for nss Debian
version 3.42.1, find them here:

* part 1
https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2023-6135-part1.patch?ref_type=heads
* part 2
https://salsa.debian.org/lts-team/packages/nss/-/blob/debian/buster/debian/patches/CVE-2023-6135-part2.patch?ref_type=heads

But I would like to be cautious before shipping them, given how sensitive the
matter is.

Do you have any advice on how to move forward with this?

If the answer is 'forget about CVE-2023-6125 for such an older nss version',
then I guess that's also a valid answer. Maybe I could try to backport an nss
ESR version into older Debian versions, if you have any ESR version with
CVE-2023-6125 fixed.

thanks, regards.

Dana Keeler

unread,
Jun 24, 2024, 12:25:28 PMJun 24
to Arturo Borrero Gonzalez, dev-tec...@mozilla.org, art...@debian.org
To save others from potential confusion, the CVE in question is CVE-2023-6135, not 6125.

--
You received this message because you are subscribed to the Google Groups "dev-tec...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-cryp...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/92cbadfa-0a9e-4f13-a096-0c7b2fe70d62%40gmail.com.

Arturo Borrero Gonzalez

unread,
Jun 25, 2024, 6:43:25 AMJun 25
to Dana Keeler, dev-tec...@mozilla.org, art...@debian.org
On 6/24/24 18:25, Dana Keeler wrote:
> To save others from potential confusion, the CVE in question is CVE-2023-6135,
> not 6125.
>

Correct, there was a typo on my side.

John Schanck

unread,
Jun 27, 2024, 3:12:31 PMJun 27
to Arturo Borrero Gonzalez, Dana Keeler, dev-tec...@mozilla.org, art...@debian.org
Hi Arturo,

we don't plan on backporting any of the patches for CVE-2023-6135 to
the NSS 3.90 branch at this time. The patches you linked to are,
unfortunately, not sufficient to fix the issue. Short of copying the
entire lib/freebl/ecl directory from NSS 3.101 (along with its
dependencies in lib/freebl/verified, and the build system changes), I
don't see a straightforward way to fix the 3.90 branch, much less
3.42.

Best,
John
> --
> You received this message because you are subscribed to the Google Groups "dev-tec...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-tech-cryp...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/e5661ab0-e0f0-42da-9827-a394e4bdb633%40gmail.com.

Arturo Borrero Gonzalez

unread,
Jun 27, 2024, 3:58:37 PMJun 27
to John Schanck, Dana Keeler, dev-tec...@mozilla.org, art...@debian.org, to...@debian.org
On 6/27/24 21:12, John Schanck wrote:
> Hi Arturo,
>
> we don't plan on backporting any of the patches for CVE-2023-6135 to
> the NSS 3.90 branch at this time. The patches you linked to are,
> unfortunately, not sufficient to fix the issue. Short of copying the
> entire lib/freebl/ecl directory from NSS 3.101 (along with its
> dependencies in lib/freebl/verified, and the build system changes), I
> don't see a straightforward way to fix the 3.90 branch, much less
> 3.42.
>

Hi John,

this analysis you made is very valuable for us.

thanks for this information, really appreciated.

regards.

Reply all
Reply to author
Forward
0 new messages