Closed Bug 1176293 Opened 9 years ago Closed 8 years ago

global-buffer-overflow in certutil running dbupgrade tests

Categories

(NSS :: Tools, defect)

Priority: Not set, Severity: normal

Tracking

(firefox41 affected)

RESOLVED FIXED

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Attached file asan log
This happens in the sqlite3 code that is bundled with NSS. It is likely no big deal if we don't ship that code. On the other hand, I don't know if this is also present in production code.

Steps to reproduce:
1) build nss test suite with address sanitizer
2) run test suite, dbupgrade.sh specifically

I'm marking as security just in case.
Summary: global-buffer-overflow on address in certutil running dbupgrade tests → global-buffer-overflow in certutil running dbupgrade tests
Thanks Tyson.
Do you know if this issue has already been fixed in the more recent sqlite code?
If it is, then we can update the copy of sqlite that's part of NSS.

I believe Firefox has its own copy of sqlite, and at the time Firefox builds NSS, the NSS copy of sqlite will be ignored.
Hey Kai,

It looks like this issue was fixed in 3.7.16 (3.7.14.1 is bundled). This version is still pretty old, it is from April 2013. 3.8.10.2 is the latest release.

I found some information here: https://github.com/ViennaRSS/vienna-rss/issues/179
Blocks: nss-fuzz
Tyson:

This is a SQLite bug fixed in SQLite 3.7.16 as you noted:
  2013-03-18 (3.7.16)
  ...
  * Change to use strncmp() or the equivalent instead of memcmp() when
    comparing non-zero-terminated strings.

To work around this bug, add strict_memcmp=0 to the ASAN_OPTIONS
environment variable before running AddressSanitizer. See
https://code.google.com/p/address-sanitizer/wiki/Flags.
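As an added illustration of the memcmp()/strncmp() point above (constructed example, not code from SQLite, NSS, or anyone in this thread): memcmp() is permitted to read all n bytes of both buffers, so comparing a short zero-terminated token against a longer keyword over strlen(keyword) bytes is an out-of-bounds read even when the implementation happens to stop at the first differing byte. That is what AddressSanitizer's default strict_memcmp=1 reports, and what strncmp(), which stops at the first NUL or differing byte, avoids. The function names, the keyword, and the sample input are my own.

```c
#include <stdio.h>
#include <string.h>

/* Pre-3.7.16 style: compare `tok` against keyword `kw` using memcmp() over
 * strlen(kw) bytes. memcmp() may read all n bytes of both operands, so when
 * tok is shorter than kw this reads past the end of tok. Most libc versions
 * return at the first differing byte, which is why the bug is invisible
 * without a sanitizer. */
int match_memcmp_unsafe(const char *tok, const char *kw)
{
    return memcmp(tok, kw, strlen(kw)) == 0;
}

/* 3.7.16 style fix: strncmp() is defined to stop at the first NUL or
 * differing byte, so a zero-terminated token shorter than kw is never
 * read past its terminator. Note this is a prefix match on tok; a caller
 * that needs exact equality must also check tok's length. */
int match_strncmp(const char *tok, const char *kw)
{
    return strncmp(tok, kw, strlen(kw)) == 0;
}

/* For a token that is NOT zero-terminated (a slice of a larger buffer, as
 * in a tokenizer), compare lengths first; only then is memcmp() over
 * kwlen bytes in bounds on both sides. */
int match_len(const char *tok, size_t toklen, const char *kw)
{
    size_t kwlen = strlen(kw);
    return toklen == kwlen && memcmp(tok, kw, kwlen) == 0;
}

/* A global, exactly-sized token (hypothetical). Under ASan the unsafe
 * compare against a longer keyword is reported as a global-buffer-overflow,
 * the same report class as in this bug's title. */
static const char g_token[4] = "abc";

int main(void)
{
    const char *sql = "SELECT rowid FROM t";   /* constructed input */
    const char *tok = sql + 7;                 /* "rowid FROM t", not terminated */

    printf("match_len(rowid)    = %d\n", match_len(tok, 5, "rowid"));
    printf("match_len(row)      = %d\n", match_len(tok, 3, "rowid"));
    printf("match_strncmp       = %d\n", match_strncmp(g_token, "abcdef"));

    /* Build with: cc -g -fsanitize=address example.c
     * This call asks memcmp() for 6 bytes of a 4-byte object. ASan reports
     * it as global-buffer-overflow; ASAN_OPTIONS=strict_memcmp=0 (the
     * workaround above) only checks the bytes up to the first difference,
     * which here are in bounds, so the report disappears. */
    printf("match_memcmp_unsafe = %d\n", match_memcmp_unsafe(g_token, "abcdef"));
    return 0;
}
```

The strncmp() change removes the over-read but does not by itself make the comparison exact; the explicit-length form is what a tokenizer working on unterminated slices needs.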
I'd be happy to close this issue as is. If there are plans to update the bundled version of sqlite I can wait.
Let's not close it, but I believe we can open up the bug. The shipped version of sqlite in NSS is there as a convenience. Most NSS users use an external sqlite (Linux distributions ship a system sqlite, which NSS uses there; Firefox provides its own sqlite, and I suspect Chrome does as well).

As such, I think keeping this bug private is counterproductive. We should open this up and turn it into a request to upgrade sqlite to something newer.

bob
Group: core-security
Mass cc to get some NSS eyes on these bugs.
See Also: → 1234698
We've been using SQLite 3.10.2 for a while now (since 3.23) and I can't reproduce this anymore. Let's close it.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED