[arch-security] [ASA-201412-18] nss: signature forgery

Levente Polyak anthraxx at archlinux.org
Tue Dec 16 12:58:21 UTC 2014


Arch Linux Security Advisory ASA-201412-18
==========================================

Severity: High
Date    : 2014-12-16
CVE-ID  : CVE-2014-1569
Package : nss
Type    : signature forgery
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package nss before version 3.17.3-1 is vulnerable to signature forgery.

Resolution
==========

Upgrade to 3.17.3-1.

# pacman -Syu "nss>=3.17.3-1"

The problem has been fixed upstream in version 3.17.3.

Workaround
==========

None.

Description
===========

The definite_length_decoder function in lib/util/quickder.c in Mozilla
Network Security Services (NSS) does not ensure that the DER encoding of
an ASN.1 length is properly formed, which allows remote attackers to
conduct data-smuggling attacks by using a long byte sequence for an
encoding, as demonstrated by the SEC_QuickDERDecodeItem function's
improper handling of an arbitrary-length encoding of 0x00.

This update also adds support for the TLS Fallback Signaling Cipher
Suite Value (TLS_FALLBACK_SCSV) in NSS, which can be used to prevent
protocol downgrade attacks against applications which re-connect using a
lower SSL/TLS protocol version when the initial connection indicating
the highest supported protocol version fails. This can prevent a
forceful downgrade of the communication to SSL 3.0, mitigating
CVE-2014-3566, also known as POODLE. SSL 3.0 support has also been
disabled by default in this Firefox and Thunderbird update, further
mitigating POODLE.

Impact
======

A remote attacker is able to smuggle arbitrary data into an ASN.1 object
in order to forge certificates that are considered trusted.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1569
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
https://hg.mozilla.org/projects/nss/rev/e9a7991380db
https://bugzilla.mozilla.org/show_bug.cgi?id=1064670
https://bugs.archlinux.org/task/42760

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20141216/2147b04c/attachment.bin>


More information about the arch-security mailing list