Closed Bug 1705325 Opened 5 years ago Closed 2 years ago

Upgrade SQLite in NSS to latest or at least 3.34.1

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1815683

People

(Reporter: sunny4saurabh, Unassigned)

Details

(Whiteboard: [nss-nofx])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36

Steps to reproduce:

NSS uses SQLite 3.29, which has security vulnerabilities.

Actual results:

SQLite 3.34.1 addressed CVE-2021-20227. CVE-2021-20227 is a vulnerability that allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. Its CVSSv3.1 score is 5.5 in NVD.

Fixes to SQLite were released in version 3.34.1 publicly on January 20, 2021. Products should always upgrade to the most recent version of a third party product. The latest SQLite releases can be found at https://www.sqlite.org/download.html

Expected results:

No security vulnerabilities

Firefox isn't affected by this - attackers can't cause arbitrary SQL queries to be run on the NSS SQL DBs.

Severity: -- → S4
Whiteboard: [nss-nofx]

It is not only Firefox which uses the NSS runtime libs. When we use NSS as a third-party runtime lib for our product to create a certificate DB, it is impacted, and the security vulnerability below is tracked by an analyzer tool:

SQLite 3.34.1 addressed CVE-2021-20227. CVE-2021-20227 is a vulnerability that allows an attacker who is capable of running SQL queries locally on the SQLite database to cause a denial of service or possible code execution by triggering a use-after-free. Its CVSSv3.1 score is 5.5 in NVD.

Why is NSS not using the latest SQLite, which has resolved all these vulnerabilities?

So the version of sqlite that is included in NSS only exists so that NSS can be compiled and run - for testing purposes - without an external dependency. People deploying NSS should be using a different version of sqlite: either one they provide or one that is provided by the operating system. This is what Linux distributions do, for example.

That all said, if someone were to provide a patch, I'd probably just land it. It's not particularly hard to do.
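The maintainer's point above is that the SQLite copy in the NSS tree is a test-only convenience and that a deployment's exposure depends on whichever libsqlite3 the installed NSS softoken actually resolves at load time. The script below is an added example (not NSS code and not part of this bug) that makes that concrete for a deployer: it locates the installed softoken via the loader cache, asks ldd which libsqlite3 it links, pulls the version literal out of that library, and compares it against the 3.34.1 floor the reporter cites. It assumes a Linux host with ldd, ldconfig, strings and awk; the library name libsoftokn3.so and the MIN_SQLITE value come from the page, everything else (function names, the strings-based version heuristic) is the example's own.

```sh
#!/bin/sh
# Added example, not from NSS or this bug: report which SQLite shared library
# the installed NSS softoken links against and whether it meets the 3.34.1 floor.
# Assumes Linux with ldd, ldconfig, strings and awk available.

MIN_SQLITE="3.34.1"   # version the bug names as carrying the CVE-2021-20227 fix

# version_ge A B -> status 0 if dotted version A >= B (up to three components).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}            # "3.34" compares as 3.34.0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# sqlite_lib_for LIB -> path of the libsqlite3 that LIB resolves at load time,
# or nothing if the loader finds no shared libsqlite3 dependency.
sqlite_lib_for() {
    ldd "$1" 2>/dev/null | awk '/libsqlite3/ { print $3; exit }'
}

# sqlite_lib_version PATH -> the "3.x.y" literal embedded in the library.
# Heuristic (example's own): sqlite3_libversion() returns a string constant that
# survives in the binary's read-only data, so the first bare 3.x.y line is it.
sqlite_lib_version() {
    strings "$1" 2>/dev/null | grep -E '^3\.[0-9]+\.[0-9]+$' | head -n 1
}

# check_nss_sqlite -> prints a verdict; status 0 = new enough, 1 = too old,
# 2 = could not determine (NSS not installed or no shared libsqlite3 found).
check_nss_sqlite() {
    softokn=$(ldconfig -p 2>/dev/null | awk '/libsoftokn3\.so/ { print $NF; exit }')
    if [ -z "$softokn" ]; then
        echo "libsoftokn3.so not found in the loader cache; is NSS installed?"
        return 2
    fi
    sqlite=$(sqlite_lib_for "$softokn")
    if [ -z "$sqlite" ]; then
        echo "$softokn: no shared libsqlite3 dependency found; inspect the build"
        return 2
    fi
    ver=$(sqlite_lib_version "$sqlite")
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_SQLITE"; then
        echo "$softokn -> $sqlite ($ver): >= $MIN_SQLITE, OK"
        return 0
    fi
    echo "$softokn -> $sqlite (${ver:-unknown}): older than $MIN_SQLITE, upgrade the system SQLite"
    return 1
}

# Run the check when the script is executed; keep the verdict in $status so the
# script itself does not abort under set -e before a caller can read it.
if check_nss_sqlite; then status=0; else status=$?; fi
echo "verdict status: $status"
```

The path printed by ldd is the answer to the maintainer's point: if it lands inside an NSS dist directory rather than the system library directory, the deployment is running the tree's own test-only SQLite copy and the reporter's concern applies; if it is the distribution's libsqlite3, the SQLite package, not NSS, is what needs to be kept current.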

Priority: -- → P3
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1815683
Resolution: --- → DUPLICATE