about CVE-2024-6609 for nss 3.61 in Debian Bullseye
Arturo Borrero Gonzalez
Sep 25, 2024, 8:02:51 PM
to dev-tec...@mozilla.org
Hi there,
I'm interested in having a patch for CVE-2024-6609 available for the nss version we have in Debian Bullseye (nss 3.61).
We have a note [0] that mentions this:
=== 8< ===
To address CVE in older versions of src:nss what is needed is to add the error
handling code (confirmed by upstream):
https://searchfox.org/nss/rev/ba9330537e6e94971de8b9bc49460891b23afd4f/lib/freebl/ec.c#379-382
to the ec_NewKey function, in the cleanup section, after mp_clear and
before `if (rv)`.
=== 8< ===
I was hoping that you could provide this patch yourself, because I don't think just a copy/paste (like the note seems to suggest) would be enough.
Please let me know if you can help with this.
Thanks, regards.
[0] https://security-tracker.debian.org/tracker/CVE-2024-6609
John Schanck
Sep 30, 2024, 5:31:01 PM
to Arturo Borrero Gonzalez, dev-tec...@mozilla.org
Hi Arturo, the note is correct. Here's the patch:
diff --git lib/freebl/ec.c lib/freebl/ec.c
--- lib/freebl/ec.c
+++ lib/freebl/ec.c
@@ -297,6 +297,10 @@ done:
cleanup:
mp_clear(&k);
+ if (err < MP_OKAY) {
+ MP_TO_SEC_ERROR(err);
+ rv = SECFailure;
+ }
if (rv) {
PORT_FreeArena(arena, PR_TRUE);
}
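Review bot: the added `if (err < MP_OKAY)` test in the `cleanup:` section only works if `err` is declared in ec_NewKey and holds MP_OKAY on every path that reaches `cleanup:` without an MPI failure, and the hunk does not show that declaration. When applying this to 3.61, check that initialization in the function body, and confirm that nothing before `cleanup:` has already handed the caller a pointer into `arena`, since `PORT_FreeArena(arena, PR_TRUE)` now also runs on the MPI-error path. A one-line comment above the new block saying that an MPI error must be turned into `SECFailure` here would keep a later cleanup from removing it as redundant with `if (rv)`.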
Cheers,
John