info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Old CVEs
47 views
Skip to first unread message
Charles Robertson
Nov 7, 2019, 5:16:48 PM11/7/19
to dev-se...@lists.mozilla.org
Hi,
What is the status of the following CVEs on NSS? I've searched through all your MFSAs and did not find these.
CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782
CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778
CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900
CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779
Are they ever going to be fixed?
Charles Robertson
Firefox Maintainer
SUSE LLC
What is the status of the following CVEs on NSS? I've searched through all your MFSAs and did not find these.
CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782
CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778
CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900
CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779
Are they ever going to be fixed?
Charles Robertson
Firefox Maintainer
SUSE LLC
J.C. Jones
Nov 7, 2019, 6:40:47 PM11/7/19
to Charles Robertson, dev-se...@lists.mozilla.org
Hi Charles,
It looks like all of these are in the legacy BerkleyDB. In NSS 3.12
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.12_release_notes.html>
(2008) we began shipping a newer database implementation based on SQLite,
and made it the default in NSS 3.35
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes>
in 2018.
I'm afraid these hadn't risen to my attention, but the legacy DB is
unmaintained and will be removed in the future when all migrations are
completed. I believe final removal would be end of 2020, corresponding to
retirement of RHEL6, but I would need to double-check that with my
colleagues at RedHat. This does remind me that we should stop building DBM
by default soon, as January will mark two years since we changed the
default to SQLite.
I've opened bug 1594931
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594931> to disable building
DBM entirely for Firefox builds, which I believe we can do at any time.
I've also opened bug 1594933
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594933> to disable building
DBM by default in future versions of NSS, leaving it to maintainers to
handle exceptions for now.
J.C.
On Thu, Nov 7, 2019 at 3:16 PM Charles Robertson <CGRob...@suse.com>
wrote:
> _______________________________________________
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
>
It looks like all of these are in the legacy BerkleyDB. In NSS 3.12
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.12_release_notes.html>
(2008) we began shipping a newer database implementation based on SQLite,
and made it the default in NSS 3.35
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes>
in 2018.
I'm afraid these hadn't risen to my attention, but the legacy DB is
unmaintained and will be removed in the future when all migrations are
completed. I believe final removal would be end of 2020, corresponding to
retirement of RHEL6, but I would need to double-check that with my
colleagues at RedHat. This does remind me that we should stop building DBM
by default soon, as January will mark two years since we changed the
default to SQLite.
I've opened bug 1594931
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594931> to disable building
DBM entirely for Firefox builds, which I believe we can do at any time.
I've also opened bug 1594933
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594933> to disable building
DBM by default in future versions of NSS, leaving it to maintainers to
handle exceptions for now.
J.C.
On Thu, Nov 7, 2019 at 3:16 PM Charles Robertson <CGRob...@suse.com>
wrote:
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
>
0 new messages