Bugzilla – Bug 48771
VUL-0: CVE-2003-0564: mozilla S/MIME overflow
Last modified: 2017-08-22 07:00:29 UTC
From: Mark J Cox <mjc@redhat.com> To: vendor-sec@lst.de Cc: blizzard@redhat.com Subject: [vendor-sec] Mozilla S/Mime issues Cameron from NISCC asked me to foward this on to everyone here; the S/MIME vulnerability research they have been doing has found flaws in Mozilla. No date has been set for this yet, no CVE name yet. ---------- Forwarded message ---------- http://bugzilla.mozilla.org/show_bug.cgi?id=229242 Summary: mozilla will crash when receiving S/MIME message (Detached Signed Data with CA and client certs) Product: NSS Version: unspecified Platform: PC OS/Version: Linux Status: NEW Severity: normal Priority: -- Component: Libraries AssignedTo: wchang0222@aol.com ReportedBy: Louie.Zhao@sun.com QAContact: bishakhabanerjee@aol.com NISCC (http://www.uniras.gov.uk/vuls/) developed some testcases to detect vulnerability in S/MIME implementation. Unfortuately, mozilla will crash when receiving one kind of S/MIME message (Detached Signed Data with CA and client certs). Below is the stack when crashing: #0 0x40799771 in nanosleep () from /lib/i686/libc.so.6 #1 0x40799639 in sleep () from /lib/i686/libc.so.6 #2 0x0806db06 in ah_crap_handler(int) (signum=11) at nsSigHandlers.cpp:149 #3 0x421a885c in nsProfileLock::FatalSignalHandler(int) (signo=11) at nsProfileLock.cpp:195 #4 0x400f7a6a in pthread_sighandler () from /lib/i686/libpthread.so.0 #5 <signal handler called> #6 0x42bb81d2 in NSS_CMSSignedData_GetDigestByAlgTag (sigd=0x80c99e0, algtag=SEC_OID_UNKNOWN) at cmssigdata.c:765 #7 0x42bb7daf in NSS_CMSSignedData_VerifySignerInfo (sigd=0x80c99e0, i=0, 0x42b7ff47 in nsCMSMessage::CommonVerifySignature(unsigned char*, unsigned) (this=0xbfffe74c, aDigestData=0x0, aDigestDataLen=0) at nsCMS.cpp:371 #9 0x42b7f67f in nsCMSMessage::VerifySignature() (this=0x8bd1438) at nsCMS.cpp:174 #10 0x43117545 in MimeCMS_eof (crypto_closure=0x8972fa0, abort_p=0) at mimecms.cpp:606 #11 0x43115ee8 in MimeEncrypted_parse_eof (obj=0x85470e0, abort_p=0) at mimecryp.cpp:240 #12 0x430e434a in MimeContainer_parse_eof (object=0x8bbfe00, abort_p=0) at mimecont.cpp:141 #13 0x430f0e68 in MimeMessage_parse_eof (obj=0x8bbfe00, abort_p=0) at mimemsg.cpp:544 #14 0x430fdbad in mime_display_stream_complete (stream=0xfffffffc) at mimemoz2.cpp:928 #15 0x4310c410 in nsStreamConverter::OnStopRequest(nsIRequest*, nsISupports*, unsigned) (this=0x875c1e0, request=0x893dfc0, aCtxt=0x0, aStatus=0) at nsURILoader.cpp:251 #17 0x41035e78 in nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, unsigned) (this=0x886d9d8, request=0x893dfc0, context=0x0, status=0) at nsStreamListenerTee.cpp:65 #18 0x41006150 in nsOnStopRequestEvent0::HandleEvent() (this=0x8b023f8) at nsAsyncStreamListener.cpp:319 #19 0x41005965 in nsStreamListenerEvent0::HandlePLEvent(PLEvent*) ( aEvent=0x8b02408) at nsAsyncStreamListener.cpp:113
<!-- SBZ_reproduce --> I will ask them to send me these "testcases"
It would be interesting in which mozilla versions this bug was discovered. Because this is a very vague information I will wait for more input for now.
any news?
From vendor-sec: Date: Mon, 19 Jan 2004 11:25:25 +0000 (GMT) From: Mark J Cox <mjc@redhat.com> To: vendor-sec@lst.de Cc: blizzard@redhat.com, Cameron <Cameronr@niscc.gov.uk> Subject: [vendor-sec] Mozilla S/MIME vulnerabilities Looks like the Mozilla folks have done some updates to fix security issues in S/MIME parsing; now semi-public: http://groups.google.com/groups?q=niscc&hl=en&lr=&ie=UTF-8&oe=utf-8&scoring=d&se lm=bu22ub%24d861%40ripley.netscape.com&rnum=2 http://groups.google.com/groups?q=niscc&hl=en&lr=&ie=UTF-8&oe=utf-8&scoring=d&se lm=mailman.1072205941.26375.mozilla-reviewers%40mozilla.org&rnum=3 I'd probably class these issues as critical since a carefully crafted S/MIME message can cause Mozilla to crash and, I'd bet, run arbitrary code. I don't have CVE names for these issues; Cameron did you get any for this? .... I asked for fixes and their testprogram, but I fear mozilla will only fix this in their newest version.
they promised to maintain the 1.4 tree, which is at least used on SLES SP3 and for newest SLEC updates. So we can still hope.
At vendor-sec we have been told that theres little chance to have it fixed in 1.4. * Is it possible that we can update to the newest version (1.6 ?). * If not, we might can hope and wait for RH to backport the fixes but the chance is little.
We got some new message from vendor-sec telling that it seems they have backported some patches. However I do not know whether it applies to 1.4. Have you asked whether it is possible to update to 1.6? I think it would safe us a lot of headache.
I don't think that project managers will do it and I can understand it. Mozilla.org stated that 1.4 is a stable branch and will be maintained. This should really include security-fixes. Update to 1.6 will break almost all APIs and need more packages to be updated. At least for SLEC. We just did an update to 1.4.1 on SLEC because we can hopefully make updates to 1.4.2 and so on without breaking too much. From my point of view an update to 1.6 or newer is no option. But you are specialist for security. If it has enough impact and is not solvable without updating to a newer "unmaintained" version you should discuss this with corresponding project managers.
As your a talking about a version update on a maintained product - especially SLEC i put the project manager into CC. I would also say - a version update is a NO GO! We have to fix the problem anotherway!
OK, here is some more information. The problem has been fixed in 1.4 branch and is included now. Mozilla 1.4.2 is not released yet but the branch had its version bumped to 1.4.2. There are some minor changes too in the tree and the "fix" was an update of the internal NSS (network security services) code in Mozilla. Now the project-managers have to decide what to do. This affects SLES and SLEC, so adding rf to the CC list. A reminder note for all: The 1.4 branch is a maintained tree from mozilla.org. Only critical fixes and no API changes go in here usually.
Any decision yet what to do?
Chris, would you please make a decision for SLEC what we should do here? I see no risk to update to 1.4.2. (We still could name it 1.4.1 ;-) Holger, do you expect problems with depending packages on SLEC?
After several request for an decision by the maintainer and no reaction of any prjmgr nor the security-team it set the bug to critical. My suggestion upgrade to Version 1.4.2. 1.4.x is the mozilla maintenance line, that should garuantee a stable api. Even so there are some not security-related bugfixes in 1.4.2, it is IMHO the best solution for SUSE: - we could build SLES and SLES from one source
"- we could build SLES and SLES from one source" I don't understand this sentence, but the rest sounds reasonable. Wolfgang, please update.
I will provide test-packages for first inclusion-tests with galeon. Holger, you can find them in Hygiea-stark-162 when it's finished. Please check if we get problems with galeon (are there others?)
Ok, I'll quick build and test galeon with these packages. I suspect no problems.
Which dists exactly are involved? SLEC uses Galeon 1.2.13 -> no problems building your mozilla with it. This will work -> tested. original 8.1, SLES uses Galeon 1.2.5, it has no support for the Mozilla 1.4 branch. It must be updated to version 1.2.13 (at least), and I currently don't know how much dependencies are involved (will see tommorrow).
Wolfgang, go ahead for SLES8 too. I got the ok from Thorsten Kukuk by proxy of Ralf. But we should check against galeon before submitting it to abuild
Focus is on maintained products. SLEC is tested by Holger and SLES8 doesn't contain galeon IMHO. So for this we should be on the safe side. I'm not sure about our consumer products. It seems that all Mozilla packages before 1.6 are affected. So we would have to update 8.0 - 9.0 ? Security-Team? In the past we mentioned mozilla updates in a security announcement to be on pub/projects/mozilla.
Yes, makes sense. I think this issue can be put into a section 2. Would all of SL 8.0-9.0 then have 1.4.2 packages?
adding aj for box-products to CC Andreas, how should we handle updates for box products from 8.0 to 9.0? Only Mozilla 1.4.2 or >= 1.6 will fix these issues. A backport is almost impossible to some versions and would make very much work. We have on 8.0: 0.9.8 8.1: 1.0.1 8.2: 1.2.1 9.0: 1.4 The dependencies for version upgrades besides the 1.4 branch are like hell (Holger?). One possibility would be to make an announcement as in http://www.suse.com/de/security/2002_22_apache.html (section 2) Andreas, please clarify what to do with security-team. THX
8.1 can be updated to galeon 1.2.13 / moz 1.4.2 without further dependencies, no problem there. 8.0 has galeon 1.0.5 (really old), checking update possibility...
8.0 can be updated to galeon 1.2.13 /moz 1.4.2 too. Now please decide what to do.
Comment to#21: Yes, make an announcement like section 2 and only update 9.0.
Ok, then let's do try it...
OK, will check in version for UL / SLEC / 9.0 soon. And one additional note (please tell me if someone doesn't want it that way): As Mozilla 1.4.2 is not officially released yet (and I don't know when) I want to name the RPM version 1.4.1 while Mozilla is talking internally (about) as version 1.4.2. Any objections?
No problem with the versioning
packages and patchinfos have been submitted
CVE-2003-0564: Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite.
CVE-2003-0564: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)