Vulnerability detected in Mozilla NSS.


Rao, Pankaj

Dec 12, 2017, 2:02:10 PM
to dev-se...@lists.mozilla.org
Hi All,

We are using Mozilla NSS within our product. While scanning our product with OWASP we found vulnerabilities in Mozilla NSS.


* CVE-2017-10989 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.


* CVE-2015-3717 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.

Both these vulnerabilities are in the sqlite dll which gets compiled with the Mozilla NSS source code.

We had downloaded the most recent version of NSS source code that gets built successfully on Visual Studio 2010 (3.27) and found the vulnerability is still present.

Please let us know when these vulnerabilities will get addressed.

Thanks and Regards,
Pankaj Rao

Franziskus Kiefer

Dec 12, 2017, 2:19:00 PM
to Rao, Pankaj, dev-se...@lists.mozilla.org
Hi Pankaj,

thanks for pointing out the vulnerabilities in the version of sqlite in the
NSS source tree.
We'll look into updating the sqlite copy in NSS.
But note that the sqlite code in the NSS source tree is meant for
development not production. Release builds of NSS should be built with
--system-sqlite (when building with gyp) or NSS_USE_SYSTEM_SQLITE=1 (when
building with make) to use the system sqlite library, which hopefully gets
updated regularly.

Cheers,
Franziskus
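
An added example, not part of the thread and not NSS's own tooling: a shell check that reads SQLITE_VERSION from a bundled sqlite3.h and tests it against the "through 3.19.3" range quoted above for CVE-2017-10989. The header path passed in and the constructed sample file are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The header path passed in is an
# assumption; SQLITE_VERSION is the version macro that sqlite3.h defines.

# Print the version string found in a sqlite3.h header, e.g. "3.10.2".
sqlite_header_version() {
    [ -r "$1" ] || return 0
    sed -n 's/^#define[[:space:]]\{1,\}SQLITE_VERSION[[:space:]]\{1,\}"\([0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when dotted version $1 <= $2, comparing each field numerically
# (a plain string compare would rank 3.9.0 above 3.19.3).
version_le() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        if [ "$va" = "$fa" ]; then va=; else va=${va#*.}; fi
        if [ "$vb" = "$fb" ]; then vb=; else vb=${vb#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 0
}

# 0: header version is in the range the CVE-2017-10989 text names
#    ("SQLite through 3.19.3"); 1: newer; 2: no version macro found.
bundled_sqlite_in_cve_range() {
    hv=$(sqlite_header_version "$1")
    [ -n "$hv" ] || return 2
    version_le "$hv" 3.19.3
}

# Report for one header, with the build options named in the reply above.
report_bundled_sqlite() {
    if bundled_sqlite_in_cve_range "$1"; then
        echo "bundled sqlite $hv is in range: build with --system-sqlite (gyp) or NSS_USE_SYSTEM_SQLITE=1 (make)"
    else
        echo "bundled sqlite not in the CVE-2017-10989 range, or no version found"
    fi
}

# Constructed sample header (not the real NSS file) so the example runs offline.
sample=$(mktemp)
printf '#define SQLITE_VERSION        "3.10.2"\n#define SQLITE_VERSION_NUMBER 3010002\n' > "$sample"
report_bundled_sqlite "$sample"
```

The check covers only the version range stated for CVE-2017-10989; the thread gives no SQLite version range for CVE-2015-3717.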

Rao, Pankaj

Dec 13, 2017, 12:09:14 AM
to Franziskus Kiefer, dev-se...@lists.mozilla.org
Thanks Franziskus for the quick response.
Also please note that we are unable to build the latest versions of NSS on Visual Studio 2010.
Is it the case that the latest versions' makefiles are compatible with Visual Studio 2015?

Thanks,
Pankaj Rao


Franziskus Kiefer

Dec 14, 2017, 8:41:00 AM
to Rao, Pankaj, dev-se...@lists.mozilla.org
I think Visual Studio 2015 is the oldest version supported to build NSS. I
would recommend using VS 2015 or VS 2017 to build NSS.

Cheers


Rao, Pankaj

Dec 14, 2017, 11:51:00 PM
to Franziskus Kiefer, dev-se...@lists.mozilla.org
In that case can we backport the vulnerability fix to a previous version of NSS source code (3.27/3.28) so that it gets compiled with VS 2010?

Thanks and Regards,
Pankaj Rao


Rao, Pankaj

Jan 9, 2018, 6:47:24 AM
to Franziskus Kiefer, Khandelwal, Kushal, dev-se...@lists.mozilla.org
Hi Franziskus,
Could you please let us know whether the below mentioned vulnerabilities are addressed in NSS code?
Thanks,
Pankaj

Khandelwal, Kushal

Jan 9, 2018, 11:57:19 AM
to dev-se...@lists.mozilla.org, Rao, Pankaj
Hello Mozilla Team

We are using Mozilla NSS in our product for TLS 1.2 implementation. Recently our clients have enquired about vulnerability VU#144389 with the following description:

Summary : TLS implementations may disclose side channel information via discrepancies between valid and invalid PKCS#1 padding

Link to vulnerability details:
https://www.kb.cert.org/vuls/id/144389


Is Mozilla code affected with this vulnerability?

Thanks
Kushal
