Closed Bug 1468542 Opened 2 years ago Closed 2 years ago

BLRG-PT-18-004: Off-By-One Write in SECU_FilePasswd()

Categories

(Toolkit :: Application Update, defect, P1)

defect

Tracking


RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

(Reporter: jvehent, Assigned: jewilde)

References

(Blocks 1 open bug)

Details

(Keywords: sec-low, Whiteboard: [post-critsmash-triage][adv-main65-])

Attachments

(1 file)

In file sign/nss_secutil.c the function SECU_FilePasswd() iterated over the phrases array which was stored on the heap. The length of the array was stored in nb. In case the while loop exited because i == nb, the zero-termination which followed wrote past the end of the array.

This led to a memory corruption, which is likely hard to exploit, but off by one writes on the heap have been exploited in the past [1].

The affected component is only used locally and the password input data can be considered trusted to a certain degree. Therefore the impact is limited.

X41 D-Sec GmbH advises checking for i == nb before terminating the phrases buffer.


[1] https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/
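A constructed model of the pattern the report describes, added here as an example and not taken from the NSS or libmar sources: an nb-byte buffer read without a terminator, a scan that stops at i == nb, and the unconditional zero-write beside a bounds-checked one. The function names, the 64-byte sample limit and the canary byte standing in for neighbouring heap memory are all assumptions of this example.

```c
#include <string.h>

/* Find the end of the current passphrase: the first '\r' or '\n', or nb
 * when the buffer holds no line terminator. */
static int find_phrase_end(const char *phrases, int nb)
{
    int i = 0;
    while (i < nb && phrases[i] != '\r' && phrases[i] != '\n')
        i++;
    return i;
}

/* Pattern described in the report: when the scan stops because i == nb, the
 * unconditional zero-termination writes one byte past the nb-byte array. */
int terminate_unchecked(char *phrases, int nb)
{
    int i = find_phrase_end(phrases, nb);
    phrases[i] = '\0'; /* out of bounds when i == nb */
    return i;
}

/* Hardened form: refuse to terminate when the index is outside the array.
 * Returns the index written, or -1 when no terminator could be placed. */
int terminate_checked(char *phrases, int nb)
{
    int i = find_phrase_end(phrases, nb);
    if (i >= nb)
        return -1;
    phrases[i] = '\0';
    return i;
}

/* Harness: copy a constructed sample into an nb-byte region followed by a
 * canary byte (the "memory after the array"); report index and canary state. */
static int run_sample(int (*terminate)(char *, int), const char *sample, int nb, int *canary_ok)
{
    char buf[64 + 1];
    if (nb > 64) return -2;
    memcpy(buf, sample, nb);
    buf[nb] = 'C';
    int r = terminate(buf, nb);
    *canary_ok = (buf[nb] == 'C');
    return r;
}

/* Index the variant wrote (or -1 when the checked variant declined). */
int terminate_sample(int (*t)(char *, int), const char *s, int nb) { int ok; return run_sample(t, s, nb, &ok); }

/* 1 when the byte after the array is untouched, 0 when it was overwritten. */
int canary_survives(int (*t)(char *, int), const char *s, int nb) { int ok; run_sample(t, s, nb, &ok); return ok; }
```

A sample with no newline ("password", nb = 8) makes the scan stop at i == nb, so the unchecked variant writes index 8 and clobbers the canary while the checked variant returns -1 and leaves it intact.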
Assignee: nobody → jewilde
Status: NEW → ASSIGNED
Priority: -- → P1
Adds some missing braces on if structures
Adds a check for i being larger than or equal to nb
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/97613730a99f
Group: toolkit-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65-]
Group: core-security-release