Closed Bug 1735028 (CVE-2022-22747) Opened 3 years ago Closed 2 years ago

CERT_DecodeCertPackage() crash with empty pkcs7 sequence

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Version:
3.70
Type:
defect

Tracking

(firefox-esr9196+ fixed, firefox94 wontfix, firefox95 wontfix, firefox96+ fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox-esr91 96+ fixed
firefox94 --- wontfix
firefox95 --- wontfix
firefox96 + fixed

People

(Reporter: taviso, Assigned: jschanck)

Details

(Keywords: csectype-dos, sec-low, Whiteboard: [nss-fx](worse for server consumers of NSS, where availability is a more important security trait) [post-critsmash-triage] [adv-main96+][adv-ESR91.5+])

Attachments

(3 files)

nss-empty-pkcs7.der
17 bytes, application/x-x509-ca-cert
Details
Bug 1735028 - check for missing signedData field r=keeler
48 bytes, text/x-phabricator-request
Details | Review
advisory.txt
188 bytes, text/plain
Details
Attached file nss-empty-pkcs7.der

This is similar to bug 1533216, I found another case where CERT_DecodeCertPackage() can fail. As far as I know, this can crash any client or server that accepts untrusted certificates because this is the standard entrypoint for getting a CERT object from some data read off the wire.

I'm surprised this wasn't caught by fuzzing, but if you put an indefinite sequence containing just a pkcs7 signedData OID, followed by a NULL or EOC or something similar, SEC_ReadPKCS7Certs() will dump core.

$ certutil -d "." -A -n test -t "p,p,p" -i nss-empty-pkcs7.der 
Segmentation fault
Group: crypto-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-dos, sec-low
Whiteboard: (worse for server consumers of NSS, where availability is a more important security trait)

The severity field is not set for this bug.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(bbeurdouche)
Assignee: nobody → jschanck
Severity: -- → S3
Status: NEW → ASSIGNED
Priority: -- → P1
Whiteboard: (worse for server consumers of NSS, where availability is a more important security trait) → [nss-fx](worse for server consumers of NSS, where availability is a more important security trait)
Target Milestone: --- → 3.73

Updating the Firefox status fields: It looks like this was included in NSS 3.68.1 so it'll be fixed in Firefox ESR91.4. Also fixed in NSS 3.73 which means Firefox release 96 will be the fixed one.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox95: --- → affected
status-firefox96: --- → fixed
status-firefox-esr91: --- → fixed
tracking-firefox-esr91: --- → 95+
Resolution: --- → FIXED

Technically these won't be checked in until tomorrow. I'll reopen until we have a commit link to add to the bug

Status: RESOLVED → REOPENED
Resolution: FIXED → ---

We're also not planning to respin the Firefox 91.4.0esr build for NSS 3.68.1, just TB 91.4.0.

status-firefox94: --- → wontfix
status-firefox95: affectedwontfix
tracking-firefox96: --- → +
tracking-firefox-esr91: 95+96+
Group: crypto-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [nss-fx](worse for server consumers of NSS, where availability is a more important security trait) → [nss-fx](worse for server consumers of NSS, where availability is a more important security trait) [post-critsmash-triage]
Whiteboard: [nss-fx](worse for server consumers of NSS, where availability is a more important security trait) [post-critsmash-triage] → [nss-fx](worse for server consumers of NSS, where availability is a more important security trait) [post-critsmash-triage] [adv-main96+][adv-ESR91.5+]
Attached file advisory.txt

Are we sure this here was really just a crash?

I think so. It's a null pointer dereference where we explicitly initialize the pointer to NULL. I don't see a way to trigger anything more severe---like dereferencing an uninitialized pointer or an attacker controlled pointer.

Alias: CVE-2022-22747
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: