CVE-2021-43527: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS)

Bug #1957929 reported by Ghada Khalil
Affects    Status        Importance  Assigned to  Milestone
StarlingX  Fix Released  Medium      Joe Slater

Bug Description

CVE-2021-43527: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS)

Score:
CVSSv2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Description:
NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. Note: This vulnerability does NOT impact Mozilla Firefox. However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince, are believed to be impacted. Affected upstream versions: NSS < 3.73 and NSS ESR < 3.68.1. On CentOS 7 the fix is backported rather than rebased, so the errata builds listed below (RHSA-2021:4904) are the fixed versions; comparing an installed 3.67.0 against the upstream 3.73 threshold alone would misreport a patched host as vulnerable.

References:
http://nvd.nist.gov/vuln/detail/CVE-2021-43527
https://access.redhat.com/errata/RHSA-2021:4904
https://access.redhat.com/security/cve/CVE-2021-43527
https://lists.centos.org/pipermail/centos-announce/2021-December/060972.html

Required package versions (CentOS 7 errata builds):
nspr-4.32.0-1.el7_9.x86_64.rpm
nspr-devel-4.32.0-1.el7_9.x86_64.rpm
nss-3.67.0-4.el7_9.x86_64.rpm
nss-devel-3.67.0-4.el7_9.x86_64.rpm
nss-softokn-3.67.0-3.el7_9.x86_64.rpm
nss-softokn-devel-3.67.0-3.el7_9.x86_64.rpm
nss-softokn-freebl-3.67.0-3.el7_9.x86_64.rpm
nss-softokn-freebl-devel-3.67.0-3.el7_9.x86_64.rpm
nss-sysinit-3.67.0-4.el7_9.x86_64.rpm
nss-tools-3.67.0-4.el7_9.x86_64.rpm
nss-util-3.67.0-1.el7_9.x86_64.rpm
nss-util-devel-3.67.0-1.el7_9.x86_64.rpm

Packages:
nspr, nss, nss-softokn, nss-util

Found during January 2022 CVE Scan
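The version list above is what a CVE scan has to compare installed RPMs against, and the comparison has to use rpm's own ordering so that release tags such as 4.el7_9 versus 3.el7_9 are ranked correctly. The following script is an added example, not StarlingX tooling or NSS project code: it ports librpm's rpmvercmp, parses an rpm -qa listing, and reports each package in the required list as fixed, vulnerable or absent. The rpm -qa lines embedded in it are constructed sample input for a partially updated host, and the names audit, parse_nvra, vr_cmp and vulnerable_packages are the example's own.

```python
"""Audit nspr/nss RPMs against the CVE-2021-43527 errata builds (CentOS 7).

Added example, not StarlingX or NSS code. FIXED_VERSIONS is taken from the
required package list above; SAMPLE_RPM_QA is constructed sample input.
"""
import shutil
import subprocess

# Minimum fixed (version, release) per package, from the required package list.
FIXED_VERSIONS = {
    "nspr": ("4.32.0", "1.el7_9"),
    "nspr-devel": ("4.32.0", "1.el7_9"),
    "nss": ("3.67.0", "4.el7_9"),
    "nss-devel": ("3.67.0", "4.el7_9"),
    "nss-softokn": ("3.67.0", "3.el7_9"),
    "nss-softokn-devel": ("3.67.0", "3.el7_9"),
    "nss-softokn-freebl": ("3.67.0", "3.el7_9"),
    "nss-softokn-freebl-devel": ("3.67.0", "3.el7_9"),
    "nss-sysinit": ("3.67.0", "4.el7_9"),
    "nss-tools": ("3.67.0", "4.el7_9"),
    "nss-util": ("3.67.0", "1.el7_9"),
    "nss-util-devel": ("3.67.0", "1.el7_9"),
}

# Constructed `rpm -qa` output for a host where only part of the update landed.
SAMPLE_RPM_QA = """\
nspr-4.25.0-2.el7_9.x86_64
nss-3.53.1-7.el7_9.x86_64
nss-util-3.53.1-1.el7_9.x86_64
nss-softokn-3.67.0-3.el7_9.x86_64
nss-softokn-freebl-3.67.0-3.el7_9.x86_64
nss-sysinit-3.67.0-4.el7_9.x86_64
nss-tools-3.67.0-4.el7_9.x86_64
openssl-libs-1.0.2k-24.el7_9.x86_64
""".splitlines()


def rpmvercmp(a: str, b: str) -> int:
    """Port of librpm's rpmvercmp(): -1, 0 or 1.  Digit runs compare numerically,
    letter runs as strings, a numeric segment beats an alphabetic one, '~' sorts
    before anything (pre-release) and '^' after the bare version (post-release)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        k = i
        while k < len(a) and (a[k].isdigit() if isnum else a[k].isalpha()):
            k += 1
        m = j
        while m < len(b) and (b[m].isdigit() if isnum else b[m].isalpha()):
            m += 1
        seg_a, seg_b = a[i:k], b[j:m]
        i, j = k, m
        if not seg_b:  # segment types differ: numeric wins over alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvra(pkg: str):
    """Split 'name-version-release.arch' as printed by rpm -qa; None if malformed."""
    nvr, dot, arch = pkg.rpartition(".")
    if not dot:  # e.g. gpg-pubkey entries carry no arch suffix
        nvr, arch = pkg, ""
    parts = nvr.rsplit("-", 2)
    return (*parts, arch) if len(parts) == 3 else None


def vr_cmp(installed, fixed) -> int:
    """Order (version, release) pairs like rpm: release decides only on a version tie.
    Epoch is ignored: rpm -qa does not print it and none of these packages carry one."""
    rc = rpmvercmp(installed[0], fixed[0])
    return rc if rc else rpmvercmp(installed[1], fixed[1])


def audit(rpm_qa_lines):
    """Return {package: (status, 'version-release' or None)} for FIXED_VERSIONS."""
    installed = {}
    for line in rpm_qa_lines:
        parsed = parse_nvra(line.strip()) if line.strip() else None
        if parsed:
            installed[parsed[0]] = (parsed[1], parsed[2])
    report = {}
    for name, fixed in FIXED_VERSIONS.items():
        if name not in installed:
            report[name] = ("absent", None)
            continue
        ver, rel = installed[name]
        status = "fixed" if vr_cmp((ver, rel), fixed) >= 0 else "vulnerable"
        report[name] = (status, f"{ver}-{rel}")
    return report


def vulnerable_packages(report):
    return sorted(n for n, (status, _) in report.items() if status == "vulnerable")


if __name__ == "__main__":
    if shutil.which("rpm"):
        lines = subprocess.run(["rpm", "-qa"], check=True, capture_output=True,
                               text=True).stdout.splitlines()
    else:
        lines = SAMPLE_RPM_QA
    for name, (status, vr) in audit(lines).items():
        print(f"{name:26s} {status:10s} {vr or '-'}")
```

On the constructed listing the script flags nspr, nss and nss-util as still vulnerable while the softokn, sysinit and tools packages are already at the errata builds; that mixed state is exactly what a partial update of a multi-package set looks like, which is why every package in the required list is checked individually rather than only nss. Comparing against the distro errata build instead of the upstream "< 3.73" range is deliberate: on CentOS 7 the fix lives in the release tag (4.el7_9), not in the 3.67.0 version.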

Ghada Khalil (gkhalil)
information type: Public → Public Security
tags: added: stx.security
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: nobody → Joe Slater (jslater0wind)
tags: added: stx.7.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/825375

Changed in starlingx:
status: New → In Progress
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/825375
Committed: https://opendev.org/starlingx/tools/commit/4840fc1bda693acec52e89a7cbb6d162bd226709
Submitter: "Zuul (22348)"
Branch: master

commit 4840fc1bda693acec52e89a7cbb6d162bd226709
Author: Joe Slater <email address hidden>
Date: Tue Jan 18 14:16:18 2022 -0500

    nss: fix CVE-2021-43527

    nss is vulnerable to a heap overflow when handling DER-encoded
    DSA or RSA-PSS signatures. We update nss packages and nspr to
    the latest centos7 versions.

    *** Testing ***
    To be sure we will work with existing databases, before updating,
    create a database.

    $ mkdir arf
    $ echo "Pword22*" > arf/pass
    $ certutil -N -d arf -f arf/pass
    $ certutil -G -d arf -f arf/pass # put a key pair in the database

    Save the arf directory. Install an iso with the updated nss packages.
    Import arf. Then...

    $ certutil -K -d arf -f arf/pass # display the keyID
    $ certutil -G -d arf -f arf/pass # add a key
    $ certutil -K -d arf -f arf/pass # display both keyIDs
    ***

    Closes-bug: 1957929
    Change-Id: I960e42d1e361dace4443d6a052fe06206c6675dd
    Signed-off-by: Joe Slater <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium