global-buffer-overflow in certutil running dbupgrade tests

Status: RESOLVED FIXED
Product: NSS
Component: Tools
Reported: 3 years ago
Last modified: 2 years ago

People

(Reporter: tsmith, Unassigned)

Tracking

(Blocks: 1 bug)
Version: trunk

Firefox Tracking Flags

(firefox41 affected)

Attachments

(1 attachment)

(Reporter)

Description

3 years ago
Created attachment 8624803
asan log

This happens in the sqlite3 code that is bundled with NSS. It is likely no big deal if we don't ship that code. On the other hand, I don't know if this is also present in production code.

Steps to reproduce:
1) build nss test suite with address sanitizer
2) run test suite, dbupgrade.sh specifically

I'm marking as security just in case.
(Reporter)

Updated

3 years ago
Summary: global-buffer-overflow on address in certutil running dbupgrade tests → global-buffer-overflow in certutil running dbupgrade tests

Comment 1

3 years ago
Thanks Tyson.
Do you know if this issue has already been fixed in the more recent sqlite code?
If it is, then we can update the copy of sqlite that's part of NSS.

I believe Firefox has its own copy of sqlite, and at the time Firefox builds NSS, the NSS copy of sqlite will be ignored.
(Reporter)

Comment 2

3 years ago
Hey Kai,

It looks like this issue was fixed in 3.7.16 (3.7.14.1 is bundled). This version is still pretty old, it is from April 2013. 3.8.10.2 is the latest release.

I found some information here: https://github.com/ViennaRSS/vienna-rss/issues/179
(Reporter)

Updated

3 years ago
Blocks: 1177759

Comment 3

3 years ago
Tyson:

This is a SQLite bug fixed in SQLite 3.7.16 as you noted:
  2013-03-18 (3.7.16)
  ...
  * Change to use strncmp() or the equivalent instead of memcmp() when
    comparing non-zero-terminated strings.

To work around this bug, add strict_memcmp=0 to the ASAN_OPTIONS
environment variable before running AddressSanitizer. See
https://code.google.com/p/address-sanitizer/wiki/Flags.
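The memcmp()/strncmp() distinction in the SQLite changelog above is the whole bug, so here is an added example that models it; this is illustrative code written for this page, not SQLite's or NSS's own, and the token buffers, keywords and function names are constructed for the demonstration. A tokenizer holds a token inside a larger buffer with no NUL terminator and checks it against a NUL-terminated keyword. memcmp() reads all n bytes from both buffers before comparing, so passing the keyword's length overreads a shorter token buffer; that full-read assumption is exactly what ASan's strict_memcmp=1 (the default) enforces. strncmp() stops at the first differing byte or NUL, and a length check beforehand removes the false match as well.

```c
#include <stdio.h>
#include <string.h>

/* Buggy pattern: memcmp() with the keyword's length, not the token's.
 * memcmp() reads all n bytes of both buffers even when an early byte
 * differs, and n = strlen(kw) may exceed what is left in the token buffer.
 * With -fsanitize=address and the default strict_memcmp=1 this is reported
 * as a buffer overflow whenever the token buffer is shorter than the keyword.
 * It also ignores toklen, so it matches a short token that merely prefixes
 * a longer word. */
int is_keyword_memcmp(const char *tok, size_t toklen, const char *kw)
{
    (void)toklen;                     /* ignored: that is the bug */
    return memcmp(tok, kw, strlen(kw)) == 0;
}

/* Fixed pattern, in the spirit of the SQLite 3.7.16 change: require equal
 * lengths, then use strncmp(), which stops at the first differing byte (or
 * NUL) and so never reads past a mismatch. */
int is_keyword_strncmp(const char *tok, size_t toklen, const char *kw)
{
    return strlen(kw) == toklen && strncmp(tok, kw, toklen) == 0;
}

/* Classify a token: 1 for "select", 2 for "sql", 0 otherwise (constructed
 * keyword set for the example). */
int classify_token(const char *tok, size_t toklen)
{
    if (is_keyword_strncmp(tok, toklen, "select")) return 1;
    if (is_keyword_strncmp(tok, toklen, "sql"))    return 2;
    return 0;
}

/* Constructed input: a 3-byte global holding "sql" with no terminator, the
 * shape of object ASan labels "global-buffer-overflow" when overread. */
static const char g_short_token[3] = { 's', 'q', 'l' };

int main(void)
{
    const char stmt[] = "select * from t";     /* token "select", len 6 */
    printf("memcmp  : %d\n", is_keyword_memcmp(stmt, 6, "select"));
    printf("strncmp : %d\n", is_keyword_strncmp(stmt, 6, "select"));

    /* Token "sel" (3 bytes) inside "selected": no overread, but the memcmp
     * version wrongly reports a match because it compares 6 bytes. */
    printf("memcmp  'sel': %d\n", is_keyword_memcmp("selected", 3, "select"));
    printf("strncmp 'sel': %d\n", is_keyword_strncmp("selected", 3, "select"));

    /* The fixed version handles the short global safely. */
    printf("short   : %d\n", classify_token(g_short_token, 3));

    /* Deliberately not executed: this call reads 6 bytes from a 3-byte
     * global. Build with -fsanitize=address and uncomment it to see the
     * report; ASAN_OPTIONS=strict_memcmp=0 silences it only because ASan
     * then checks just the bytes up to the first difference, while a real
     * memcmp() is still allowed to read all n.
     *   is_keyword_memcmp(g_short_token, 3, "select");
     */
    return 0;
}
```

The strict_memcmp=0 workaround from Comment 3 therefore hides the sanitizer report without changing what the library does; updating to a SQLite that uses strncmp() (or a length-checked comparison) is the actual fix.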
(Reporter)

Comment 4

3 years ago
I'd be happy to close this issue as is. If there are plans to update the bundled version of sqlite I can wait.

Comment 5

3 years ago
Let's not close it, but I believe we can open up the bug. The shipped version of sqlite in NSS is there as a convenience. Most NSS users use an external sqlite (linux distributions ship a system sqlite which NSS uses there, firefox provides their own sqlite, and I suspect chrome does as well).

As such, I think keeping this bug private is counterproductive. We should open this up and turn it into a request to upgrade sqlite to something newer.

bob
(Reporter)

Updated

3 years ago
Group: core-security

Mass cc to get some NSS eyes on these bugs.

We're using SQLite 3.10.2 now for a while (since 3.23) and I can't reproduce this anymore. Let's close it.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED