[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Analysis of nss CVE-2016-2834

Hi LTS Team

I have gone through what I can find about CVE-2016-2834 listed in the
security tracker for nss.

The most interesting information can be found here:
"Mozilla has updated the version of Network Security Services (NSS) library used in Firefox to NSS 3.23. This addresses four moderate rated networking security issues reported by Mozilla engineers Tyson Smith and Jed Davis."

The most detailed description is here:
"In addition, multiple unspecified security issues were discovered in NSS.

So I have now gone through the ~7 MB diff between nss and found changes regarding the following:
- ASN1 parsing issue. See also CVE-2016-1950
- A lot of changes from getenv to some secure variant.
- A change in sslinfo.c that could potentially be the change.
- Downgrade fixes. Good but not this CVE.

Do anyone know more about this CVE?

There are a few references to mozilla bugzilla bugs but I do not have access to them. Anyone who have?

The potential correction looks like this:
diff -uNrw nss-3.22/nss/lib/ssl/sslinfo.c nss-3.23/nss/lib/ssl/sslinfo.c
--- nss-3.22/nss/lib/ssl/sslinfo.c 2016-01-29 11:30:10.000000000 +0100
+++ nss-3.23/nss/lib/ssl/sslinfo.c 2016-02-26 21:51:11.000000000 +0100
@@ -27,7 +27,10 @@
     SSLChannelInfo   inf;
     sslSessionID *   sid;
-    if (!info || len < sizeof inf.length) { 
+    /* Check if we can properly return the length of data written and that
+     * we're not asked to return more information than we know how to provide.
+     */
+    if (!info || len < sizeof inf.length || len > sizeof inf) {
  return SECFailure;

// Ola

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: