Security: Out of Bounds write in NSS (used on ChromeOS)
Issue description

Mozilla released https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461 on April 19, and I just saw it. There's an out-of-bounds write with Base64 decoding in NSS. We base64 decode hostile data in the browser process when importing certificates (by users clicking a download or by importing the cert directly). Since the bug is in NSS, it affects Linux and ChromeOS users. On Linux, this would require uprevving the minimum version of NSS required, which historically has been very difficult to do (e.g. we haven't required NSS versions to take security patches). On ChromeOS, we'd need to uprev the system.

I believe it may also be triggered by AIA fetching due to a fallback path in that code, which would not require user interaction, but I haven't confirmed.

Note the MFSA is weird because it says encoding in the title, decoding in the bug, and it appears my NSS security bug clearance has expired, so I'm not sure of the details.

RHEL has https://rhn.redhat.com/errata/RHSA-2017-1100.html for this bug. This release also fixes a flaw in the RNG. However, we should not be using that for any security-critical functions now that BoringSSL is the primary library for TLS, and NSS is just used for certificates.

The change is https://hg.mozilla.org/projects/nss/rev/4dbfcefed2cc and it looks like an integer overflow in the decoding allocation, which is probably minor (requires extremely large inputs, which we'd cap for AIA at 64K) and a bug in the encoding calculations (which would apply to OCSP requests, except those aren't bounded).
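The allocation overflow described above is, in general, a size-computation bug: the buffer length derived from the input length wraps before the allocation happens, and the decoder then writes past the undersized buffer. The following is an added example, not NSS code and not taken from the fix linked in the report; the function names, the strict decoder and the 64K input cap (echoing the AIA bound mentioned above) are this example's own. It shows overflow-guarded encode and decode size computations beside a base64 decoder that checks its output bound against the caller's buffer before writing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input cap for this example, echoing the 64K bound mentioned for
   AIA fetches in the report; not an NSS constant. */
#define B64_MAX_INPUT ((size_t)64 * 1024)

/* Base64 text length for n raw bytes, i.e. ((n + 2) / 3) * 4, with each step
   guarded. A formula like (n * 4 + 2) / 3 multiplies first and wraps for large n,
   so the allocation comes out far too small for the bytes later written into it
   (with a 32-bit length type that already happens around 1 GiB of input).
   Returns 0 and sets *out on success, -1 on overflow. */
int b64_encoded_size(size_t n, size_t *out) {
    if (n > SIZE_MAX - 2) return -1;
    size_t groups = (n + 2) / 3;
    if (groups > SIZE_MAX / 4) return -1;
    *out = groups * 4;
    return 0;
}

/* Upper bound on raw bytes from len base64 characters: (len / 4) * 3. Dividing
   first cannot overflow, since the result is below len; len * 3 / 4 can.
   len must be a non-zero multiple of 4 and within the input cap. */
int b64_decoded_size(size_t len, size_t *out) {
    if (len == 0 || len % 4 != 0 || len > B64_MAX_INPUT) return -1;
    *out = (len / 4) * 3;
    return 0;
}

static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Strict decoder: checks the output bound against the caller's buffer before
   writing, rejects non-alphabet bytes, misplaced '=' and data after padding.
   Returns bytes written, or -1 on any rejection. */
long b64_decode(const char *in, size_t len, uint8_t *out, size_t cap) {
    size_t need, o = 0;
    if (b64_decoded_size(len, &need) != 0 || need > cap) return -1;
    for (size_t i = 0; i < len; i += 4) {
        int v[4], pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') {
                /* '=' is only legal in the last two slots of the final quantum */
                if (i + 4 != len || k < 2) return -1;
                pad++;
                v[k] = 0;
            } else {
                if (pad) return -1;            /* alphabet byte after '=' */
                v[k] = b64_value(c);
                if (v[k] < 0) return -1;
            }
        }
        uint32_t bits = ((uint32_t)v[0] << 18) | ((uint32_t)v[1] << 12) |
                        ((uint32_t)v[2] << 6) | (uint32_t)v[3];
        out[o++] = (uint8_t)(bits >> 16);
        if (pad < 2) out[o++] = (uint8_t)(bits >> 8);
        if (pad < 1) out[o++] = (uint8_t)bits;
    }
    return (long)o;
}

/* Runs the constructed cases below; returns 1 if every result matches. */
int b64_selftest(void) {
    uint8_t buf[16];
    size_t sz;
    if (b64_encoded_size(5, &sz) != 0 || sz != 8) return 0;
    if (b64_encoded_size(SIZE_MAX - 2, &sz) != -1) return 0;      /* would wrap */
    if (b64_decoded_size(B64_MAX_INPUT + 4, &sz) != -1) return 0;  /* over cap */
    if (b64_decode("aGVsbG8=", 8, buf, sizeof buf) != 5 || memcmp(buf, "hello", 5)) return 0;
    if (b64_decode("aGVsbG8=", 8, buf, 4) != -1) return 0;         /* buffer too small */
    if (b64_decode("aGVsbG8", 7, buf, sizeof buf) != -1) return 0;  /* not a multiple of 4 */
    if (b64_decode("aG=s", 4, buf, sizeof buf) != -1) return 0;     /* data after '=' */
    if (b64_decode("aGV$", 4, buf, sizeof buf) != -1) return 0;     /* bad character */
    return 1;
}

int main(void) {
    int ok = b64_selftest();
    printf("base64 self-test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The decoder works on an upper bound rather than the exact decoded length, so it may refuse a buffer that would just barely have fit; that conservatism is deliberate, since the bound is computed before any byte of input is trusted. Applying the input cap before the size arithmetic, as the report proposes for AIA responses, means the overflow case is never reached for that path even if the arithmetic were unguarded.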
May 1 2017
Can I assign this to a network friend to get it out of the security triage queue? Who might be a good person?
May 1 2017
Yeah, I would own it, wanted y'all to triage for priority based on that impact & mitigations so I know how best to prioritize (and for which release), since it'll involve a CrOS NSS uprev :)
May 2 2017
Discussed this with palmer offline, and I agree with a medium P-1 here since importing a cert seems like a reasonably high mitigating factor (critical -> medium) and the AIA fetching case is most likely unexploitable. rsleevi, I'll assign this to you since you volunteered :)
May 3 2017 (no comment text)

May 16 2017
rsleevi: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 16 2017
Working on getting the CrOS chroot setup on the new machine. It's in progress :)
May 19 2017 (no comment text)

May 30 2017
Issue 724574 has landed, looks like it landed just after 60 branch. I've set M-R for 60, and would like SecurityTeam's advice on whether to set M-R for 59, given the timing.
May 31 2017
Given this is mitigated by the user interaction required, I'm willing to forgo the M-59 merge.
Jun 1 2017
ChromeOS M60 is now running NSS 3.30.2 (as noted in Issue 724574). Linux users can still be affected, but that's the responsibility of the OS vendor/distro, unfortunately.
Jun 2 2017 (no comment text)

Jul 24 2017 (no comment text)

Sep 8 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by palmer@chromium.org, Apr 28 2017