Closed
Bug 633063
Opened 13 years ago
Closed 12 years ago
Uninitialized memory read in CertDB common_FindCertByNicknameOrEmailAddrForUsage
Categories
(NSS :: Libraries, defect)
Tracking
(firefox-esr10 wontfix)
RESOLVED
FIXED
3.13.2
| | Tracking | Status |
|---|---|---|
| firefox-esr10 | --- | wontfix |
People
(Reporter: briansmith, Assigned: KaiE)
Details
(Whiteboard: [sg:nse] might be critical for other uses)
Attachments
(1 file)
1.01 KB, patch | rrelyea: review+
The variable "cert" might be read without having been assigned. If the uninitialized value is non-NULL then the memory it points to will be corrupted by the call to CERT_DestroyCertificate.

```c
common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle,
                                             const char *name,
                                             PRBool anyUsage,
                                             SECCertUsage lookingForUsage)
{
    [...]
    CERTCertificate *cert;
    [...]
    if (anyUsage) {
        cert = PK11_FindCertFromNickname(name, NULL);
    } else {
        [...]
        certlist = PK11_FindCertsFromNickname(name, NULL);
        if (certlist) {
            SECStatus rv = CERT_FilterCertListByUsage(certlist, lookingForUsage, PR_FALSE);
            if (SECSuccess == rv &&
                !CERT_LIST_END(CERT_LIST_HEAD(certlist), certlist)) {
                cert = CERT_DupCertificate(CERT_LIST_HEAD(certlist)->cert);
            }
            CERT_DestroyCertList(certlist);
        }
    }
    if (cert) {
        c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
        CERT_DestroyCertificate(cert);
        if (ct) {
            CERT_DestroyCertificate(STAN_GetCERTCertificateOrRelease(ct));
    [...]
}
```
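The control flow described above, reduced to a self-contained C model (an added example, not the NSS source and not the attached patch). `Cert`, `CertList`, `find_for_usage` and the helper names are hypothetical stand-ins, and initializing the pointer to NULL is an assumed remedy, since the patch itself is not reproduced on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the NSS types and helpers; not NSS code. */
typedef struct { int refs; } Cert;
typedef struct { Cert *head; int filter_ok; } CertList; /* head == NULL: empty */

static int destroy_calls; /* how often the cleanup routine ran */

static Cert *dup_cert(Cert *c) { c->refs++; return c; }
static void destroy_cert(Cert *c) { c->refs--; destroy_calls++; }

/* Same branch structure as the function quoted in the report.
 * Returns 1 if a certificate was found and released, 0 otherwise. */
int find_for_usage(int any_usage, Cert *by_nickname, CertList *certlist)
{
    Cert *cert = NULL; /* the quoted declaration has no initializer */

    if (any_usage) {
        cert = by_nickname;            /* assigned on every call, may be NULL */
    } else if (certlist) {             /* path 1: lookup returned no list */
        if (certlist->filter_ok        /* path 2: usage filter failed */
            && certlist->head) {       /* path 3: list empty after filtering */
            cert = dup_cert(certlist->head);
        }
    }
    /* On paths 1-3 nothing assigns cert, so only the initializer keeps an
     * indeterminate pointer from reaching destroy_cert(). */
    if (cert) {
        destroy_cert(cert);
        return 1;
    }
    return 0;
}

int main(void)
{
    Cert c = { 1 };
    CertList filtered_out = { &c, 0 };
    int found = find_for_usage(0, NULL, &filtered_out);
    printf("found=%d destroy_calls=%d refs=%d\n", found, destroy_calls, c.refs);
    return 0;
}
```

With the initializer removed, GCC's `-Wmaybe-uninitialized` and Clang's `-Wsometimes-uninitialized` can flag the read at the `if (cert)` test.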
Comment 1 • 13 years ago
I can't find any uses of the public entry point CERT_FindCertByNicknameOrEmailAddrForUsage anywhere in the Mozilla tree so it doesn't seem like it could be a security problem that affects us, but could be a problem for any NSS-using app that calls it.
Whiteboard: [sg:nse] might be critical for other uses
Assignee
Comment 2 • 13 years ago
This issue has been reported publicly by :decoder in bug 714992, so we could open up this one, too.
Assignee
Comment 4 • 13 years ago
Assignee: nobody → kaie
Attachment #587755 - Flags: review?(rrelyea)
Comment 5 • 12 years ago
Comment on attachment 587755
Patch v1

r+ rrelyea
Attachment #587755 - Flags: review?(rrelyea) → review+
Assignee
Comment 6 • 12 years ago
Can we open this bug?

Checking in stanpcertdb.c;
/cvsroot/mozilla/security/nss/lib/certdb/stanpcertdb.c,v <-- stanpcertdb.c
new revision: 1.89; previous revision: 1.88
done
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.13.2
Updated • 12 years ago
status-firefox-esr10: --- → wontfix
Updated • 9 years ago
Group: core-security