Bug 11669 - firefox update & rootcerts new certificate data available, nss new security issues fixed in 3.15.3
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/574311/
Whiteboard: MGA2TOO has_procedure advisory mga2-3...
Keywords: validated_update

Reported: 2013-11-14 17:23 CET by David Walser
Modified: 2013-11-20 22:02 CET (History)

Source RPM: rootcerts-20130411.0-2.mga4.src.rpm

Description David Walser 2013-11-14 17:23:12 CET
Upstream has updated certdata.txt as of 2013-11-11:
https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt

I've updated it in SVN, but not requested a freeze push yet.

I went looking for this because I noticed that omdv had updated their rootcerts package:
https://abf.rosalinux.ru/openmandriva/rootcerts/commits/master

Their version tag is actually incorrect, as the certdata.txt that they uploaded is the 2013-04-11 version that we already have.  Besides updating that, they've also added three other certs local to their package, cacert_class3.der (which appears to be related to the cacert.org.der that we already have), rootca_der.crt, and publicxca_der.crt.  I don't know if we should add these, especially since we already have one request in bugzilla to remove the existing cacert.org one that we have.

Assigning to Oden for advice on how to proceed.

Comment 1 David Walser 2013-11-16 00:14:13 CET
As you might expect, new nspr and nss releases were also released on November 11.  I've checked them into SVN for Mageia 2, Mageia 3, and Cauldron.  I'll request a push once we decide what to do with rootcerts.
Comment 2 Oden Eriksson 2013-11-18 12:06:07 CET
Someone should bump rootcerts, NSPR (4.10.2) and NSS (3.15.3) for cauldron, in that order.

https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes

    Bug 925100 - (CVE-2013-1741) Ensure a size is <= half of the maximum PRUint32 value
    Bug 934016 - (CVE-2013-5605) Handle invalid handshake packets
    Bug 910438 - (CVE-2013-5606) Return the correct result in CERT_VerifyCert on failure, if a verifyLog isn't used
Comment 3 David Walser 2013-11-18 23:29:12 CET
rootcerts, nspr, and nss have all been uploaded for Cauldron.

Updated packages have also been uploaded for Mageia 2 and Mageia 3.

Red Hat's bugzilla doesn't have any additional information on the nss CVEs, other than categorizing CVE-2013-5605 as critical severity.

We should also provide an update to Firefox bugfix release 24.1.1.

Are there any release notes out there for Firefox 24.1.1 BTW?

Assigning these packages (rootcerts, nspr, and nss) to QA for now.

Feel free to provide a better advisory than I have if you want :o)

Advisory:
========================

Updated nss packages fix security vulnerabilities:

This updates to the latest root certificate data from Mozilla, updates the nspr
library to the latest version, and updates the nss library to the latest
version which fixes multiple security issues (CVE-2013-1741, CVE-2013-5605, CVE-2013-5606).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes
========================

Updated packages in core/updates_testing:
========================
rootcerts-20131111.00-1.mga2
rootcerts-java-20131111.00-1.mga2
libnspr4-4.10.2-1.mga2
libnspr-devel-4.10.2-1.mga2
nss-3.15.3-1.mga2
nss-doc-3.15.3-1.mga2
libnss3-3.15.3-1.mga2
libnss-devel-3.15.3-1.mga2
libnss-static-devel-3.15.3-1.mga2
rootcerts-20131111.00-1.mga3
rootcerts-java-20131111.00-1.mga3
libnspr4-4.10.2-1.mga3
libnspr-devel-4.10.2-1.mga3
nss-3.15.3-1.mga3
nss-doc-3.15.3-1.mga3
libnss3-3.15.3-1.mga3
libnss-devel-3.15.3-1.mga3
libnss-static-devel-3.15.3-1.mga3

from SRPMS:
rootcerts-20131111.00-1.mga2.src.rpm
nspr-4.10.2-1.mga2.src.rpm
nss-3.15.3-1.mga2.src.rpm
rootcerts-20131111.00-1.mga3.src.rpm
nspr-4.10.2-1.mga3.src.rpm
nss-3.15.3-1.mga3.src.rpm
Comment 4 David Walser 2013-11-19 02:01:04 CET
(In reply to David Walser from comment #3)
> We should also provide an update to Firefox bugfix release 24.1.1.
> 
> Are there any release notes out there for Firefox 24.1.1 BTW?

So I found them:
https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/

So, it only fixes three things, two of which are updating nspr and nss (and rootcerts which is a part of nss technically).  The other is a minor firefox-l10n issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=932310

I don't know if we *need* to provide an update for 24.1.1, but we can.  Thoughts?

firefox and firefox-l10n are building in updates_testing if they're wanted.
Comment 5 claire robinson 2013-11-19 09:24:42 CET
People would likely question why they don't have the latest firefox. 
We should probably release an update.
Comment 6 David Walser 2013-11-19 12:47:39 CET
Thanks for the feedback Claire.  Since Firefox is the mechanism for testing these other packages anyway, we might as well.

Addendum to the advisory:
------------------------

The latest Firefox ESR version, which fixes an issue with translated strings
not being used in some cases, is also being provided.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=932310
https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/

from SRPMS:
firefox-24.1.1-1.mga2.src.rpm
firefox-l10n-24.1.1-1.mga2.src.rpm
firefox-24.1.1-1.mga3.src.rpm
firefox-l10n-24.1.1-1.mga3.src.rpm
Comment 7 David Walser 2013-11-19 16:31:39 CET
There is an MFSA for this now, and the nspr 4.10.2 update actually fixes a security issue as well (CVE-2013-5607):
http://www.mozilla.org/security/announce/2013/mfsa2013-103.html

There was also another CVE for nss fixed (CVE-2013-2566).

Advisory:
========================

Updated nspr and nss packages fix security vulnerabilities:

Potentially exploitable buffer overflow in NSS before 3.15.3 that allows
remote attackers to cause a denial of service or possibly have unspecified
other impact via invalid handshake packets (CVE-2013-5605).

The CERT_VerifyCert function in lib/certhigh/certvfy.c in NSS before 3.15.3
provides an unexpected return value for an incompatible key-usage certificate
when the CERTVerifyLog argument is valid, which might allow remote attackers
to bypass intended access restrictions via a crafted certificate
(CVE-2013-5606).

Runaway memset due to an integer truncation in certificate parsing on 64-bit
computers in NSS before 3.15.3 leading to a crash by attempting to write 4Gb
of nulls (CVE-2013-1741).

Integer overflow in NSPR before 4.10.2 due to unsigned integer wrapping in
PL_ArenaAllocate (CVE-2013-5607).

NSS lowered the priority of RC4 in cipher suite advertisement so that more
secure ciphers instead of RC4 are likely to be chosen by the server, because
of plaintext recovery attacks possible with RC4 (CVE-2013-2566).

This also updates to the latest root certificate data from Mozilla.

Additionally, the latest Firefox ESR version, which fixes an issue with
translated strings not being used in some cases, is also being provided.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1741
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5605
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5607
https://groups.google.com/forum/#!topic/mozilla.dev.tech.nspr/_8AcygMEjSA
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes
http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
https://bugzilla.mozilla.org/show_bug.cgi?id=932310
https://www.mozilla.org/en-US/firefox/24.1.1/releasenotes/
========================

Updated packages in core/updates_testing:
========================
rootcerts-20131111.00-1.mga2
rootcerts-java-20131111.00-1.mga2
libnspr4-4.10.2-1.mga2
libnspr-devel-4.10.2-1.mga2
nss-3.15.3-1.mga2
nss-doc-3.15.3-1.mga2
libnss3-3.15.3-1.mga2
libnss-devel-3.15.3-1.mga2
libnss-static-devel-3.15.3-1.mga2
firefox-24.1.1-1.mga2
firefox-devel-24.1.1-1.mga2
firefox-af-24.1.1-1.mga2
firefox-ar-24.1.1-1.mga2
firefox-as-24.1.1-1.mga2
firefox-ast-24.1.1-1.mga2
firefox-be-24.1.1-1.mga2
firefox-bg-24.1.1-1.mga2
firefox-bn_IN-24.1.1-1.mga2
firefox-bn_BD-24.1.1-1.mga2
firefox-br-24.1.1-1.mga2
firefox-bs-24.1.1-1.mga2
firefox-ca-24.1.1-1.mga2
firefox-cs-24.1.1-1.mga2
firefox-csb-24.1.1-1.mga2
firefox-cy-24.1.1-1.mga2
firefox-da-24.1.1-1.mga2
firefox-de-24.1.1-1.mga2
firefox-el-24.1.1-1.mga2
firefox-en_GB-24.1.1-1.mga2
firefox-en_ZA-24.1.1-1.mga2
firefox-eo-24.1.1-1.mga2
firefox-es_AR-24.1.1-1.mga2
firefox-es_CL-24.1.1-1.mga2
firefox-es_ES-24.1.1-1.mga2
firefox-es_MX-24.1.1-1.mga2
firefox-et-24.1.1-1.mga2
firefox-eu-24.1.1-1.mga2
firefox-fa-24.1.1-1.mga2
firefox-ff-24.1.1-1.mga2
firefox-fi-24.1.1-1.mga2
firefox-fr-24.1.1-1.mga2
firefox-fy-24.1.1-1.mga2
firefox-ga_IE-24.1.1-1.mga2
firefox-gd-24.1.1-1.mga2
firefox-gl-24.1.1-1.mga2
firefox-gu_IN-24.1.1-1.mga2
firefox-he-24.1.1-1.mga2
firefox-hi-24.1.1-1.mga2
firefox-hr-24.1.1-1.mga2
firefox-hu-24.1.1-1.mga2
firefox-hy-24.1.1-1.mga2
firefox-id-24.1.1-1.mga2
firefox-is-24.1.1-1.mga2
firefox-it-24.1.1-1.mga2
firefox-ja-24.1.1-1.mga2
firefox-kk-24.1.1-1.mga2
firefox-ko-24.1.1-1.mga2
firefox-km-24.1.1-1.mga2
firefox-kn-24.1.1-1.mga2
firefox-ku-24.1.1-1.mga2
firefox-lg-24.1.1-1.mga2
firefox-lij-24.1.1-1.mga2
firefox-lt-24.1.1-1.mga2
firefox-lv-24.1.1-1.mga2
firefox-mai-24.1.1-1.mga2
firefox-mk-24.1.1-1.mga2
firefox-ml-24.1.1-1.mga2
firefox-mr-24.1.1-1.mga2
firefox-nb_NO-24.1.1-1.mga2
firefox-nl-24.1.1-1.mga2
firefox-nn_NO-24.1.1-1.mga2
firefox-nso-24.1.1-1.mga2
firefox-or-24.1.1-1.mga2
firefox-pa_IN-24.1.1-1.mga2
firefox-pl-24.1.1-1.mga2
firefox-pt_BR-24.1.1-1.mga2
firefox-pt_PT-24.1.1-1.mga2
firefox-ro-24.1.1-1.mga2
firefox-ru-24.1.1-1.mga2
firefox-si-24.1.1-1.mga2
firefox-sk-24.1.1-1.mga2
firefox-sl-24.1.1-1.mga2
firefox-sq-24.1.1-1.mga2
firefox-sr-24.1.1-1.mga2
firefox-sv_SE-24.1.1-1.mga2
firefox-ta-24.1.1-1.mga2
firefox-ta_LK-24.1.1-1.mga2
firefox-te-24.1.1-1.mga2
firefox-th-24.1.1-1.mga2
firefox-tr-24.1.1-1.mga2
firefox-uk-24.1.1-1.mga2
firefox-vi-24.1.1-1.mga2
firefox-zh_CN-24.1.1-1.mga2
firefox-zh_TW-24.1.1-1.mga2
firefox-zu-24.1.1-1.mga2
rootcerts-20131111.00-1.mga3
rootcerts-java-20131111.00-1.mga3
libnspr4-4.10.2-1.mga3
libnspr-devel-4.10.2-1.mga3
nss-3.15.3-1.mga3
nss-doc-3.15.3-1.mga3
libnss3-3.15.3-1.mga3
libnss-devel-3.15.3-1.mga3
libnss-static-devel-3.15.3-1.mga3
firefox-24.1.1-1.mga3
firefox-devel-24.1.1-1.mga3
firefox-af-24.1.1-1.mga3
firefox-ar-24.1.1-1.mga3
firefox-as-24.1.1-1.mga3
firefox-ast-24.1.1-1.mga3
firefox-be-24.1.1-1.mga3
firefox-bg-24.1.1-1.mga3
firefox-bn_IN-24.1.1-1.mga3
firefox-bn_BD-24.1.1-1.mga3
firefox-br-24.1.1-1.mga3
firefox-bs-24.1.1-1.mga3
firefox-ca-24.1.1-1.mga3
firefox-cs-24.1.1-1.mga3
firefox-csb-24.1.1-1.mga3
firefox-cy-24.1.1-1.mga3
firefox-da-24.1.1-1.mga3
firefox-de-24.1.1-1.mga3
firefox-el-24.1.1-1.mga3
firefox-en_GB-24.1.1-1.mga3
firefox-en_ZA-24.1.1-1.mga3
firefox-eo-24.1.1-1.mga3
firefox-es_AR-24.1.1-1.mga3
firefox-es_CL-24.1.1-1.mga3
firefox-es_ES-24.1.1-1.mga3
firefox-es_MX-24.1.1-1.mga3
firefox-et-24.1.1-1.mga3
firefox-eu-24.1.1-1.mga3
firefox-fa-24.1.1-1.mga3
firefox-ff-24.1.1-1.mga3
firefox-fi-24.1.1-1.mga3
firefox-fr-24.1.1-1.mga3
firefox-fy-24.1.1-1.mga3
firefox-ga_IE-24.1.1-1.mga3
firefox-gd-24.1.1-1.mga3
firefox-gl-24.1.1-1.mga3
firefox-gu_IN-24.1.1-1.mga3
firefox-he-24.1.1-1.mga3
firefox-hi-24.1.1-1.mga3
firefox-hr-24.1.1-1.mga3
firefox-hu-24.1.1-1.mga3
firefox-hy-24.1.1-1.mga3
firefox-id-24.1.1-1.mga3
firefox-is-24.1.1-1.mga3
firefox-it-24.1.1-1.mga3
firefox-ja-24.1.1-1.mga3
firefox-kk-24.1.1-1.mga3
firefox-ko-24.1.1-1.mga3
firefox-km-24.1.1-1.mga3
firefox-kn-24.1.1-1.mga3
firefox-ku-24.1.1-1.mga3
firefox-lg-24.1.1-1.mga3
firefox-lij-24.1.1-1.mga3
firefox-lt-24.1.1-1.mga3
firefox-lv-24.1.1-1.mga3
firefox-mai-24.1.1-1.mga3
firefox-mk-24.1.1-1.mga3
firefox-ml-24.1.1-1.mga3
firefox-mr-24.1.1-1.mga3
firefox-nb_NO-24.1.1-1.mga3
firefox-nl-24.1.1-1.mga3
firefox-nn_NO-24.1.1-1.mga3
firefox-nso-24.1.1-1.mga3
firefox-or-24.1.1-1.mga3
firefox-pa_IN-24.1.1-1.mga3
firefox-pl-24.1.1-1.mga3
firefox-pt_BR-24.1.1-1.mga3
firefox-pt_PT-24.1.1-1.mga3
firefox-ro-24.1.1-1.mga3
firefox-ru-24.1.1-1.mga3
firefox-si-24.1.1-1.mga3
firefox-sk-24.1.1-1.mga3
firefox-sl-24.1.1-1.mga3
firefox-sq-24.1.1-1.mga3
firefox-sr-24.1.1-1.mga3
firefox-sv_SE-24.1.1-1.mga3
firefox-ta-24.1.1-1.mga3
firefox-ta_LK-24.1.1-1.mga3
firefox-te-24.1.1-1.mga3
firefox-th-24.1.1-1.mga3
firefox-tr-24.1.1-1.mga3
firefox-uk-24.1.1-1.mga3
firefox-vi-24.1.1-1.mga3
firefox-zh_CN-24.1.1-1.mga3
firefox-zh_TW-24.1.1-1.mga3
firefox-zu-24.1.1-1.mga3

from SRPMS:
rootcerts-20131111.00-1.mga2.src.rpm
nspr-4.10.2-1.mga2.src.rpm
nss-3.15.3-1.mga2.src.rpm
firefox-24.1.1-1.mga2.src.rpm
firefox-l10n-24.1.1-1.mga2.src.rpm
rootcerts-20131111.00-1.mga3.src.rpm
nspr-4.10.2-1.mga3.src.rpm
nss-3.15.3-1.mga3.src.rpm
firefox-24.1.1-1.mga3.src.rpm
firefox-l10n-24.1.1-1.mga3.src.rpm
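The advisory in comment 7 describes two size-arithmetic bugs in the same family: unsigned wrapping in PL_ArenaAllocate (CVE-2013-5607) and a truncated length that drove a runaway memset in certificate parsing (CVE-2013-1741, fixed upstream by bounding the size to half of the maximum PRUint32). The following C program is an added illustration written for this page; it is not NSPR's or NSS's code and does not reproduce PL_ArenaAllocate. It uses a constructed toy arena (`toy_arena`, `toy_alloc_unchecked`, `toy_alloc_checked`) to show how rounding a 32-bit request up to an alignment boundary wraps to zero, why the unchecked allocator then hands out a pointer for a request it cannot satisfy, and how the overflow check and the half-of-UINT32_MAX bound both close the hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy bump-pointer arena over a fixed buffer.  Constructed for this
 * illustration; it is not NSPR's PLArena and does not reproduce its code,
 * only the size arithmetic the advisory describes. */
#define ARENA_ALIGN 8u
#define ARENA_MASK  (ARENA_ALIGN - 1u)

typedef struct {
    unsigned char *base;
    uint32_t avail;   /* offset of the first free byte */
    uint32_t limit;   /* total size of the buffer */
} toy_arena;

/* Round a request up to ARENA_ALIGN using 32-bit arithmetic.  For nb within
 * ARENA_MASK of UINT32_MAX the addition wraps: 0xFFFFFFFF + 7 = 6 (mod 2^32),
 * and 6 & ~7 = 0.  A request for ~4 GiB is silently rounded to 0 bytes. */
uint32_t align_up_wrapping(uint32_t nb) {
    return (nb + ARENA_MASK) & ~ARENA_MASK;
}

/* Vulnerable pattern: the free-space test uses the rounded size and never
 * notices that rounding wrapped, so the caller receives a pointer to a
 * region far smaller than it asked for. */
void *toy_alloc_unchecked(toy_arena *a, uint32_t nb) {
    uint32_t rounded = align_up_wrapping(nb);
    if (rounded > a->limit - a->avail)
        return NULL;
    void *p = a->base + a->avail;
    a->avail += rounded;
    return p;
}

/* Hardened pattern: reject any request whose rounding would wrap before the
 * space test.  Bounding requests to UINT32_MAX / 2, as the NSS fix for
 * CVE-2013-1741 does in certificate parsing, gives the same guarantee with
 * headroom left for headers and padding added later. */
void *toy_alloc_checked(toy_arena *a, uint32_t nb) {
    if (nb > UINT32_MAX - ARENA_MASK)
        return NULL;                      /* rounding would wrap */
    uint32_t rounded = align_up_wrapping(nb);
    if (rounded > a->limit - a->avail)
        return NULL;
    void *p = a->base + a->avail;
    a->avail += rounded;
    return p;
}

/* Guard for a length parsed from untrusted input (e.g. a certificate field)
 * before it reaches memset/memcpy: a 64-bit length above half of UINT32_MAX
 * is rejected here instead of being truncated to 32 bits further down. */
int size_fits_uint32_half(uint64_t len) {
    return len <= (uint64_t)UINT32_MAX / 2u;
}

/* Helpers that run the two allocators on a 64-byte arena with a ~4 GiB
 * request and report whether it was granted (1) or refused (0). */
int unchecked_grants_wrapped_request(void) {
    static unsigned char buf[64];
    toy_arena a = { buf, 0, sizeof buf };
    return toy_alloc_unchecked(&a, 0xFFFFFFFFu) != NULL;
}

int checked_grants_wrapped_request(void) {
    static unsigned char buf[64];
    toy_arena a = { buf, 0, sizeof buf };
    return toy_alloc_checked(&a, 0xFFFFFFFFu) != NULL;
}

/* Offset of the free pointer after one checked allocation of nb bytes,
 * or UINT32_MAX if the request was refused. */
uint32_t checked_avail_after(uint32_t nb) {
    static unsigned char buf[64];
    toy_arena a = { buf, 0, sizeof buf };
    if (toy_alloc_checked(&a, nb) == NULL)
        return UINT32_MAX;
    return a.avail;
}

int main(void) {
    printf("unchecked grants 0xFFFFFFFF request: %d\n", unchecked_grants_wrapped_request());
    printf("checked grants 0xFFFFFFFF request:   %d\n", checked_grants_wrapped_request());
    printf("checked avail after 13-byte request: %u\n", checked_avail_after(13u));
    printf("0x80000000 fits half of UINT32_MAX:  %d\n", size_fits_uint32_half(0x80000000ULL));
    return 0;
}
```

The unchecked allocator grants the 0xFFFFFFFF-byte request because the rounded size wraps to 0 and passes the space test; the checked one refuses it up front. Both checks are cheap and sit before any arithmetic that could wrap, which is the property to look for when reviewing allocator or parser code that takes lengths from the network.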
Comment 8 Marja van Waes 2013-11-19 17:40:02 CET
Mga2, 64 bits
Installed:
  firefox                        24.1.1       1.mga2        x86_64
  firefox-es_CL                  24.1.1       1.mga2        noarch
  firefox-fr                     24.1.1       1.mga2        noarch
  firefox-nl                     24.1.1       1.mga2        noarch
  firefox-pt_BR                  24.1.1       1.mga2        noarch
  lib64nspr4                     4.10.2       1.mga2        x86_64
  lib64nss3                      3.15.3       1.mga2        x86_64
  firefox-en_GB                  24.1.1       1.mga2        noarch
  firefox-es_AR                  24.1.1       1.mga2        noarch
  firefox-it                     24.1.1       1.mga2        noarch
  firefox-el                     24.1.1       1.mga2        noarch
  firefox-en_ZA                  24.1.1       1.mga2        noarch
  firefox-es_MX                  24.1.1       1.mga2        noarch
  firefox-pt_PT                  24.1.1       1.mga2        noarch
  firefox-cs                     24.1.1       1.mga2        noarch
  firefox-de                     24.1.1       1.mga2        noarch
  firefox-es_ES                  24.1.1       1.mga2        noarch
  firefox-sl                     24.1.1       1.mga2        noarch
  firefox-tr                     24.1.1       1.mga2        noarch
  rootcerts                      20131111.00  1.mga2        x86_64
  nss                            3.15.3       1.mga2        x86_64
  rootcerts-java                 20131111.00  1.mga2        x86_64

Browsing, including to secure pages, works fine. YouTube works ok, but Calenco's JavaScript is a disaster for FF (as it already was in Mga 2 and 3, since Calenco's last upgrade, so that shouldn't stop this update)

Can't think of anything else to check
Comment 9 Samuel Verschelde 2013-11-19 18:32:46 CET
For new users with FR locale, firefox opens https://www.mozilla.org/fr/firefox/24.1.1/firstrun/ which doesn't exist. Problem was present in previous firefox update too.
Comment 10 claire robinson 2013-11-19 18:40:51 CET
Advisory uploaded. Please remove the 'advisory' whiteboard tag if anything changes.
Comment 11 David Walser 2013-11-19 19:39:16 CET
Ubuntu has issued an advisory for this on November 18:
http://www.ubuntu.com/usn/usn-2030-1/
Comment 13 Oden Eriksson 2013-11-20 10:39:47 CET
FYI. For NSS this is the only change in firefox-17.0.11esr:

--- firefox-17.0.10esr/security/nss/lib/ssl/ssl3con.c   2013-10-23 01:53:06.000000000 +0000
+++ firefox-17.0.11esr/security/nss/lib/ssl/ssl3con.c   2013-11-13 23:36:00.000000000 +0000
@@ -5,7 +5,7 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-/* $Id: ssl3con.c,v 1.201.2.1 2013/10/22 20:34:00 kaie%kuix.de Exp $ */
+/* $Id: ssl3con.c,v 1.201.2.1.2.1 2013/11/10 20:38:30 kaie%kuix.de Exp $ */
 
 /* TODO(ekr): Implement HelloVerifyRequest on server side. OK for now. */
 
@@ -740,6 +740,11 @@ static SECStatus
 Null_Cipher(void *ctx, unsigned char *output, int *outputLen, int maxOutputLen,
            const unsigned char *input, int inputLen)
 {
+    if (inputLen > maxOutputLen) {
+        *outputLen = 0;  /* Match PK11_CipherOp in setting outputLen */
+        PORT_SetError(SEC_ERROR_OUTPUT_LEN);
+        return SECFailure;
+    }
     *outputLen = inputLen;
     if (input != output)
        PORT_Memcpy(output, input, inputLen);
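Review bot: the new guard in Null_Cipher compares two signed ints, `inputLen > maxOutputLen`, so a negative inputLen passes it and reaches `PORT_Memcpy(output, input, inputLen)`, where the length converts to a huge size_t; unless every caller guarantees inputLen >= 0, the condition should read `inputLen < 0 || inputLen > maxOutputLen`. Setting `*outputLen = 0` before returning SECFailure, as the comment says, matches PK11_CipherOp and gives callers that read outputLen on failure a consistent value, so that part is fine as written.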


Quite peculiar...
Comment 14 David Walser 2013-11-20 12:37:51 CET
(In reply to Oden Eriksson from comment #13)
> FYI. For NSS this is the only change in firefox-17.0.11esr:

Yeah, IIRC 17.0.11esr was updated to 3.14.5 while all other products were updated to 3.15.3, and some of these security issues (if not all but one of them) only affected 3.15.
Comment 15 claire robinson 2013-11-20 14:50:37 CET
Adding mga2 64 ok from Marja's tests in comment 8
Comment 16 claire robinson 2013-11-20 15:08:38 CET
Testing complete mga2 32
Comment 17 claire robinson 2013-11-20 15:25:08 CET
Testing complete mga3 32 & 64

Validating.

Could sysadmin please push from 2&3 core/updates_testing to updates

Thanks!
Comment 18 Thomas Backlund 2013-11-20 22:02:20 CET
Update pushed:
http://advisories.mageia.org/MGASA-2013-0337.html
