Bug 11512

Summary: nss - Avoid uninitialized data read in the event of a decryption failure (CVE-2013-1739)
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: 3   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/570149/
Whiteboard: MGA2TOO
Source RPM: nss CVE:
Status comment:
Bug Depends on: 11370    
Bug Blocks:    

Description Oden Eriksson 2013-10-23 07:36:21 CEST 
======================================================
Name: CVE-2013-1739
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1739
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130213
Category: 
Reference: CONFIRM:https://bugzilla.mozilla.org/show_bug.cgi?id=894370
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=1012656
Reference: CONFIRM:https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.2_release_notes

Mozilla Network Security Services (NSS) before 3.15.2 does not ensure
that data structures are initialized before read operations, which
allow remote attackers to cause a denial of service or possibly have
unspecified other impact via vectors that trigger a decryption
failure.


Reproducible: 

Steps to Reproduce:
Comment 2 David Walser 2013-10-23 15:05:06 CEST 
Yep, I mentioned this one here:
https://bugs.mageia.org/show_bug.cgi?id=11370#c2

I was thinking we could wait and push this when we do the FF/TB 24 updates.  Any reason to do it sooner?

URL: (none) => http://lwn.net/Vulnerabilities/570149/
Version: 2 => 3
Depends on: (none) => 11370
Summary: CVE-2013-1739: nss - Avoid uninitialized data read in the event of a decryption failure. => nss - Avoid uninitialized data read in the event of a decryption failure (CVE-2013-1739)
Whiteboard: (none) => MGA2TOO

Comment 3 Oden Eriksson 2013-10-23 15:08:49 CEST 
Ãou could, but I chose not to wait as I don't know when there's a new security release of ff 24.
Comment 4 David Walser 2013-11-10 00:54:25 CET 
Fixed now that the Firefox update has been pushed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED