Closed Bug 1774654 (CVE-2022-3479) Opened 2 years ago Closed 1 year ago

tstclnt crashes when accessing gnutls server without a user cert in the database.


(NSS :: Libraries, defect, P5)



(Not tracked)



(Reporter: rrelyea, Assigned: rrelyea)


(Whiteboard: [nss-nofx])


(2 files)

The patch for bug 1552254 contains an error where we check for a empty list, but the list is NULL. This can happen if the server requests a client auth cert, but the client has no certs in it's database. The crash happens in the default auth cert handler, which firefox overrides, so firefox does not have this issue, but other client applications (like tstclient) can crash. I'm including the upstream patch. I'll attach a phabricator patch shortly.

Assignee: nobody → rrelyea
Severity: -- → S3
Priority: -- → P5
Whiteboard: [nss-nofx]
Target Milestone: --- → 3.81

Trivy reports a high CVE-2022-3479 for this.

Even though the target milestone is tagged to 3.81, I don't see this fix even on 3.84. It would also be great to have an ESR release with this in, if possible. From a quick glance the codebase looks to match.

What is the plan to get this fixed?

Alias: CVE-2022-3479

Bob can you submit your patch through phab? FWIW, I think the null check needs to be immediately after CERT_FindUserCertsByUsage, or we can crash in CERT_FilterCertListByCANames in the !chosenNickName case. Probably CERT_FilterCertListByCANames should also have a null check.

Flags: needinfo?(rrelyea)
Target Milestone: 3.81 → 3.85

john, You are correct. The patch attached to this bug is old and incomplete. I have a better patch I'll push to fabricator.

Flags: needinfo?(rrelyea)
Target Milestone: 3.85 → 3.87

The filter functions do not handle NULL CERTCertLists, but CERT_FindUserCertsByUsage can return a NULL cert list. If it returns a NULL list, we should just
fail at the point (there are no certs available).

Closed: 1 year ago
Resolution: --- → FIXED

Shouldn't this also get uplifted to ESR?

Flags: needinfo?(rrelyea)

It doesn't need to be. It doesn't affect Firefox. The code in question is a default get UserCert handler which isn't used by Firefox.

Flags: needinfo?(rrelyea)

The patch applies cleanly to ESR. We've patched the version ourselves now, so we're fine.

But I think in principle, NSS ESR is also supported standalone? Therefore it should also get all security fixes that don't affect Firefox.

You need to log in before you can comment on or make changes to this bug.