Closed
Bug 1591742
Opened 6 years ago
Closed 6 years ago
DES IV buffer overread if IV is undersized
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.48
People
(Reporter: guidovranken, Unassigned)
Details
(Keywords: sec-other)
Attachments
(2 files)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Steps to reproduce:
See attached proof of concept.
Compile NSS with AddressSanitizer and this file for a clear indication of what's happening.
This bug was not fixed by the commits associated with https://bugzilla.mozilla.org/show_bug.cgi?id=1576307
Actual results:
The 'ivvec' vector is read beyond bounds in DES_InitContext() COPY8BTOHALF
Expected results:
No overread.
Updated•6 years ago
Group: crypto-core-security
Updated•6 years ago
Flags: needinfo?(franziskuskiefer)
Comment 1•6 years ago
Let's make sure the DES IV has the length we expect it to have.
Updated•6 years ago
Flags: needinfo?(franziskuskiefer)
Comment 2•6 years ago
"sec-other" for Firefox because we don't use DES, but maybe this is more severe for other NSS clients?
Keywords: sec-other
Comment 3•6 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48
Updated•6 years ago
Group: crypto-core-security → core-security-release
Updated•5 years ago
Group: core-security-release
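The kind of check Comment 1 asks for, sketched as an added example (this is not NSS code and not the patch attached to this bug). `demo_des_ctx`, `demo_des_cbc_init`, `load_be32` and the sample IVs are hypothetical names constructed for illustration, and the sketch assumes the caller supplies the IV length alongside the pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DES_BLOCK_LEN 8u /* DES block size, which is also the CBC IV size */

/* Hypothetical context for this example; not NSS's DESContext. */
typedef struct {
    uint32_t iv[2]; /* IV kept as two 32-bit halves */
    int ready;      /* 1 only after a successful init */
} demo_des_ctx;

/* Constructed sample inputs: one well-formed IV, one undersized IV. */
static const unsigned char demo_good_iv[8] = {1, 2, 3, 4, 5, 6, 7, 8};
static const unsigned char demo_short_iv[4] = {1, 2, 3, 4};

/* Load 4 big-endian bytes into a 32-bit word. */
static uint32_t load_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Initialise a CBC context. Returns 0 on success, -1 on a bad argument.
 * The length test must precede the fixed 8-byte read: without it, a
 * 4-byte IV makes load_be32(iv + 4) read past the caller's buffer,
 * which is the class of overread this bug reports.
 */
int demo_des_cbc_init(demo_des_ctx *cx, const unsigned char *iv, size_t iv_len)
{
    if (cx == NULL)
        return -1;
    memset(cx, 0, sizeof(*cx)); /* a failed init leaves ready == 0 */
    if (iv == NULL || iv_len != DES_BLOCK_LEN)
        return -1; /* reject undersized (and oversized) IVs */
    cx->iv[0] = load_be32(iv);
    cx->iv[1] = load_be32(iv + 4);
    cx->ready = 1;
    return 0;
}

int main(void)
{
    demo_des_ctx cx;
    int ok = demo_des_cbc_init(&cx, demo_good_iv, sizeof demo_good_iv) == 0 &&
             demo_des_cbc_init(&cx, demo_short_iv, sizeof demo_short_iv) == -1;
    return ok ? 0 : 1; /* exit status 0 when both cases behave as intended */
}
```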