[ASA-202112-4] lib32-nss: arbitrary code execution
diabonas at archlinux.org
Mon Dec 6 14:48:36 UTC 2021
Arch Linux Security Advisory ASA-202112-4
Date : 2021-12-03
CVE-ID : CVE-2021-43527
Package : lib32-nss
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-2597
The package lib32-nss before version 3.73-1 is vulnerable to arbitrary
Upgrade to 3.73-1.
# pacman -Syu "lib32-nss>=3.73-1"
The problem has been fixed upstream in version 3.73.
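To confirm the upgrade took effect, the following added example (not part of the advisory) compares the installed lib32-nss version with the fixed release 3.73-1 and lists processes that still map the replaced library and need a restart. The path /usr/lib32/libnss3.so and the function names are assumptions, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of the advisory.
FIXED="3.73-1"                    # fixed lib32-nss release named in the advisory
NSS_LIB="/usr/lib32/libnss3.so"   # assumption: library path, not stated in the advisory

# ver_ge A B: succeed when package version A >= B.
ver_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]      # pacman's own version comparison
    else
        # Fallback for hosts without pacman; does not understand epochs.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# pkg_status "NAME VERSION": classify one line of `pacman -Q` output.
pkg_status() {
    set -- $1
    if ver_ge "$2" "$FIXED"; then
        echo "OK $1 $2"
    else
        echo "VULNERABLE $1 $2 (fixed in $FIXED)"
    fi
}

# has_stale_nss: read /proc/PID/maps text on stdin; succeed when the library is
# mapped from a file that was replaced on disk (the kernel appends "(deleted)").
has_stale_nss() {
    grep -qF -- "${NSS_LIB} (deleted)"
}

# audit: check the installed package, then every readable process.
audit() {
    line=$(pacman -Q lib32-nss 2>/dev/null) || { echo "lib32-nss not installed"; return 0; }
    pkg_status "$line"
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if has_stale_nss < "$maps"; then
            echo "RESTART pid $pid ($(cat "/proc/$pid/comm" 2>/dev/null))"
        fi
    done
}

if command -v pacman >/dev/null 2>&1; then audit; fi
```

Run it as root to cover processes owned by other users; unreadable maps files are skipped.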
NSS (Network Security Services) versions prior to 3.73 are vulnerable
to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures.
Applications using NSS for handling signatures encoded within CMS,
S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications
using NSS for certificate validation or other TLS, X.509, OCSP or CRL
functionality may be impacted, depending on how they configure NSS.
Note: This vulnerability does NOT impact Mozilla Firefox. However,
email clients and PDF viewers that use NSS for signature verification,
such as Thunderbird, LibreOffice, Evolution and Evince are believed to
A remote attacker could execute arbitrary code through crafted