oss-sec mailing list archives
Re: CVE Request -- nss: Did honour /pkcs11.txt and /secmod.db files by initialization
From: Reed Loden <reed () reedloden com>
Date: Mon, 24 Oct 2011 03:40:27 -0700
On Mon, 24 Oct 2011 12:30:23 +0200 Jan Lieskovsky <jlieskov () redhat com> wrote:
> a security flaw was found in the way nss, the Network Security Services (NSS) set of libraries, performed their initialization (the file path for "pkcs11.txt" configuration file was constructed incorrectly). When that configuration file was loaded from remote WebDAV or Samba CIFS share, it could lead to arbitrary security module load, potentially leading to execution of arbitrary code (execution of code from untrusted security module).
>
> Upstream bug report:
> [1] https://bugzilla.mozilla.org/show_bug.cgi?id=641052

Mozilla is a CNA. Any reason you aren't requesting the CVE from them since NSS is a Mozilla product? Also, the upstream bug isn't tagged as a security issue, so Mozilla might not even know about this problem.

cc'ing Dan Veditz of the Mozilla Security Group for CVE assignment and notification.

~reed

--
Reed Loden
reed () reedloden com