Debian Bug report logs - #873259
nss: CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page (lib/dbm/src/h_page.c:704)
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>: Bug#873259; Package src:nss. (Fri, 25 Aug 2017 20:54:09 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 25 Aug 2017 20:54:09 GMT)
Message #5 received at submit@bugs.debian.org:
Source: nss
Version: 2:3.26-1
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.mozilla.org/show_bug.cgi?id=1360779
Hi,
the following vulnerability was published for nss.
CVE-2017-11698[0]:
|heap-buffer-overflow (write of size 2) in __get_page
|(lib/dbm/src/h_page.c:704)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-11698
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11698
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.12.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>: Bug#873259; Package src:nss. (Fri, 08 Sep 2017 19:30:11 GMT)
Acknowledgement sent to Ola Lundqvist <ola@inguza.com>: Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 08 Sep 2017 19:30:11 GMT)
Message #10 received at 873259@bugs.debian.org:
Hi
I have not been able to confirm this statement as I do not have access to
the bugzilla entries but Redhat advisory claims that in order to exploit
this you actually need to create crafted NDB DBM files which is very likely
to be a problem in practice. Typically you need write access for the user
running the service and then there are easier ways to cause problems than
this. This means that this is really a minor security problem if any. It
would however be good if someone could confirm the statement from Redhat.
I have marked the issue as no-dsa for wheezy but if someone has
information that proves Redhat to be wrong then we should change that
statement.
Best regards
// Ola
--
--- Inguza Technology AB --- MSc in Information Technology ----
/ ola@inguza.com Folkebogatan 26 \
| opal@debian.org 654 68 KARLSTAD |
| http://inguza.com/ Mobile: +46 (0)70-332 1551 |
\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /
---------------------------------------------------------------
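Ola's assessment above hinges on a precondition: an attacker has to get a crafted DBM file in front of the NSS dbm code, which normally means being able to write (or replace) the database files the service opens. The script below is an added example, not code from the bug report or from the NSS project, that turns that precondition into a quick check: it looks for NSS legacy DBM databases and reports whether anyone other than the owner can write the file or the directory containing it. It assumes (labelled in the code) that the legacy files are named cert8.db, key3.db and secmod.db, that they are in the Berkeley DB 1.85 hash format implemented by lib/dbm, whose header starts with the 32-bit magic 0x061561 in the writer's byte order, and the default directory list is an illustrative guess to be replaced with the directories your service actually uses.

```python
"""Find NSS legacy DBM databases and flag those writable by non-owners.

Added example for assessing CVE-2017-11698 exposure; not part of the bug
report or of NSS itself.

Assumptions (not taken from the bug report):
  * legacy NSS databases are cert8.db / key3.db / secmod.db;
  * the dbm hash header begins with HASHMAGIC = 0x061561, stored in the
    native byte order of the machine that wrote the file;
  * DEFAULT_DIRS is a placeholder list; pass real directories on argv.
"""
import os
import stat
import sys
from typing import Iterator, List, NamedTuple

HASHMAGIC = 0x061561                       # Berkeley DB 1.85 hash magic
LEGACY_DB_NAMES = ("cert8.db", "key3.db", "secmod.db")
DEFAULT_DIRS = [os.path.expanduser("~/.pki/nssdb"), "/etc/pki/nssdb"]


def is_dbm_hash_file(header: bytes) -> bool:
    """True if the first 4 bytes carry HASHMAGIC in either byte order."""
    if len(header) < 4:
        return False
    magic_le = int.from_bytes(header[:4], "little")
    magic_be = int.from_bytes(header[:4], "big")
    return HASHMAGIC in (magic_le, magic_be)


def writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set on a st_mode value."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


class Finding(NamedTuple):
    path: str
    is_dbm: bool               # header matched HASHMAGIC
    mode: int                  # permission bits of the file
    file_writable: bool        # group/world can modify the contents
    dir_writable: bool         # group/world can replace the file


def scan(directories: List[str]) -> Iterator[Finding]:
    """Yield one Finding per legacy database file that exists."""
    for d in directories:
        try:
            dir_mode = os.stat(d).st_mode
        except OSError:
            continue                       # directory absent or unreadable
        for name in LEGACY_DB_NAMES:
            path = os.path.join(d, name)
            try:
                st = os.stat(path)
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue                   # file absent or unreadable
            yield Finding(
                path=path,
                is_dbm=is_dbm_hash_file(head),
                mode=stat.S_IMODE(st.st_mode),
                file_writable=writable_by_others(st.st_mode),
                dir_writable=writable_by_others(dir_mode),
            )


def scan_to_list(directories: List[str]) -> List[Finding]:
    """Non-lazy wrapper around scan() for callers that want a list."""
    return list(scan(directories))


if __name__ == "__main__":
    for f in scan(sys.argv[1:] or DEFAULT_DIRS):
        fmt = "dbm" if f.is_dbm else "not-dbm"
        risk = "EXPOSED" if (f.file_writable or f.dir_writable) else "ok"
        print(f"{f.path}: {fmt} mode={oct(f.mode)} "
              f"file_writable={f.file_writable} "
              f"dir_writable={f.dir_writable} {risk}")
```

A database that is in the dbm format and that some other local user can write or replace is the situation Ola describes as the exploitation precondition; a database that only the service owner can touch does not remove the bug but confirms his point that an attacker who could plant a crafted file already has easier ways to cause damage. Modern NSS stores (cert9.db/key4.db) are SQLite files and will show up as not-dbm if you point the script at them.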
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:20:53 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.