Bugzilla – Bug 1053420
VUL-1: CVE-2017-11696: mozilla-nss: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
Last modified: 2020-06-26 09:41:44 UTC
Subject: Multiple unpatched flaws exist in NSS (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698)
From: geeknik via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 09 Aug 2017 15:56:22 -0400
Good afternoon. Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017 and, as of this notification,
have not been resolved; as such, I am disclosing them to the public so that anyone making use of NSS is aware that
these exist. Please note that as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.
What is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform
development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration
on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of
cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.
All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository
(https://hg.mozilla.org/projects/nss) and can all be triggered using the NSS tool `certutil` and malformed `cert8.db`
files which I have uploaded to https://github.com/geeknik/cve-fuzzing-poc.
CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
Created attachment 736428
Download the attachment as cert8.db into a directory.
certutil -d $DIRECTORY -L
It should not crash or show a fortify backtrace.
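The reproduction step above, wrapped in a small harness so the outcome can be checked mechanically rather than by eye. This is an added example, not code from the bug report, from the cve-fuzzing-poc repository or from NSS. It assumes certutil is on PATH, that the database directory is passed with the "dbm:" prefix (accepted by NSS since 3.12, and required from 3.35 on, when the SQLite format became the default), and that a bad run shows up in one of three ways: a signal exit status (128 + signal number), glibc's FORTIFY abort message, or an AddressSanitizer report on stderr.

```shell
#!/bin/sh
# Added reproduction harness (not from the bug report or from NSS): runs
# certutil -L against a scratch directory holding a cert8.db and classifies
# the outcome the way the reproduction step asks ("should not crash or show
# a fortify backtrace").

# is_dbm_hash FILE: succeed if FILE starts with the Berkeley DB 1.85 hash
# magic 0x061561 in either byte order, the on-disk format cert8.db uses.
# A fuzzed file usually keeps the magic intact; the check is informational.
is_dbm_hash() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "61150600" ] || [ "$magic" = "00061561" ]
}

# classify_run STATUS STDERR_FILE: print one word describing how certutil ended.
#   fortify - glibc FORTIFY_SOURCE abort ("*** buffer overflow detected ***")
#   asan    - AddressSanitizer report on stderr
#   signal  - killed by a signal; the shell reports 128+signo (139 = SIGSEGV,
#             134 = SIGABRT), so only 129..192 is treated as a signal and an
#             application exit(255) still counts as a plain error
#   error   - exited non-zero without crashing (e.g. could not open the db)
#   ok      - exited 0
classify_run() {
    status=$1
    errfile=$2
    if grep -q 'buffer overflow detected' "$errfile"; then
        echo fortify
    elif grep -q 'AddressSanitizer' "$errfile"; then
        echo asan
    elif [ "$status" -gt 128 ] && [ "$status" -le 192 ]; then
        echo signal
    elif [ "$status" -ne 0 ]; then
        echo error
    else
        echo ok
    fi
}

# run_certutil DBFILE: copy DBFILE into a scratch profile directory as
# cert8.db, run certutil -L on it and print the classification. The "dbm:"
# prefix forces the legacy database; NSS 3.35 and later default to SQLite.
run_certutil() {
    db=$1
    is_dbm_hash "$db" || echo "warning: $db does not carry the dbm hash magic" >&2
    dir=$(mktemp -d) || return 1
    cp "$db" "$dir/cert8.db"
    err="$dir/stderr.txt"
    st=0
    certutil -d "dbm:$dir" -L >/dev/null 2>"$err" || st=$?
    classify_run "$st" "$err"
    rm -rf "$dir"
}

# Usage: sh harness.sh /path/to/cert8.db   (prints ok, error, signal, fortify or asan)
[ $# -eq 0 ] || run_certutil "$1"
```

Run it once against a known-good cert8.db to confirm "ok", then against the attachment; anything other than "ok" or "error" reproduces the report. An ASan build of certutil gives the most useful output, since the default exit status of an ASan report is 1 and would otherwise be indistinguishable from an ordinary certutil error.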
The following CVEs are no longer valid:
* CVE-2017-11698: mozilla-nss: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
* CVE-2017-11697: mozilla-nss: Floating Point Exception in __hash_open (hash.c:229)
* CVE-2017-11696: mozilla-nss: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
* CVE-2017-11695: mozilla-nss: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)
Since these security issues were logged, Mozilla has removed the offending DBM code. They began shipping a newer database implementation based on SQLite, and made it the default in NSS 3.35 in 2018.
The legacy DBM is unmaintained and will be removed when all migrations are completed.