bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767

From:	Maxim Cournoyer
Subject:	bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767
Date:	Tue, 21 Feb 2023 08:25:16 -0500
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Hi Leo,

Leo Famulari <leo@famulari.name> writes:

> There's a serious vulnerability in NSS:
>
> "An attacker could construct a PKCS 12 cert bundle in such a way that
> could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes
> being mishandled."
>
> https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/#CVE-2023-0767
>
> Apparently it is fixed in NSS, but they don't seem to say in which
> version:
>
> https://www.mozilla.org/en-US/security/known-vulnerabilities/nss/
>
> Help wanted to fix this bug!

That's been fixed by myself for nss-next
(246a3d90eac82966b691bdca4660ab9c5d802631) and by Tobias for nss itself,
via a graft to the latest 3.88.1 version
(b04ee227a47419291391a2b6e857e41ed1c32155).

Closing.

-- 
Thanks,
Maxim

[Prev in Thread]

Current Thread

[Next in Thread]

bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767, Leo Famulari, 2023/02/17
- bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767, Maxim Cournoyer <=

Prev by Date: bug#61676: package transformations not honored working from a manifest
Next by Date: bug#61684: can't compose 'with-patch' with 'with-source'
Previous by thread: bug#61573: Arbitrary memory write vulnerability in NSS CVE-2023-0767
Next by thread: bug#57742: QT plugins from profile not found (QT_PLUGIN_PATH)
Index(es):
- Date
- Thread