Mozilla Foundation Security Advisory 2013-103

Miscellaneous Network Security Services (NSS) vulnerabilities

Announced
November 15, 2013
Impact
Critical
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 25.0.1
  • Firefox ESR 17.0.11
  • Firefox ESR 24.1.1
  • SeaMonkey 2.22.1
  • Thunderbird 24.1.1
  • Thunderbird ESR 17.0.11

Description

Mozilla has updated the version of the Network Security Services (NSS) library used in Mozilla projects to NSS 3.15.3, with the exception of ESR17-based releases, which have been updated to NSS 3.14.5. This addresses several networking security issues rated moderate to critical.

Google developer Andrew Tinits reported a potentially exploitable buffer overflow that was fixed in both NSS 3.15.3 and NSS 3.14.5.

Mozilla developer Camilo Viecco discovered that if the verifylog feature was used when validating certificates, then certificates with incompatible key usage constraints were not rejected. This did not directly affect Firefox but might affect other software using the NSS library.

Google security researcher Tavis Ormandy reported a runaway memset in certificate parsing on 64-bit computers leading to a crash by attempting to write 4Gb of nulls.

Pascal Cuoq, Red Hat developer Kamil Dudka, and Google developer Wan-Teh Chang found that equivalent Netscape Portable Runtime (NSPR) library code suffered from the same integer truncation.

NSS lowered the priority of RC4 in its cipher suite advertisement so that the server is likely to choose a more secure cipher instead of RC4. This can help address the problem described by Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt in their paper "On the Security of RC4 in TLS."
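The following added example (not NSS code and not part of the original advisory) models why demoting RC4 in the client's advertised list makes a stronger cipher "likely" rather than guaranteed: the outcome depends on whether the server honors the client's order and on what the server supports. The suite lists, server configurations and function names are constructed for illustration; the actual NSS ordering is not given in the advisory.

```python
# Constructed ClientHello preference list using IANA suite names.
# Assumption: this is NOT the real NSS ordering, only a pre-change-style list.
CLIENT_BEFORE = [
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def is_rc4(suite):
    return "_RC4_" in suite

def demote_rc4(suites):
    """Stable reorder: non-RC4 suites keep their relative order, RC4 goes last."""
    return [s for s in suites if not is_rc4(s)] + [s for s in suites if is_rc4(s)]

def server_select(client_offer, server_suites, honor_client_order):
    """Return the suite a server would pick, or None if there is no overlap."""
    if honor_client_order:
        walk, other = client_offer, set(server_suites)
    else:
        walk, other = server_suites, set(client_offer)
    return next((s for s in walk if s in other), None)

# Constructed server configurations (hypothetical).
SERVER_MIXED = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
SERVER_RC4_ONLY = ["TLS_RSA_WITH_RC4_128_SHA"]

def outcomes():
    after = demote_rc4(CLIENT_BEFORE)
    return {
        # Server follows client order: the reorder changes the result.
        "client_order_before": server_select(CLIENT_BEFORE, SERVER_MIXED, True),
        "client_order_after": server_select(after, SERVER_MIXED, True),
        # Server enforces its own order: the client-side reorder has no effect.
        "server_order_after": server_select(after, SERVER_MIXED, False),
        # Server only supports RC4: it is still offered, so it is still chosen.
        "rc4_only_after": server_select(after, SERVER_RC4_ONLY, True),
    }

if __name__ == "__main__":
    for case, suite in outcomes().items():
        print(f"{case:22} -> {suite}")
```

The last two cases show what the client-side change cannot fix: servers that prefer or only support RC4 still negotiate it, so server cipher configuration needs review as well.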