Closed Bug 1468542 Opened 8 years ago Closed 7 years ago

BLRG-PT-18-004: Off-By-One Write in SECU_FilePasswd()

Categories

(Toolkit :: Application Update, defect, P1)

Tracking


RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

(Reporter: jvehent, Assigned: jewilde)

References

Details

(Keywords: sec-low, Whiteboard: [post-critsmash-triage][adv-main65-])

Attachments

(1 file)

In file sign/nss_secutil.c the function SECU_FilePasswd() iterated over the phrases array, which was stored on the heap. The length of the array was stored in nb. In case the while loop exited because i == nb, the zero-termination which followed wrote past the end of the array. This led to a memory corruption, which is likely hard to exploit, but off-by-one writes on the heap have been exploited in the past [1]. The affected component is only used locally and the password input data can be considered trusted to a certain degree. Therefore the impact is limited. X41 D-Sec GmbH advises to check for i == nb before terminating the phrases buffer.

[1] https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/
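The pattern described in the report, reduced to its essentials as an added example. This is not the NSS or mozilla-central code; the function names, the canary harness and the sample input are assumptions made for illustration. The vulnerable form terminates the scanned line unconditionally, so when the buffer holds no newline the loop stops at i == nb and the terminator lands one byte past the data; the hardened form applies the check the report asks for and rejects the input instead of writing.

```c
/* Added example, not project code: the off-by-one terminator write in a
 * SECU_FilePasswd()-style line scan, with the check that prevents it.
 * `phrases` holds the bytes read from the password file, `nb` is how many
 * bytes were read; both names follow the report, the functions are
 * hypothetical. */
#include <stddef.h>
#include <string.h>

/* Vulnerable form: scans to the end of the first line and terminates it
 * without confirming the scan stopped inside the buffer. Returns the index
 * that was written so the caller can see where the write went. */
long terminate_phrase_unsafe(char *phrases, size_t nb)
{
    size_t i = 0;
    while (i < nb && phrases[i] != '\r' && phrases[i] != '\n')
        i++;
    phrases[i] = '\0';      /* writes phrases[nb] when no newline was found */
    return (long)i;
}

/* Hardened form: the check the report recommends. When the loop exited
 * because i reached nb there is no byte to terminate, so refuse (-1)
 * rather than write past the array. */
long terminate_phrase_safe(char *phrases, size_t nb)
{
    size_t i = 0;
    while (i < nb && phrases[i] != '\r' && phrases[i] != '\n')
        i++;
    if (i >= nb)
        return -1;
    phrases[i] = '\0';
    return (long)i;
}

/* Demonstration harness (constructed input): a backing buffer one byte
 * larger than the logical array, with a canary in the spare byte, so the
 * out-of-bounds write is observable without undefined behaviour.
 * Returns 1 if the canary past phrases[nb-1] was overwritten. */
int canary_clobbered_unsafe(void)
{
    char backing[8];
    size_t nb = 7;
    memcpy(backing, "secret!", nb);  /* 7 bytes, no newline */
    backing[nb] = (char)0xAA;        /* canary just past the logical array */
    terminate_phrase_unsafe(backing, nb);
    return backing[nb] == '\0';
}

/* Same input through the hardened form. Returns 1 only if the input was
 * accepted or the canary was touched; 0 means rejected and intact. */
int canary_clobbered_safe(void)
{
    char backing[8];
    size_t nb = 7;
    memcpy(backing, "secret!", nb);
    backing[nb] = (char)0xAA;
    long r = terminate_phrase_safe(backing, nb);
    return r != -1 || backing[nb] == '\0';
}

/* Well-formed input (a newline inside the buffer) is handled identically by
 * both forms: returns the terminated line length, here 2 for "pw\nrest". */
long newline_case_safe(void)
{
    char b[] = "pw\nrest";
    long r = terminate_phrase_safe(b, sizeof b - 1);
    return (r == 2 && strcmp(b, "pw") == 0) ? r : -2;
}
```

The harness keeps the overflow inside a buffer it owns; in the real function the extra byte belongs to whatever the heap allocator placed after the phrases allocation, which is why the report cites the Exim off-by-one as precedent even though the local, semi-trusted input limits the impact here.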
Assignee: nobody → jewilde
Status: NEW → ASSIGNED
Priority: -- → P1
Adds some missing braces on if structures. Adds a check for i being larger or equal to nb.
Keywords: checkin-needed
Group: toolkit-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main65-]
Group: core-security-release