From: Mark H Weaver
Subject: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
To: Leo Famulari, 52228@debbugs.gnu.org
Cc: bug-guix@gnu.org
Date: Thu, 02 Dec 2021 21:07:41 -0500
Message-ID: <87ee6uo2yf.fsf@netris.org>
List-Id: Bug reports for GNU Guix
Hi Leo,

Leo Famulari writes:

> An attacker-controlled memory corruption vulnerability was discovered in
> NSS:
>
> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237

Thanks for bringing this to our attention.

I just pushed a new 'gnuzilla-updates' branch, which is 'master' plus two
new commits:

--8<---------------cut here---------------start------------->8---
commit 0863c665ebc54046baac7db1fde1f1f0e24476d0
Author: Mark H Weaver
Date:   Thu Dec 2 20:23:16 2021 -0500

    UNTESTED: gnu: nss: Fix CVE-2021-43527 via graft.

    * gnu/packages/patches/nss-CVE-2021-43527.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/nss.scm (nss/fixed): New variable.
    (nss)[replacement]: New field.

commit bc6afae2466017d1a19725a86e69e666249a1b71
Author: Mark H Weaver
Date:   Thu Dec 2 20:14:05 2021 -0500

    UNTESTED: gnu: icecat: Fix CVE-2021-43527.

    * gnu/packages/patches/icecat-CVE-2021-43527.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/gnuzilla.scm (icecat-source): Apply it.
--8<---------------cut here---------------end--------------->8---

As the summary lines indicate, I haven't yet tested these patches, apart
from verifying that the patched sources are built correctly.

If I'm not mistaken, ci.guix.gnu.org will soon evaluate the
'gnuzilla-updates' branch and perform the necessary rebuilds. If all goes
well, I'll cherry-pick these commits to 'master'.

If someone else verifies that the commits are good before I get to it,
please feel free to cherry-pick them to 'master' on my behalf (with the
"UNTESTED: " prefixes removed, of course).

Regards,
Mark

--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about .
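For readers who have not wired up a Guix graft before, the following is an added illustration of the mechanism the first commit message names ("Fix CVE-2021-43527 via graft": a new nss/fixed variable, and a new replacement field on nss). It is not the contents of commit 0863c665, whose diff is not part of this message, and it is not Mark's code. Only the names nss, nss/fixed and nss-CVE-2021-43527.patch come from the commit message; the module placement, the exact field layout and the check function are assumptions.

```scheme
;; Added example: the shape of a Guix graft as described in the commit
;; message "gnu: nss: Fix CVE-2021-43527 via graft".  Not the actual commit.
;; Assumed: this sits in gnu/packages/nss.scm next to the existing 'nss'
;; definition, and nss-CVE-2021-43527.patch has been added under
;; gnu/packages/patches/ and listed in gnu/local.mk (dist_patch_DATA).
(use-modules (guix packages)       ; package, origin, package-replacement, ...
             (gnu packages)        ; search-patches
             (srfi srfi-1))        ; any

;; nss/fixed is the existing nss package plus one more patch.  Version,
;; build system and inputs are inherited unchanged, so the result is a
;; drop-in replacement whose store item can be swapped for nss's.
(define-public nss/fixed
  (package
    (inherit nss)
    (source (origin
              (inherit (package-source nss))
              ;; Keep the patches nss already applies and add the CVE fix.
              (patches (append (origin-patches (package-source nss))
                               (search-patches "nss-CVE-2021-43527.patch")))))))

;; The existing nss definition gains exactly one field:
;;
;;   (define-public nss
;;     (package
;;       (name "nss")
;;       ...                           ; existing fields, unchanged
;;       (replacement nss/fixed)))     ; graft nss/fixed over nss
;;
;; 'replacement' is a thunked field, so nss may refer to nss/fixed even
;; though nss/fixed is defined further down in the same module.

;; Check (e.g. in 'guix repl' after (use-modules (gnu packages nss))):
;; does PKG carry a replacement with the same name, and does that
;; replacement's source list PATCH-NAME?  search-patches yields file
;; names, so a suffix match on the string is sufficient here.
(define (graft-has-patch? pkg patch-name)
  (let ((fixed (package-replacement pkg)))
    (and fixed
         (string=? (package-name fixed) (package-name pkg))
         (any (lambda (patch)
                (and (string? patch)
                     (string-suffix? patch-name patch)))
              (origin-patches (package-source fixed))))))

;; (graft-has-patch? nss "nss-CVE-2021-43527.patch") => #t once the graft
;; is in place; #f if the replacement field or the patch is missing.
```

Two practitioner notes on grafts. First, the graft does not rebuild the packages that depend on nss: Guix builds nss/fixed, then rewrites references to the old nss store path in the already-built outputs of dependents, which is why a replacement must be a genuine drop-in (same name, ABI-compatible, same-length store path). Second, to see both sides of the graft, compare `guix build nss` (grafted, the store path users get) with `guix build --no-grafts nss` (the original, unpatched build); the two store paths differ, and only the former carries the fix.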