1615298 - Uninitialized memory issue in AddNscpCertType in certutil

Status: RESOLVED FIXED

(NSS :: Tools, defect, P3)

Description

[:Gijs (he/him)]

Splitting this from bug bug 1614250:

(In reply to mlfbrown from bug 1614250 comment #0)

In AddNscpCertType, value appears to used without being defined.
I can't determine any invariants that should make this safe, but apologies if
I have missed some.

Function here
https://searchfox.org/mozilla-central/source/security/nss/cmd/certutil/certext.c#662

int value;                                                                                     
if (parseNextCmdInput(nsCertTypeKeyWordArray, &value, &nextPos, &isCriticalExt) == SECFailure) 
  return SECFailure

--> within parseNextCmdInput
--> (https://searchfox.org/mozilla-central/source/security/nss/cmd/certutil/certext.c#272)
--> if (!strncmp("critical", thisPos, keyLen))
--> ... if (*nextPos == NULL)
--> return SECSuccess without setting value

keyUsage |= (0x80 >> value);
(https://searchfox.org/mozilla-central/source/security/nss/cmd/certutil/certext.c#706)

Comment 1

[Daniel Veditz [:dveditz]]

certutil is not covered by the bug bounty program

Comment 2

[John Schanck [:jschanck]]

There's no attacker controlled input here, so it's a stretch to call it a security bug.

Comment 3

[John Schanck [:jschanck]]

Attachment: Bug 1615298 - improve certutil keyUsage, extKeyUsage, and nsCertType keyword handling. r=#nss-reviewers

Comment 4

[John Schanck [:jschanck]]

https://hg.mozilla.org/projects/nss/rev/d98dbabd0936bd2f6cf2f7f835e8201fdd1db3ae