Closed
Bug 1348767
Opened 7 years ago
Closed 7 years ago
logical rather than bitwise OR operator used in OCSP requests
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.31
People
(Reporter: hrosik, Assigned: franziskus)
Details
(Keywords: sec-other)
Attachments
(1 file)
|
862 bytes,
patch
|
franziskus
:
review+
|
Details | Diff | Splinter Review |
Richard Biener of the SUSE compiler team noticed a warning while testing GCC7, which pointed to NSS incorrectly using logical OR operator instead of the bitwise version in the OCSP requests code. Patch against NSS trunk attached CC: Marcus Meissner from the SUSE Security Team, who also reported this issue via email to <security@mozilla.org>.
|
Assignee | |
Comment 1•7 years ago
|
||
Comment on attachment 8849033 [details] [diff] [review] use bitwise OR instead of logical in OCSP requests Review of attachment 8849033 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for the patch!
Attachment #8849033 -
Flags: review+
|
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → franziskuskiefer
|
|
Assignee | |
Comment 2•7 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/0dca14409fefa9090db2a382d2dbfdc6d800852e
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.31
|
||
Comment 3•7 years ago
|
||
What's the severity of this? Do we need to consider backporting this to stable branches?
Flags: needinfo?(franziskuskiefer)
|
|
Assignee | |
Comment 4•7 years ago
|
||
The issue is in libpkix, which isn't used by Firefox (and really shouldn't be used by anyone at this point). So no backporting necessary.
Flags: needinfo?(franziskuskiefer)
|
||
Updated•7 years ago
|
Group: crypto-core-security → core-security-release
|
||
Comment 5•7 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #4) > The issue is in libpkix, which isn't used by Firefox (and really shouldn't > be used by anyone at this point). So no backporting necessary. Other applications might still use it.
|
|
||
Comment 6•7 years ago
|
||
It seems this hash isn't used as part of the hash request that's sent out to the network. If I'm reading the code correctly, this hash is simply used for an internal HashTable, so the function currently is using worse hashes than the code was trying to. If correct, then the only effect might be slowdown, as linear searches in that HashTable would occurr frequently.
|
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•