Bug 862300 (CVE-2014-1490) - VUL-0: CVE-2014-1490: mozilla-nss: TOCTOU - potential use-after-free in libssl's session ticket processing
Summary: VUL-0: CVE-2014-1490: mozilla-nss: TOCTOU - potential use-after-free in libss...
Status: RESOLVED FIXED
Alias: CVE-2014-1490
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium   Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-05 09:30 UTC by Victor Pereira
Modified: 2016-04-27 18:59 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-02-05 09:30:10 UTC
CVE-2014-1490

It appears there are race conditions (TOCTOU, potentially use-after-free) due to lack of locking around reads and updates of the sessionTicket field of sslSessionIDStr. For example, these races can happen when thread A is trying to resume a session concurrently with thread B that has already started resuming that same session, and where thread B has received a NewSessionTicket extension that will cause it to update the sessionTicket field of the sid that thread A is trying to read. This may cause a use-after-free when ssl3_SetSIDSessionTicket calls SECITEM_FreeItem to free the session ticket data while ssl3_SendSessionTicketXtn is trying to read it. There are probably other similar problems.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1490
https://bugzilla.redhat.com/show_bug.cgi?id=1060953
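The pattern the report describes, and the defensive shape that removes it, as an added example that is not NSS code and not part of this bug report: a constructed stand-in for a session ID with a SECItem-like ticket field, where the update side (the role ssl3_SetSIDSessionTicket plays above) frees and replaces the ticket under a mutex, and the read side (the role ssl3_SendSessionTicketXtn plays) copies the ticket out under the same mutex instead of holding a pointer into the shared field. All names (Ticket, SessionID, sid_set_ticket, sid_copy_ticket, run_demo) are hypothetical, and the locking scheme is illustrative rather than a description of the upstream 3.15.4 fix.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the sessionTicket field: a SECItem-like (data, len) pair. */
typedef struct {
    unsigned char *data;
    size_t len;
} Ticket;

/* Constructed model of a session ID; the lock guards every access to ticket. */
typedef struct {
    Ticket ticket;
    pthread_mutex_t lock;
} SessionID;

static void ticket_free(Ticket *t) {
    free(t->data);
    t->data = NULL;
    t->len = 0;
}

void sid_init(SessionID *sid) {
    sid->ticket.data = NULL;
    sid->ticket.len = 0;
    pthread_mutex_init(&sid->lock, NULL);
}

void sid_destroy(SessionID *sid) {
    ticket_free(&sid->ticket);
    pthread_mutex_destroy(&sid->lock);
}

/* Update side: install a new ticket and free the old one. The free happens
 * under the lock, so no reader can be inside a read of the old buffer. */
int sid_set_ticket(SessionID *sid, const unsigned char *data, size_t len) {
    unsigned char *copy = malloc(len ? len : 1);
    if (!copy) return -1;
    if (len) memcpy(copy, data, len);
    pthread_mutex_lock(&sid->lock);
    free(sid->ticket.data);
    sid->ticket.data = copy;
    sid->ticket.len = len;
    pthread_mutex_unlock(&sid->lock);
    return 0;
}

/* Read side: copy the ticket out under the lock. The caller then works from
 * its own buffer and never holds a pointer into sid->ticket that an update
 * could free underneath it (the use-after-free described in the report). */
int sid_copy_ticket(SessionID *sid, Ticket *out) {
    int rv = -1;
    pthread_mutex_lock(&sid->lock);
    out->len = sid->ticket.len;
    out->data = malloc(out->len ? out->len : 1);
    if (out->data) {
        if (out->len) memcpy(out->data, sid->ticket.data, out->len);
        rv = 0;
    }
    pthread_mutex_unlock(&sid->lock);
    return rv;
}

#define TICKET_LEN 64
#define ROUNDS 2000

/* Writer thread: repeatedly replaces the ticket with a buffer whose bytes all
 * equal the round number, so a consistent ticket has all-identical bytes. */
static void *writer(void *arg) {
    SessionID *sid = arg;
    unsigned char buf[TICKET_LEN];
    for (int i = 1; i <= ROUNDS; i++) {
        memset(buf, (unsigned char)i, sizeof buf);
        sid_set_ticket(sid, buf, sizeof buf);
    }
    return NULL;
}

/* Reader thread: copies the ticket repeatedly and counts torn copies. */
static void *reader(void *arg) {
    SessionID *sid = arg;
    intptr_t torn = 0;
    for (int i = 0; i < ROUNDS; i++) {
        Ticket t;
        if (sid_copy_ticket(sid, &t) != 0) continue;
        for (size_t k = 1; k < t.len; k++)
            if (t.data[k] != t.data[0]) { torn++; break; }
        ticket_free(&t);
    }
    return (void *)torn;
}

/* Runs one writer against one reader; returns the number of torn reads,
 * which the lock keeps at zero. */
long run_demo(void) {
    SessionID sid;
    pthread_t w, r;
    void *torn = NULL;
    unsigned char initial[TICKET_LEN] = {0};
    sid_init(&sid);
    sid_set_ticket(&sid, initial, sizeof initial);
    pthread_create(&r, NULL, reader, &sid);
    pthread_create(&w, NULL, writer, &sid);
    pthread_join(w, NULL);
    pthread_join(r, &torn);
    sid_destroy(&sid);
    return (long)(intptr_t)torn;
}

int main(void) {
    printf("torn reads: %ld\n", run_demo());
    return 0;
}
```

The point to check in a code review of any similar structure is the one the report makes: a reader that keeps a bare pointer to a shared, replaceable field past the point where it drops (or never took) the lock is racing every writer that frees that field, and the fix is either to hold the lock across the whole read or to copy under the lock, as here.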
Comment 1 Swamp Workflow Management 2014-02-05 23:05:16 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-03-11 14:26:34 UTC
We already released 3.15.4 mozilla-nss, where this is fixed.