[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767
From: |
Maxim Cournoyer |
Subject: |
bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767 |
Date: |
Tue, 21 Feb 2023 08:25:16 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) |
Hi Leo,
Leo Famulari <leo@famulari.name> writes:
> There's a serious vulnerability in NSS:
>
> "An attacker could construct a PKCS 12 cert bundle in such a way that
> could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes
> being mishandled."
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/#CVE-2023-0767
>
> Apparently it is fixed in NSS, but they don't seem to say in which
> version:
>
> https://www.mozilla.org/en-US/security/known-vulnerabilities/nss/
>
> Help wanted to fix this bug!
That's been fixed by myself for nss-next
(246a3d90eac82966b691bdca4660ab9c5d802631) and by Tobias for nss itself,
via a graft to the latest 3.88.1 version
(b04ee227a47419291391a2b6e857e41ed1c32155).
Closing.
--
Thanks,
Maxim