bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"

unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed

* bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
@ 2021-12-01 17:34 Leo Famulari
  2021-12-03  2:07 ` Mark H Weaver
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2021-12-01 17:34 UTC (permalink / raw)
  To: 52228

An attacker-controlled memory corruption vulnerability was discovered in
NSS:

https://bugs.chromium.org/p/project-zero/issues/detail?id=2237




^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
  2021-12-01 17:34 bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures" Leo Famulari
@ 2021-12-03  2:07 ` Mark H Weaver
  2021-12-04  0:28   ` Mark H Weaver
  0 siblings, 1 reply; 5+ messages in thread
From: Mark H Weaver @ 2021-12-03  2:07 UTC (permalink / raw)
  To: Leo Famulari, 52228

Hi Leo,

Leo Famulari <leo@famulari.name> writes:
> An attacker-controlled memory corruption vulnerability was discovered in
> NSS:
>
> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237

Thanks for bringing this to our attention.  I just pushed a new
'gnuzilla-updates' branch, which is 'master' plus two new commits:

--8<---------------cut here---------------start------------->8---
commit 0863c665ebc54046baac7db1fde1f1f0e24476d0
Author: Mark H Weaver <mhw@netris.org>
Date:   Thu Dec 2 20:23:16 2021 -0500

  UNTESTED: gnu: nss: Fix CVE-2021-43527 via graft.

  * gnu/packages/patches/nss-CVE-2021-43527.patch: New file.
  * gnu/local.mk (dist_patch_DATA): Add it.
  * gnu/packages/nss.scm (nss/fixed): New variable
  (nss)[replacement]: New field.

commit bc6afae2466017d1a19725a86e69e666249a1b71
Author: Mark H Weaver <mhw@netris.org>
Date:   Thu Dec 2 20:14:05 2021 -0500

  UNTESTED: gnu: icecat: Fix CVE-2021-43527.

  * gnu/packages/patches/icecat-CVE-2021-43527.patch: New file.
  * gnu/local.mk (dist_patch_DATA): Add it.
  * gnu/packages/gnuzilla.scm (icecat-source): Apply it.
--8<---------------cut here---------------end--------------->8---

As the summary lines indicate, I haven't yet tested these patches, apart
from verifying that the patched sources are built correctly.

If I'm not mistaken, ci.guix.gnu.org will soon evaluate the
'gnuzilla-updates' branch and perform the necessary rebuilds.
If all goes well, I'll cherry-pick these commits to 'master'.

If someone else verifies that the commits are good before I get to it,
please feel free to cherry-pick them to 'master' on my behalf (with the
"UNTESTED: " prefixes removed, of course).

     Regards,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
  2021-12-03  2:07 ` Mark H Weaver
@ 2021-12-04  0:28   ` Mark H Weaver
  2021-12-05  4:43     ` Leo Famulari
  0 siblings, 1 reply; 5+ messages in thread
From: Mark H Weaver @ 2021-12-04  0:28 UTC (permalink / raw)
  To: Leo Famulari, 52228

Hi,

For the record, I've pushed commits
080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
believe should fix this issue in our 'nss', 'icecat', 'icedove',
'icedove-wayland', and 'geierlein' packages.

Does anyone know if there are other packages in Guix that include a
bundled copy of NSS?  If not, I guess this bug can be closed.

      Thanks,
        Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
  2021-12-04  0:28   ` Mark H Weaver
@ 2021-12-05  4:43     ` Leo Famulari
  2022-03-23  2:34       ` Maxim Cournoyer
  0 siblings, 1 reply; 5+ messages in thread
From: Leo Famulari @ 2021-12-05  4:43 UTC (permalink / raw)
  To: Mark H Weaver; +Cc: 52228

On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
> Hi,
> 
> For the record, I've pushed commits
> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
> believe should fix this issue in our 'nss', 'icecat', 'icedove',
> 'icedove-wayland', and 'geierlein' packages.

Thanks for working on it, Mark.

> Does anyone know if there are other packages in Guix that include a
> bundled copy of NSS?  If not, I guess this bug can be closed.

Personally I don't know... I hope not. Let's wait a couple more days
before closing.




^ permalink raw reply	[flat|nested] 5+ messages in thread

* bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
  2021-12-05  4:43     ` Leo Famulari
@ 2022-03-23  2:34       ` Maxim Cournoyer
  0 siblings, 0 replies; 5+ messages in thread
From: Maxim Cournoyer @ 2022-03-23  2:34 UTC (permalink / raw)
  To: Leo Famulari; +Cc: 52228-done

Hello,

Leo Famulari <leo@famulari.name> writes:

> On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
>> Hi,
>> 
>> For the record, I've pushed commits
>> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
>> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
>> believe should fix this issue in our 'nss', 'icecat', 'icedove',
>> 'icedove-wayland', and 'geierlein' packages.
>
> Thanks for working on it, Mark.
>
>> Does anyone know if there are other packages in Guix that include a
>> bundled copy of NSS?  If not, I guess this bug can be closed.
>
> Personally I don't know... I hope not. Let's wait a couple more days
> before closing.

It's been 15 weeks :-).

Closing.

Maxim




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-03-23  2:35 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-01 17:34 bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures" Leo Famulari
2021-12-03  2:07 ` Mark H Weaver
2021-12-04  0:28   ` Mark H Weaver
2021-12-05  4:43     ` Leo Famulari
2022-03-23  2:34       ` Maxim Cournoyer

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).