Bug 48771 (CVE-2003-0564)

Summary: VUL-0: CVE-2003-0564: mozilla S/MIME overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Wolfgang Rosenauer <stark>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: aj, hhetter, hmuelle, kukuk, meissner, mls, rf, ro, security-team, stark
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2003-0564: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 47963    

Description Sebastian Krahmer 2003-12-27 17:53:40 UTC 
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Cc: blizzard@redhat.com
Subject: [vendor-sec] Mozilla S/Mime issues

Cameron from NISCC asked me to foward this on to everyone here; the S/MIME 
vulnerability research they have been doing has found flaws in Mozilla.

No date has been set for this yet, no CVE name yet.

---------- Forwarded message ----------
http://bugzilla.mozilla.org/show_bug.cgi?id=229242

           Summary: mozilla will crash when receiving S/MIME message
                    (Detached Signed Data with CA and client certs)
           Product: NSS
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: --
         Component: Libraries
        AssignedTo: wchang0222@aol.com
        ReportedBy: Louie.Zhao@sun.com
         QAContact: bishakhabanerjee@aol.com
NISCC (http://www.uniras.gov.uk/vuls/) developed some testcases to detect
vulnerability in S/MIME implementation. Unfortuately, mozilla will crash
when receiving one kind of S/MIME message (Detached Signed Data with CA and
client certs).

Below is the stack when crashing:

#0  0x40799771 in nanosleep () from /lib/i686/libc.so.6
#1  0x40799639 in sleep () from /lib/i686/libc.so.6
#2  0x0806db06 in ah_crap_handler(int) (signum=11) at nsSigHandlers.cpp:149
#3  0x421a885c in nsProfileLock::FatalSignalHandler(int) (signo=11)
    at nsProfileLock.cpp:195
#4  0x400f7a6a in pthread_sighandler () from /lib/i686/libpthread.so.0 #5
<signal handler called> #6  0x42bb81d2 in
NSS_CMSSignedData_GetDigestByAlgTag (sigd=0x80c99e0,
    algtag=SEC_OID_UNKNOWN) at cmssigdata.c:765
#7  0x42bb7daf in NSS_CMSSignedData_VerifySignerInfo (sigd=0x80c99e0, i=0,
0x42b7ff47 in nsCMSMessage::CommonVerifySignature(unsigned char*, unsigned)
    (this=0xbfffe74c, aDigestData=0x0, aDigestDataLen=0) at nsCMS.cpp:371 #9
0x42b7f67f in nsCMSMessage::VerifySignature() (this=0x8bd1438)
    at nsCMS.cpp:174
#10 0x43117545 in MimeCMS_eof (crypto_closure=0x8972fa0, abort_p=0)
    at mimecms.cpp:606
#11 0x43115ee8 in MimeEncrypted_parse_eof (obj=0x85470e0, abort_p=0)
    at mimecryp.cpp:240
#12 0x430e434a in MimeContainer_parse_eof (object=0x8bbfe00, abort_p=0)
    at mimecont.cpp:141
#13 0x430f0e68 in MimeMessage_parse_eof (obj=0x8bbfe00, abort_p=0)
    at mimemsg.cpp:544
#14 0x430fdbad in mime_display_stream_complete (stream=0xfffffffc)
    at mimemoz2.cpp:928
#15 0x4310c410 in nsStreamConverter::OnStopRequest(nsIRequest*,
nsISupports*,
unsigned) (this=0x875c1e0, request=0x893dfc0, aCtxt=0x0, aStatus=0)
    at nsURILoader.cpp:251
#17 0x41035e78 in nsStreamListenerTee::OnStopRequest(nsIRequest*,
nsISupports*,
unsigned) (this=0x886d9d8, request=0x893dfc0, context=0x0, status=0)
    at nsStreamListenerTee.cpp:65
#18 0x41006150 in nsOnStopRequestEvent0::HandleEvent() (this=0x8b023f8)
    at nsAsyncStreamListener.cpp:319
#19 0x41005965 in nsStreamListenerEvent0::HandlePLEvent(PLEvent*) (
    aEvent=0x8b02408) at nsAsyncStreamListener.cpp:113
Comment 1 Sebastian Krahmer 2003-12-27 17:53:40 UTC 
<!-- SBZ_reproduce  -->
I will ask them to send me these "testcases"
Comment 2 Wolfgang Rosenauer 2003-12-27 23:52:35 UTC 
It would be interesting in which mozilla versions this bug was discovered.
Because this is a very vague information I will wait for more input for now.
Comment 3 Wolfgang Rosenauer 2004-01-21 14:23:52 UTC 
any news?
Comment 4 Sebastian Krahmer 2004-01-21 18:16:26 UTC 
From vendor-sec:

Date: Mon, 19 Jan 2004 11:25:25 +0000 (GMT)
From: Mark J Cox <mjc@redhat.com>
To: vendor-sec@lst.de
Cc: blizzard@redhat.com, Cameron <Cameronr@niscc.gov.uk>
Subject: [vendor-sec] Mozilla S/MIME vulnerabilities

Looks like the Mozilla folks have done some updates to fix security issues 
in S/MIME parsing; now semi-public:

http://groups.google.com/groups?q=niscc&hl=en&lr=&ie=UTF-8&oe=utf-8&scoring=d&se
lm=bu22ub%24d861%40ripley.netscape.com&rnum=2
http://groups.google.com/groups?q=niscc&hl=en&lr=&ie=UTF-8&oe=utf-8&scoring=d&se
lm=mailman.1072205941.26375.mozilla-reviewers%40mozilla.org&rnum=3

I'd probably class these issues as critical since a carefully crafted
S/MIME message can cause Mozilla to crash and, I'd bet, run arbitrary
code.

I don't have CVE names for these issues; Cameron did you get any for this?


....

I asked for fixes and their testprogram, but I fear mozilla will only fix this
in their newest version.
Comment 5 Wolfgang Rosenauer 2004-01-21 18:45:34 UTC 
they promised to maintain the 1.4 tree, which is at least used on SLES SP3 and
for newest SLEC updates. So we can still hope.
Comment 6 Sebastian Krahmer 2004-02-04 22:32:09 UTC 
At vendor-sec we have been told that theres little chance
to have it fixed in 1.4.

* Is it possible that we can update to the newest version (1.6 ?).
*

If not, we might can hope and wait for RH to backport
the fixes but the chance is little.
Comment 7 Sebastian Krahmer 2004-02-12 21:39:06 UTC 
We got some new message from vendor-sec telling that
it seems they have backported some patches. However
I do not know whether it applies to 1.4. Have you
asked whether it is possible to update to 1.6? I
think it would safe us a lot of headache.
Comment 8 Wolfgang Rosenauer 2004-02-12 23:55:22 UTC 
I don't think that project managers will do it and I can understand it.
Mozilla.org stated that 1.4 is a stable branch and will be maintained.
This should really include security-fixes. Update to 1.6 will break almost all
APIs and need more packages to be updated. At least for SLEC. We just did an 
update to 1.4.1 on SLEC because we can hopefully make updates to 1.4.2 and so on
without breaking too much.
From my point of view an update to 1.6 or newer is no option. But you are
specialist for security. If it has enough impact and is not solvable without 
updating to a newer "unmaintained" version you should discuss this with
corresponding project managers.
Comment 9 Harald Mueller-Ney 2004-02-13 00:15:42 UTC 
As your a talking about a version update on a maintained product - especially
SLEC i put the project manager into CC.

I would also say - a version update is a NO GO!
We have to fix the problem anotherway!
Comment 10 Wolfgang Rosenauer 2004-02-16 14:34:12 UTC 
OK, here is some more information.
The problem has been fixed in 1.4 branch and is included now. Mozilla 1.4.2 is
not released yet but the branch had its version bumped to 1.4.2.
There are some minor changes too in the tree and the "fix" was an update of
the internal NSS (network security services) code in Mozilla. 

Now the project-managers have to decide what to do. This affects SLES and SLEC,
so adding rf to the CC list.

A reminder note for all: The 1.4 branch is a maintained tree from mozilla.org.
Only critical fixes and no API changes go in here usually.
Comment 11 Sebastian Krahmer 2004-02-18 20:14:49 UTC 
Any decision yet what to do?
Comment 12 Wolfgang Rosenauer 2004-02-19 04:04:37 UTC 
Chris, would you please make a decision for SLEC what we should do here?
I see no risk to update to 1.4.2. (We still could name it 1.4.1 ;-)
Holger, do you expect problems with depending packages on SLEC?
Comment 13 Harald Mueller-Ney 2004-02-23 21:50:15 UTC 
After several request for an decision by the maintainer and no reaction of any
prjmgr nor the security-team it set the bug to critical.

My suggestion upgrade to Version 1.4.2.
1.4.x is the mozilla maintenance line, that should garuantee a stable api. Even
so there are some not security-related bugfixes in 1.4.2, it is IMHO the best
solution for SUSE:

- we could build SLES and SLES from one source
Comment 14 Chris Schlaeger 2004-02-23 21:53:34 UTC 
"- we could build SLES and SLES from one source" I don't understand this 
sentence, but the rest sounds reasonable. Wolfgang, please update.
Comment 15 Wolfgang Rosenauer 2004-02-23 22:04:34 UTC 
I will provide test-packages for first inclusion-tests with galeon.
Holger, you can find them in Hygiea-stark-162 when it's finished.
Please check if we get problems with galeon (are there others?)
Comment 16 Holger Hetterich 2004-02-23 22:11:09 UTC 
Ok, I'll quick build and test galeon with these packages. I suspect no problems.
Comment 17 Holger Hetterich 2004-02-24 00:19:46 UTC 
Which dists exactly are involved?

SLEC uses Galeon 1.2.13 -> no problems building your mozilla with it. This will
work -> tested.

original 8.1, SLES uses Galeon 1.2.5, it has no support for the Mozilla 1.4
branch. It must be updated to version 1.2.13 (at least), and I currently don't
know how much dependencies are involved (will see tommorrow).
Comment 18 Harald Mueller-Ney 2004-02-24 00:24:56 UTC 
Wolfgang, go ahead for SLES8 too. 
I got the ok from Thorsten Kukuk by proxy of Ralf.

But we should check against galeon before submitting it to abuild
Comment 19 Wolfgang Rosenauer 2004-02-24 03:47:43 UTC 
Focus is on maintained products. SLEC is tested by Holger and SLES8 doesn't
contain galeon IMHO. So for this we should be on the safe side.
I'm not sure about our consumer products. It seems that all Mozilla packages
before 1.6 are affected. So we would have to update 8.0 - 9.0 ?
Security-Team?  In the past we mentioned mozilla updates in a security
announcement to be on pub/projects/mozilla.
Comment 20 Sebastian Krahmer 2004-02-24 18:08:48 UTC 
Yes, makes sense. I think this issue can be put into
a section 2. Would all of SL 8.0-9.0 then
have 1.4.2 packages?
Comment 21 Wolfgang Rosenauer 2004-02-24 18:34:12 UTC 
adding aj for box-products to CC

Andreas, how should we handle updates for box products from 8.0 to 9.0?

Only Mozilla 1.4.2 or >= 1.6 will fix these issues. A backport is almost
impossible to some versions and would make very much work. 
We have on
8.0: 0.9.8
8.1: 1.0.1 
8.2: 1.2.1
9.0: 1.4

The dependencies for version upgrades besides the 1.4 branch are like hell
(Holger?).

One possibility would be to make an announcement as in
http://www.suse.com/de/security/2002_22_apache.html (section 2)

Andreas, please clarify what to do with security-team. THX
Comment 22 Holger Hetterich 2004-02-24 18:38:43 UTC 
8.1 can be updated to galeon 1.2.13 / moz 1.4.2 without further dependencies, no
problem there.

8.0 has galeon 1.0.5 (really old), checking update possibility...
Comment 23 Holger Hetterich 2004-02-24 20:13:40 UTC 
8.0 can be updated to galeon 1.2.13 /moz 1.4.2 too. 
Now please decide what to do.
Comment 24 Andreas Jaeger 2004-02-24 21:00:30 UTC 
Comment to#21: Yes, make an announcement like section 2 and only update 9.0.
Comment 25 Andreas Jaeger 2004-02-24 21:18:53 UTC 
Ok, then let's do try it...
Comment 26 Wolfgang Rosenauer 2004-02-24 21:29:36 UTC 
OK, will check in version for UL / SLEC / 9.0 soon.
And one additional note (please tell me if someone doesn't want it that way):
As Mozilla 1.4.2 is not officially released yet (and I don't know when) I want
to name the RPM version 1.4.1 while Mozilla is talking internally (about) as
version 1.4.2. Any objections?
Comment 27 Andreas Jaeger 2004-02-24 21:55:23 UTC 
No problem with the versioning
Comment 28 Wolfgang Rosenauer 2004-02-26 03:18:21 UTC 
packages and patchinfos have been submitted
Comment 29 Marcus Meissner 2008-01-20 22:11:53 UTC 
CVE-2003-0564: Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.
Comment 30 Thomas Biege 2009-10-13 19:43:20 UTC 
CVE-2003-0564: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)