Bug 1053420 - (CVE-2017-11696) VUL-1: CVE-2017-11696: mozilla-nss: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Charles Robertson
Security Team bot
https://smash.suse.de/issue/190267/
CVSSv2:SUSE:CVE-2017-11696:4.9:(AV:L...
Depends on:
Blocks:
Reported: 2017-08-11 12:17 UTC by Marcus Meissner
Modified: 2020-06-26 09:41 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
cert8.db (32.50 KB, application/octet-stream)
2017-08-14 07:15 UTC, Marcus Meissner

Description Marcus Meissner 2017-08-11 12:17:21 UTC
CVE-2017-11696

http://seclists.org/fulldisclosure/2017/Aug/17

Multiple unpatched flaws exist in NSS (CVE-2017-11695, CVE-2017-11696, CVE-2017-11697, CVE-2017-11698)
From: geeknik via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 09 Aug 2017 15:56:22 -0400

Good afternoon. Multiple flaws in NSS were reported to Mozilla on or around 28 April 2017 and as of this notification have not been resolved and as such, I am disclosing them to the public so that anyone making use of NSS is aware that these exist. Please note that as I send this, the bugs remain hidden on the Mozilla Bugzilla tracker.

What is NSS? Network Security Services (NSS) comprises a set of libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME.

All of the following flaws were triggered with changeset 13315:769f9ae07b10 in Mozilla's Mercurial repository (https://hg.mozilla.org/projects/nss) and can all be triggered using the NSS tool `certutil` and malformed `cert8.db` files which I have uploaded to https://github.com/geeknik/cve-fuzzing-poc.

CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11696
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11696
http://seclists.org/fulldisclosure/2017/Aug/17
https://bugzilla.mozilla.org/show_bug.cgi?id=1360778
https://github.com/geeknik/cve-fuzzing-poc
Comment 1 Marcus Meissner 2017-08-14 07:15:53 UTC
Created attachment 736428 [details]
cert8.db

QA REPRODUCER:

Download the attachment as cert8.db into a directory.

Run:

certutil -d $DIRECTORY -L

It should not crash or show a FORTIFY backtrace.
Comment 2 Charles Robertson 2019-12-10 21:28:09 UTC
The following CVEs are no longer valid:

* CVE-2017-11698: mozilla-nss: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
* CVE-2017-11697: mozilla-nss: Floating Point Exception in __hash_open (hash.c:229)
* CVE-2017-11696: mozilla-nss: heap-buffer-overflow (write of size 65544) in __hash_open (lib/dbm/src/hash.c:241)
* CVE-2017-11695: mozilla-nss: heap-buffer-overflow (write of size 8) in alloc_segs (lib/dbm/src/hash.c:1105)

Since these security issues were logged, Mozilla has removed the offending DBM code. They began shipping a newer database implementation based on SQLite, and made it the default in NSS 3.35 in 2018.

The legacy DBM is unmaintained and will be removed when all migrations are completed.

https://bugzilla.mozilla.org/show_bug.cgi?id=1594931
https://bugzilla.mozilla.org/show_bug.cgi?id=1594933
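Comment 2 resolves the bug by noting that the legacy DBM store (the `cert8.db` files exercised by the reproducer) was superseded by an SQLite-backed store that became the NSS default in 3.35 and remains unmaintained until removal. The practical follow-up for an administrator is to find out which NSS database directories on a host are still in the legacy format. The POSIX shell script below is an added example, not part of this bug report or of NSS; it classifies a directory by the file names NSS uses for each format (`cert8.db`/`key3.db` for DBM, `cert9.db`/`key4.db` for the SQLite store) and lists every directory under a tree that still carries a DBM store. The sample tree it builds under `mktemp -d` is constructed for the demonstration; `nss_db_format`, `find_legacy_nss_dbs` and `make_sample_tree` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the bug report): inventory NSS database directories
# by on-disk format so that stores still on the unmaintained legacy DBM
# format can be migrated to the SQLite store NSS defaults to since 3.35.

# Classify one directory. Prints: dbm, sql, both or none.
# Legacy DBM stores use cert8.db/key3.db; SQLite stores use cert9.db/key4.db.
nss_db_format() {
    _dir=$1
    _dbm=0
    _sql=0
    if [ -f "$_dir/cert8.db" ] || [ -f "$_dir/key3.db" ]; then _dbm=1; fi
    if [ -f "$_dir/cert9.db" ] || [ -f "$_dir/key4.db" ]; then _sql=1; fi
    case "$_dbm$_sql" in
        10) echo dbm ;;
        01) echo sql ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Walk a tree and print (once each, sorted) every directory that still holds
# a legacy DBM certificate or key database.
find_legacy_nss_dbs() {
    find "$1" -type f \( -name cert8.db -o -name key3.db \) 2>/dev/null \
        | while IFS= read -r _f; do dirname "$_f"; done | sort -u
}

# Build a constructed sample tree (empty placeholder files, not real NSS
# databases) covering each case, and print its root so callers can clean up.
make_sample_tree() {
    _root=$(mktemp -d)
    mkdir -p "$_root/legacy" "$_root/modern" "$_root/mixed" "$_root/empty"
    : > "$_root/legacy/cert8.db"; : > "$_root/legacy/key3.db"
    : > "$_root/modern/cert9.db"; : > "$_root/modern/key4.db"
    : > "$_root/mixed/cert8.db";  : > "$_root/mixed/cert9.db"
    echo "$_root"
}

# Demonstration on the constructed tree.
root=$(make_sample_tree)
for d in legacy modern mixed empty; do
    printf '%s: %s\n' "$d" "$(nss_db_format "$root/$d")"
done
echo "Directories still on legacy DBM:"
find_legacy_nss_dbs "$root"
rm -rf "$root"
```

On a real host, point `find_legacy_nss_dbs` at the locations your applications keep NSS stores in (Firefox and Thunderbird profiles, `/etc/pki/nssdb`, and so on); `certutil` also accepts explicit `sql:` and `dbm:` prefixes on its `-d` argument, which is the usual way to check whether a directory is readable in the newer format.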