Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200703-22 ] Mozilla Network Security Service: Remote execution of arbitrary code
Date: Wed, 21 Mar 2007 06:13:41
Message-Id: 20070320215100.GH24559@falco.falcal.net
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200703-22
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Mozilla Network Security Service: Remote execution of
9 arbitrary code
10 Date: March 20, 2007
11 Bugs: #165555
12 ID: 200703-22
13
14 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15
16 Synopsis
17 ========
18
19 The Mozilla Network Security Services libraries are vulnerable to two
20 buffer overflows that could result in the remote execution of arbitrary
21 code.
22
23 Background
24 ==========
25
26 The Mozilla Network Security Service is a library implementing security
27 features like SSL v2/v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
28 S/MIME and X.509 certificates.
29
30 Affected packages
31 =================
32
33 -------------------------------------------------------------------
34 Package / Vulnerable / Unaffected
35 -------------------------------------------------------------------
36 1 dev-libs/nss < 3.11.5 >= 3.11.5
37
38 Description
39 ===========
40
41 iDefense has reported two potential buffer overflow vulnerabilities
42 found by researcher "regenrecht" in the code implementing the SSLv2
43 protocol.
44
45 Impact
46 ======
47
48 A remote attacker could send a specially crafted SSL master key to a
49 server using NSS for the SSLv2 protocol, or entice a user to connect to
50 a malicious server with a client-side application using NSS like one of
51 the Mozilla products. This could trigger the vulnerabilities and result
52 in the possible execution of arbitrary code with the rights of the
53 vulnerable application.
54
55 Workaround
56 ==========
57
58 Disable the SSLv2 protocol in the applications using NSS.
59
60 Resolution
61 ==========
62
63 All NSS users should upgrade to the latest version:
64
65 # emerge --sync
66 # emerge --ask --oneshot --verbose ">=dev-libs/nss-3.11.5"
67
68 References
69 ==========
70
71 [ 1 ] CVE-2007-0008
72 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
73 [ 2 ] CVE-2007-0009
74 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0009
75
76 Availability
77 ============
78
79 This GLSA and any updates to it are available for viewing at
80 the Gentoo Security Website:
81
82 http://security.gentoo.org/glsa/glsa-200703-22.xml
83
84 Concerns?
85 =========
86
87 Security is a primary focus of Gentoo Linux and ensuring the
88 confidentiality and security of our users machines is of utmost
89 importance to us. Any security concerns should be addressed to
90 security@g.o or alternatively, you may file a bug at
91 http://bugs.gentoo.org.
92
93 License
94 =======
95
96 Copyright 2007 Gentoo Foundation, Inc; referenced text
97 belongs to its owner(s).
98
99 The contents of this document are licensed under the
100 Creative Commons - Attribution / Share Alike license.
101
102 http://creativecommons.org/licenses/by-sa/2.5