GNU bug report logs -
#52228
NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"
Reported by: Leo Famulari <leo <at> famulari.name>
Date: Wed, 1 Dec 2021 17:35:02 UTC
Severity: normal
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Report forwarded to bug-guix <at> gnu.org: bug#52228; Package guix. (Wed, 01 Dec 2021 17:35:02 GMT)
Acknowledgement sent to Leo Famulari <leo <at> famulari.name>: New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 01 Dec 2021 17:35:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
An attacker-controlled memory corruption vulnerability was discovered in
NSS:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2237
Information forwarded to bug-guix <at> gnu.org: bug#52228; Package guix. (Fri, 03 Dec 2021 02:09:02 GMT)
Message #8 received at 52228 <at> debbugs.gnu.org:
Hi Leo,
Leo Famulari <leo <at> famulari.name> writes:
> An attacker-controlled memory corruption vulnerability was discovered in
> NSS:
>
> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237
Thanks for bringing this to our attention. I just pushed a new
'gnuzilla-updates' branch, which is 'master' plus two new commits:
--8<---------------cut here---------------start------------->8---
commit 0863c665ebc54046baac7db1fde1f1f0e24476d0
Author: Mark H Weaver <mhw <at> netris.org>
Date: Thu Dec 2 20:23:16 2021 -0500
UNTESTED: gnu: nss: Fix CVE-2021-43527 via graft.
* gnu/packages/patches/nss-CVE-2021-43527.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/nss.scm (nss/fixed): New variable
(nss)[replacement]: New field.
commit bc6afae2466017d1a19725a86e69e666249a1b71
Author: Mark H Weaver <mhw <at> netris.org>
Date: Thu Dec 2 20:14:05 2021 -0500
UNTESTED: gnu: icecat: Fix CVE-2021-43527.
* gnu/packages/patches/icecat-CVE-2021-43527.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat-source): Apply it.
--8<---------------cut here---------------end--------------->8---
As the summary lines indicate, I haven't yet tested these patches, apart
from verifying that the patched sources are built correctly.
If I'm not mistaken, ci.guix.gnu.org will soon evaluate the
'gnuzilla-updates' branch and perform the necessary rebuilds.
If all goes well, I'll cherry-pick these commits to 'master'.
If someone else verifies that the commits are good before I get to it,
please feel free to cherry-pick them to 'master' on my behalf (with the
"UNTESTED: " prefixes removed, of course).
Regards,
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
Information forwarded to bug-guix <at> gnu.org: bug#52228; Package guix. (Sat, 04 Dec 2021 00:30:02 GMT)
Message #11 received at 52228 <at> debbugs.gnu.org:
Hi,
For the record, I've pushed commits
080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
believe should fix this issue in our 'nss', 'icecat', 'icedove',
'icedove-wayland', and 'geierlein' packages.
Does anyone know if there are other packages in Guix that include a
bundled copy of NSS? If not, I guess this bug can be closed.
Thanks,
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.
Information forwarded to bug-guix <at> gnu.org: bug#52228; Package guix. (Sun, 05 Dec 2021 04:44:02 GMT)
Message #14 received at 52228 <at> debbugs.gnu.org:
On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
> Hi,
>
> For the record, I've pushed commits
> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
> believe should fix this issue in our 'nss', 'icecat', 'icedove',
> 'icedove-wayland', and 'geierlein' packages.
Thanks for working on it, Mark.
> Does anyone know if there are other packages in Guix that include a
> bundled copy of NSS? If not, I guess this bug can be closed.
Personally I don't know... I hope not. Let's wait a couple more days
before closing.
Reply sent to Maxim Cournoyer <maxim.cournoyer <at> gmail.com>: You have taken responsibility. (Wed, 23 Mar 2022 02:35:01 GMT)
Notification sent to Leo Famulari <leo <at> famulari.name>: bug acknowledged by developer. (Wed, 23 Mar 2022 02:35:02 GMT)
Message #19 received at 52228-done <at> debbugs.gnu.org:
Hello,
Leo Famulari <leo <at> famulari.name> writes:
> On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
>> Hi,
>>
>> For the record, I've pushed commits
>> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
>> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
>> believe should fix this issue in our 'nss', 'icecat', 'icedove',
>> 'icedove-wayland', and 'geierlein' packages.
>
> Thanks for working on it, Mark.
>
>> Does anyone know if there are other packages in Guix that include a
>> bundled copy of NSS? If not, I guess this bug can be closed.
>
> Personally I don't know... I hope not. Let's wait a couple more days
> before closing.
It's been 15 weeks :-).
Closing.
Maxim
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 20 Apr 2022 11:24:09 GMT)
GNU bug tracking system. Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.