Closed
Bug 334277
Opened 19 years ago
Closed 19 years ago
double free in [@ sftk_FreeAttribute - sftk_DeleteAttributeType]
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.1
People
(Reporter: timeless, Assigned: alvolkov.bgs)
References: (none)
Details
(4 keywords, Whiteboard: CID 675)
Crash Data
Attachments
(1 file)
894 bytes, patch, rrelyea: review+
found by coverity
sftk_FreeAttribute
sftk_DeleteAttribute
sftk_DeleteAttributeType
sftk_FreeAttribute
sftk_DeleteAttributeType
Updated•19 years ago
Assignee: kengert → nobody
Updated•19 years ago
Severity: blocker → critical
Priority: -- → P2
Target Milestone: --- → 3.11.1
Version: 4.0 → 3.11
Updated•19 years ago
Hardware: PC → All
Comment 1•19 years ago
Assignee: nobody → alexei.volkov.bugs
Status: NEW → ASSIGNED
Attachment #219649 - Flags: review?(nelson)
Comment 2•19 years ago
Adding Bob to CC list
Comment 3•19 years ago
Comment on attachment 219649 [details] [diff] [review]
fix
r=relyea.
Attachment #219649 - Flags: review?(nelson) → review+
Updated•19 years ago
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 5•18 years ago
should this fix get picked up for the 2.0.0.4 firefox release?
Flags: blocking1.8.1.4?
Comment 6•18 years ago
I just did a quick review of the code. All the uses of sftk_DeleteAttributeType() are in pkcs11c.c. In all these cases, the attribute in question is tied to a PKCS #11 session object and is never actually freed by the call, so there should be no vulnerability (the attributes are all freed when the object goes away).
The fix silences the coverity warning, and would protect against possible future uses of sftk_DeleteAttributeType against a potential double free.
All that being said, it looks like this patch has been in FF for quite a while. FF 2.0.0.3 is on NSS 3.11.4 or 3.11.5 and this fix has been in since 3.11.3 Beta.
Comment 7•18 years ago
FF2.0.0.1 used NSS 3.11.4 (FF1.5.0.9 still NSS 3.10.3 plus some patches)
FF2.0.0.2/3 use NSS 3.11.5 (also FF1.5.0.10/11)
Flags: blocking1.8.1.4?
Keywords: fixed1.8.0.10, fixed1.8.1.1
Updated•18 years ago
Group: security
Updated•14 years ago
Crash Signature: [@ sftk_FreeAttribute - sftk_DeleteAttributeType]