Also please note that we are unable to built the latest versions of NSS on Visual Studio 2010.
Is it the case that the latest versions makefiles are compatible with Visual Studio 2015?
From: Franziskus Kiefer [mailto:
fki...@mozilla.com]
Sent: 13 December 2017 00:49
To: Rao, Pankaj <
Panka...@bmc.com>
Cc:
dev-se...@lists.mozilla.org
Subject: Re: Vulnerability detected in Mozilla NSS.
Hi Pankaj,
thanks for pointing out the vulnerabilities in the version of sqlite in the NSS source tree.
We'll look into updating the sqlite copy in NSS.
But note that the sqlite code in the NSS source tree is meant for development not production. Release builds of NSS should be built with --system-sqlite (when building with gyp) or NSS_USE_SYSTEM_SQLITE=1 (when building with make) to use the system sqlite library, which hopefully gets updated regularly.
Cheers,
Franziskus
On Tue, Dec 12, 2017 at 6:20 AM, Rao, Pankaj <
Panka...@bmc.com<mailto:
Panka...@bmc.com>> wrote:
Hi All,
We are using Mozilla NSS within our product. While scanning our product with OWASP we found vulnerability in Mozilla NSS.
* CVE-2017-10989 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
* CVE-2015-3717 - CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Multiple buffer overflows in the printf functionality in SQLite, as used in Apple iOS before 8.4 and OS X before 10.10.4, allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
Both these vulnerabilities are in sqlite dll which gets compiled with Mozilla NSS source code.
We had downloaded the most recent version of NSS source code that gets build successfully on Visual Studio 2010 (3.27) and found the vulnerability is still present.
Please let us know when these vulnerabilities will get addressed.
Thanks and Regards,
Pankaj Rao
_______________________________________________
dev-security mailing list