850148 – (CVE-2013-5605) VUL-0: mozilla-nss 3.15.3 security fix (CVE-2013-5605)

Bug 850148 (CVE-2013-5605) - VUL-0: mozilla-nss 3.15.3 security fix (CVE-2013-5605)

Summary: VUL-0: mozilla-nss 3.15.3 security fix (CVE-2013-5605)

Status:	RESOLVED FIXED

Alias:	CVE-2013-5605

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Deadline:	2013-11-27
Assignee:	Petr Cerny
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp1:55187 maint:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2013-11-12 20:13 UTC by Wolfgang Rosenauer
Modified:	2013-12-03 08:14 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Wolfgang Rosenauer 2013-11-12 20:13:07 UTC

Details about that bug are not public yet

The implementation of Null_Cipher uses PORT_Mempcy to copy data from the input buffer to the output buffer, as seen at http://mxr.mozilla.org/nss/source/lib/ssl/ssl3con.c#819

However, it does not validate or cap inputLen to be <= maxOutputLen. As a result, an attacker that sends a malformed SSL record may overwrite memory, including potentially memory on the stack.

Google fixed it silently in some Chrome update while Mozilla will provide a patch level release of Firefox to fix it soon (probably end of this week).

Comment 1 Wolfgang Rosenauer 2013-11-12 20:21:26 UTC

I will provide updates for openSUSE and would include a mozilla-nspr patch level update which contains two fixes (not very security relevant but NSS and NSPR is mainly released as a combo and NSPR needs an update at least when Firefox 26 is coming anyway.

Comment 2 Swamp Workflow Management 2013-11-13 23:00:20 UTC

bugbot adjusting priority

Comment 3 Wolfgang Rosenauer 2013-11-17 10:31:36 UTC

NSPR got a CVE assigned too (announced on the NSPR newsgroup and therefore public)
NSPR 4.10.2 has the following bug fixes:
* Bug 770534: Possible pointer overflow in PL_ArenaAllocate().
  Fixed by Pascal Cuoq and Kamil Dudka.
* Bug 888546: ptio.c:PR_ImportUDPSocket doesn't work. Fixed by
  Miloslav Trmač.
* Bug 915522: VS2013 support for NSPR. Fixed by Makoto Kato.
* Bug 927687: (CVE-2013-5607) Avoid unsigned integer wrapping in
  PL_ArenaAllocate.

NSS 3.15.3 announcement from the NSS crypto newsgroup (public):
Network Security Services (NSS) 3.15.3 is a patch release for NSS 3.15.

No new major functionality is introduced in this release.

The following security-relevant bugs have been resolved in NSS 3.15.3.
Users are encouraged to upgrade immediately.
* Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum
               PRUint32 value
* Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets
* Bug 910438 - (CVE-2013-5606) Return the correct result in 
               CERT_VerifyCert on failure, if a verifyLog isn't used

Upstream Firefox release (25.0.1) to fix their internal NSS has been shipped.

Comment 4 Marcus Meissner 2013-11-19 08:56:02 UTC

make public, adjust product.

Comment 5 Marcus Meissner 2013-11-19 08:56:25 UTC

http://www.mozilla.org/security/announce/2013/mfsa2013-103.html

Comment 6 Swamp Workflow Management 2013-11-19 15:04:29 UTC

openSUSE-SU-2013:1730-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 850148
CVE References: CVE-2013-5605
Sources used:
openSUSE 13.1 (src):    mozilla-nspr-4.10.2-4.1, mozilla-nss-3.15.3-4.2
openSUSE 12.3 (src):    mozilla-nspr-4.10.2-1.22.1, mozilla-nss-3.15.3-1.20.2
openSUSE 12.2 (src):    mozilla-nspr-4.10.2-1.24.1, mozilla-nss-3.15.3-2.31.2

Comment 7 Bernhard Wiedemann 2013-11-19 16:00:22 UTC

This is an autogenerated message for OBS integration:
This bug (850148) was mentioned in
https://build.opensuse.org/request/show/206762 Factory / mozilla-nss

Comment 8 Swamp Workflow Management 2013-11-19 16:04:22 UTC

openSUSE-SU-2013:1732-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 850148
CVE References: CVE-2013-1741,CVE-2013-5605,CVE-2013-5606,CVE-2013-5607
Sources used:
openSUSE 11.4 (src):    mozilla-nspr-4.10.2-36.1, mozilla-nss-3.15.3-70.1

Comment 9 Bernhard Wiedemann 2013-11-19 18:00:20 UTC

This is an autogenerated message for OBS integration:
This bug (850148) was mentioned in
https://build.opensuse.org/request/show/207616 Evergreen:11.2 / mozilla-nss

Comment 10 Swamp Workflow Management 2013-11-20 17:41:01 UTC

The SWAMPID for this issue is 55185.
This issue was rated as important.
Please submit fixed packages until 2013-11-27.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 11 Marcus Meissner 2013-11-20 17:42:30 UTC

I would do this update seperately to Firefox ESR24.

can you please submit?

Comment 14 Marcus Meissner 2013-11-21 08:31:52 UTC

can you sbumit mozilla-nss and -snpr to sle11-sp1 please

Comment 17 Marcus Meissner 2013-12-02 11:52:12 UTC

released

Comment 18 Swamp Workflow Management 2013-12-02 12:05:31 UTC

Update released for: libfreebl3, libfreebl3-32bit, mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-debuginfo-32bit, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)

Comment 19 Swamp Workflow Management 2013-12-02 13:58:50 UTC

Update released for: libfreebl3, libfreebl3-32bit, libfreebl3-x86, mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debuginfo-x86, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nspr-x86, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-debuginfo-32bit, mozilla-nss-debuginfo-x86, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools, mozilla-nss-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 20 Swamp Workflow Management 2013-12-02 14:57:35 UTC

Update released for: mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-devel, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-devel, mozilla-nss-tools
Products:
SLE-SERVER 10-SP4-LTSS (i386, s390x, x86_64)

Comment 21 Swamp Workflow Management 2013-12-02 15:05:50 UTC

Update released for: mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-devel, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-devel, mozilla-nss-tools
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)

Comment 22 Swamp Workflow Management 2013-12-02 15:22:36 UTC

Update released for: libfreebl3, libfreebl3-32bit, libfreebl3-x86, libsoftokn3, libsoftokn3-32bit, libsoftokn3-x86, mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debuginfo-x86, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nspr-x86, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-debuginfo-32bit, mozilla-nss-debuginfo-x86, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools, mozilla-nss-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)

Comment 23 Swamp Workflow Management 2013-12-02 15:25:25 UTC

Update released for: libfreebl3, libfreebl3-32bit, mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-debuginfo-32bit, mozilla-nspr-debugsource, mozilla-nspr-devel, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-debuginfo-32bit, mozilla-nss-debugsource, mozilla-nss-devel, mozilla-nss-tools
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)

Comment 24 Swamp Workflow Management 2013-12-02 16:04:48 UTC

Update released for: mozilla-nspr, mozilla-nspr-32bit, mozilla-nspr-debuginfo, mozilla-nspr-devel, mozilla-nss, mozilla-nss-32bit, mozilla-nss-debuginfo, mozilla-nss-devel, mozilla-nss-tools
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)