Closed
Bug 1468542
Opened 8 years ago
Closed 7 years ago
BLRG-PT-18-004: Off-By-One Write in SECU_FilePasswd()
Categories
(Toolkit :: Application Update, defect, P1)
Toolkit
Application Update
Tracking
RESOLVED
FIXED
mozilla65
People
(Reporter: jvehent, Assigned: jewilde)
References
Details
(Keywords: sec-low, Whiteboard: [post-critsmash-triage][adv-main65-])
Attachments
(1 file)
In file sign/nss_secutil.c the function SECU_FilePasswd() iterated over the phrases array, which was stored on the heap. The length of the array was stored in nb. In case the while loop exited because i == nb, the zero-termination which followed wrote past the end of the array.
This led to a memory corruption, which is likely hard to exploit, but off-by-one writes on the heap have been exploited in the past [1].
The affected component is only used locally and the password input data can be considered trusted to a certain degree. Therefore the impact is limited.
X41 D-Sec GmbH advises to check for i == nb before terminating the phrases buffer.
[1] https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/
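The pattern the report describes, reduced to a small model as an added example (this is not the code from sign/nss_secutil.c and not part of the bug report): a heap buffer of nb bytes is scanned for a delimiter, and the loop can exit with i == nb, after which an unconditional NUL write lands one byte past the allocation. The function names, the newline delimiter and the sentinel harness are all assumptions made for illustration; the harness allocates one extra byte and uses it as a canary so the overflow can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of the vulnerable loop (hypothetical name, not the NSS function).
 * 'phrases' holds nb bytes read from a password file and is NOT NUL-terminated.
 * If no newline is present the loop exits with i == nb and the terminator is
 * written to phrases[nb], one byte past the end of the heap allocation.
 */
static size_t terminate_phrase_unchecked(char *phrases, size_t nb)
{
    size_t i = 0;
    while (i < nb && phrases[i] != '\n')
        i++;
    phrases[i] = '\0';          /* off-by-one write when i == nb */
    return i;
}

/*
 * Fixed form: the check recommended in the report. When the loop ran off the
 * end of the buffer there is no room for a terminator, so report failure
 * instead of writing. Returns the phrase length, or -1 on failure.
 */
static long terminate_phrase_checked(char *phrases, size_t nb)
{
    size_t i = 0;
    while (i < nb && phrases[i] != '\n')
        i++;
    if (i >= nb)
        return -1;              /* would write past phrases[nb - 1] */
    phrases[i] = '\0';
    return (long)i;
}

/*
 * Test harness (constructed): allocate nb + 1 bytes, put a sentinel in the
 * extra byte, run one of the two functions on the first nb bytes and report
 * whether the sentinel was overwritten. A clobbered sentinel is exactly the
 * out-of-bounds write that would corrupt adjacent heap metadata or data in
 * the real allocation.
 */
#define SENTINEL 0xAA
static int sentinel_clobbered(int use_fix, const char *input, size_t nb)
{
    unsigned char *buf = malloc(nb + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, input, nb);
    buf[nb] = SENTINEL;
    if (use_fix)
        terminate_phrase_checked((char *)buf, nb);
    else
        terminate_phrase_unchecked((char *)buf, nb);
    int clobbered = (buf[nb] != SENTINEL);
    free(buf);
    return clobbered;
}

int main(void)
{
    /* Constructed inputs: one with a newline, one without. */
    printf("with newline, unchecked: sentinel clobbered = %d\n",
           sentinel_clobbered(0, "secret\n", 7));
    printf("no newline,   unchecked: sentinel clobbered = %d\n",
           sentinel_clobbered(0, "secret", 6));
    printf("no newline,   checked:   sentinel clobbered = %d\n",
           sentinel_clobbered(1, "secret", 6));
    return 0;
}
```

The comparison `i >= nb` rather than `i == nb` is deliberate: it also covers any future change to the loop that could leave i larger than nb, at no extra cost.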
Updated•7 years ago
Assignee: nobody → jewilde
Status: NEW → ASSIGNED
Priority: -- → P1
Comment 1•7 years ago
Adds some missing braces on if structures
Adds a check for i being larger or equal to nb
Updated•7 years ago
Keywords: checkin-needed
Comment 2•7 years ago
Keywords: checkin-needed
Comment 3•7 years ago
Group: toolkit-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Updated•7 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•7 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65-]
Updated•6 years ago
Group: core-security-release