Old CVEs

Charles Robertson

Nov 7, 2019, 5:16:48 PM
to dev-se...@lists.mozilla.org
Hi,

What is the status of the following CVEs on NSS? I've searched through all your MFSAs and did not find these.

CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360782

CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778

CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360900

CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779

Are they ever going to be fixed?

Charles Robertson
Firefox Maintainer
SUSE LLC

J.C. Jones

Nov 7, 2019, 6:40:47 PM
to Charles Robertson, dev-se...@lists.mozilla.org
Hi Charles,

It looks like all of these are in the legacy Berkeley DB. In NSS 3.12
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.12_release_notes.html>
(2008) we began shipping a newer database implementation based on SQLite,
and made it the default in NSS 3.35
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes>
in 2018.

I'm afraid these hadn't risen to my attention, but the legacy DB is
unmaintained and will be removed in the future when all migrations are
completed. I believe final removal would be end of 2020, corresponding to
retirement of RHEL6, but I would need to double-check that with my
colleagues at Red Hat. This does remind me that we should stop building DBM
by default soon, as January will mark two years since we changed the
default to SQLite.

I've opened bug 1594931
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594931> to disable building
DBM entirely for Firefox builds, which I believe we can do at any time.
I've also opened bug 1594933
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594933> to disable building
DBM by default in future versions of NSS, leaving it to maintainers to
handle exceptions for now.

J.C.
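
Added example, not part of the original thread or of NSS itself: a small inventory script a maintainer could use to find NSS database directories that still hold legacy DBM-format files. It assumes NSS's standard file names (cert8.db, key3.db, secmod.db for the legacy DBM format; cert9.db, key4.db for SQLite), which the thread does not spell out, and confirms each file's format from its leading bytes; the function names and the sample tree are constructed for illustration.

```python
import os
import struct
import sys

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of any SQLite 3 file
DBM_HASH_MAGIC = 0x061561               # Berkeley DB 1.85 hash-file magic number
LEGACY_NAMES = {"cert8.db", "key3.db", "secmod.db"}   # assumed legacy DBM names
SQLITE_NAMES = {"cert9.db", "key4.db"}                # assumed SQLite names

def file_format(path):
    """Return 'sqlite', 'dbm' or 'unknown' based on the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head == SQLITE_MAGIC:
        return "sqlite"
    # Accept either byte order for the 4-byte DBM magic.
    if len(head) >= 4 and DBM_HASH_MAGIC in (
            struct.unpack(">I", head[:4])[0], struct.unpack("<I", head[:4])[0]):
        return "dbm"
    return "unknown"

def classify_dir(directory):
    """Return 'legacy-only', 'both', 'sqlite-only' or 'none' for one directory."""
    found = set()
    for name in os.listdir(directory):
        if name in LEGACY_NAMES | SQLITE_NAMES:
            found.add(file_format(os.path.join(directory, name)))
    if {"dbm", "sqlite"} <= found:
        return "both"              # legacy files remain alongside SQLite ones
    if "dbm" in found:
        return "legacy-only"       # only legacy-format databases present
    return "sqlite-only" if "sqlite" in found else "none"

def scan(root):
    """Walk root and map each directory holding NSS databases to its class."""
    results = ((d, classify_dir(d)) for d, _dirs, _files in os.walk(root))
    return {d: kind for d, kind in results if kind != "none"}

def build_sample(root):
    """Constructed sample tree: magic headers only, not real databases."""
    layout = {"old": ["cert8.db"], "both": ["cert8.db", "cert9.db"], "new": ["cert9.db"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            magic = SQLITE_MAGIC if name in SQLITE_NAMES else struct.pack(">I", DBM_HASH_MAGIC)
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(magic + b"\x00" * 16)
    return root

if __name__ == "__main__" and len(sys.argv) > 1:
    for path, kind in sorted(scan(sys.argv[1]).items()):
        print(f"{kind:12} {path}")
```

Run it with a directory to scan as its only argument; directories reported as `legacy-only` are the ones that would be affected when DBM support is no longer built.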

