Old CVEs

Skip to first unread message

Charles Robertson

Nov 7, 2019, 5:16:48 PM11/7/19
to dev-se...@lists.mozilla.org

What is the status of the following CVEs on NSS? I've searched through all your MFSAs and did not find these.

CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)

CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)

CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)

CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)

Are they ever going to be fixed?

Charles Robertson
Firefox Maintainer

J.C. Jones

Nov 7, 2019, 6:40:47 PM11/7/19
to Charles Robertson, dev-se...@lists.mozilla.org
Hi Charles,

It looks like all of these are in the legacy BerkleyDB. In NSS 3.12
(2008) we began shipping a newer database implementation based on SQLite,
and made it the default in NSS 3.35
in 2018.

I'm afraid these hadn't risen to my attention, but the legacy DB is
unmaintained and will be removed in the future when all migrations are
completed. I believe final removal would be end of 2020, corresponding to
retirement of RHEL6, but I would need to double-check that with my
colleagues at RedHat. This does remind me that we should stop building DBM
by default soon, as January will mark two years since we changed the
default to SQLite.

I've opened bug 1594931
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594931> to disable building
DBM entirely for Firefox builds, which I believe we can do at any time.
I've also opened bug 1594933
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594933> to disable building
DBM by default in future versions of NSS, leaving it to maintainers to
handle exceptions for now.


On Thu, Nov 7, 2019 at 3:16 PM Charles Robertson <CGRob...@suse.com>
> _______________________________________________
> dev-security mailing list
> dev-se...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
Reply all
Reply to author
0 new messages