Closed Bug 1591742 Opened 2 years ago Closed 2 years ago

DES IV buffer overread if IV is undersized

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: guidovranken, Unassigned)

Details

(Keywords: sec-other)

Attachments

(2 files)

pocdesiv.cpp
1.74 KB, text/x-c++src
Details
Bug 1591742 - check des iv length and add test for it, r?jcj
47 bytes, text/x-phabricator-request
Details | Review
Attached file pocdesiv.cpp

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

See attached proof of concept.
Compile NSS with AddressSanitizer and this file for a clear indication of what's happening.

This bug was not fixed by the commits associated with https://bugzilla.mozilla.org/show_bug.cgi?id=1576307

Actual results:

The 'ivvec' vector is read beyond bounds in DES_InitContext() COPY8BTOHALF

Expected results:

No overread.

Group: crypto-core-security
Flags: needinfo?(franziskuskiefer)

Let's make sure the DES IV has the length we expect it to have.

Flags: needinfo?(franziskuskiefer)

"sec-other" for Firefox because we don't use DES, but maybe this is more severe for other NSS clients?

Keywords: sec-other

https://hg.mozilla.org/projects/nss/rev/35857ae98190c590ae00a01cb1a2ed48def3915f

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.48
Group: crypto-core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.