GNU bug report logs - #52228
NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"


Package: guix

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Wed, 1 Dec 2021 17:35:02 UTC

Severity: normal

Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#52228; Package guix. (Wed, 01 Dec 2021 17:35:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 01 Dec 2021 17:35:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
Date: Wed, 1 Dec 2021 12:34:27 -0500

An attacker-controlled memory corruption vulnerability was discovered in
NSS:

https://bugs.chromium.org/p/project-zero/issues/detail?id=2237




Information forwarded to bug-guix <at> gnu.org:
bug#52228; Package guix. (Fri, 03 Dec 2021 02:09:02 GMT)

Message #8 received at 52228 <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>, 52228 <at> debbugs.gnu.org
Subject: Re: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
Date: Thu, 02 Dec 2021 21:07:41 -0500

Hi Leo,

Leo Famulari <leo <at> famulari.name> writes:
> An attacker-controlled memory corruption vulnerability was discovered in
> NSS:
>
> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237

Thanks for bringing this to our attention.  I just pushed a new
'gnuzilla-updates' branch, which is 'master' plus two new commits:

--8<---------------cut here---------------start------------->8---
commit 0863c665ebc54046baac7db1fde1f1f0e24476d0
Author: Mark H Weaver <mhw <at> netris.org>
Date:   Thu Dec 2 20:23:16 2021 -0500

  UNTESTED: gnu: nss: Fix CVE-2021-43527 via graft.
  
  * gnu/packages/patches/nss-CVE-2021-43527.patch: New file.
  * gnu/local.mk (dist_patch_DATA): Add it.
  * gnu/packages/nss.scm (nss/fixed): New variable
  (nss)[replacement]: New field.

commit bc6afae2466017d1a19725a86e69e666249a1b71
Author: Mark H Weaver <mhw <at> netris.org>
Date:   Thu Dec 2 20:14:05 2021 -0500

  UNTESTED: gnu: icecat: Fix CVE-2021-43527.
  
  * gnu/packages/patches/icecat-CVE-2021-43527.patch: New file.
  * gnu/local.mk (dist_patch_DATA): Add it.
  * gnu/packages/gnuzilla.scm (icecat-source): Apply it.
--8<---------------cut here---------------end--------------->8---

As the summary lines indicate, I haven't yet tested these patches, apart
from verifying that the patched sources are built correctly.

If I'm not mistaken, ci.guix.gnu.org will soon evaluate the
'gnuzilla-updates' branch and perform the necessary rebuilds.
If all goes well, I'll cherry-pick these commits to 'master'.

If someone else verifies that the commits are good before I get to it,
please feel free to cherry-pick them to 'master' on my behalf (with the
"UNTESTED: " prefixes removed, of course).

     Regards,
       Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.




Information forwarded to bug-guix <at> gnu.org:
bug#52228; Package guix. (Sat, 04 Dec 2021 00:30:02 GMT)

Message #11 received at 52228 <at> debbugs.gnu.org:

From: Mark H Weaver <mhw <at> netris.org>
To: Leo Famulari <leo <at> famulari.name>, 52228 <at> debbugs.gnu.org
Subject: Re: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
Date: Fri, 03 Dec 2021 19:28:18 -0500

Hi,

For the record, I've pushed commits
080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
believe should fix this issue in our 'nss', 'icecat', 'icedove',
'icedove-wayland', and 'geierlein' packages.

Does anyone know if there are other packages in Guix that include a
bundled copy of NSS?  If not, I guess this bug can be closed.

      Thanks,
        Mark

-- 
Disinformation flourishes because many people care deeply about injustice
but very few check the facts.  Ask me about <https://stallmansupport.org>.




Information forwarded to bug-guix <at> gnu.org:
bug#52228; Package guix. (Sun, 05 Dec 2021 04:44:02 GMT)

Message #14 received at 52228 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Mark H Weaver <mhw <at> netris.org>
Cc: 52228 <at> debbugs.gnu.org
Subject: Re: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
Date: Sat, 4 Dec 2021 23:43:23 -0500

On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
> Hi,
> 
> For the record, I've pushed commits
> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
> believe should fix this issue in our 'nss', 'icecat', 'icedove',
> 'icedove-wayland', and 'geierlein' packages.

Thanks for working on it, Mark.

> Does anyone know if there are other packages in Guix that include a
> bundled copy of NSS?  If not, I guess this bug can be closed.

Personally I don't know... I hope not. Let's wait a couple more days
before closing.




Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility. (Wed, 23 Mar 2022 02:35:01 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Wed, 23 Mar 2022 02:35:02 GMT)

Message #19 received at 52228-done <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 52228-done <at> debbugs.gnu.org, Mark H Weaver <mhw <at> netris.org>
Subject: Re: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
Date: Tue, 22 Mar 2022 22:34:36 -0400

Hello,

Leo Famulari <leo <at> famulari.name> writes:

> On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
>> Hi,
>> 
>> For the record, I've pushed commits
>> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
>> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
>> believe should fix this issue in our 'nss', 'icecat', 'icedove',
>> 'icedove-wayland', and 'geierlein' packages.
>
> Thanks for working on it, Mark.
>
>> Does anyone know if there are other packages in Guix that include a
>> bundled copy of NSS?  If not, I guess this bug can be closed.
>
> Personally I don't know... I hope not. Let's wait a couple more days
> before closing.

It's been 15 weeks :-).

Closing.

Maxim




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:09 GMT)

This bug report was last modified 2 years ago.
