Mozilla Foundation Security Advisory 2015-133

NSS and NSPR memory corruption issues

Announced
November 3, 2015
Reporter
Tyson Smith, David Keeler, Ryan Sleevi
Impact
Critical
Products
Firefox, Firefox ESR, Thunderbird
Fixed in
  • Firefox 42
  • Firefox ESR 38.4
  • Thunderbird 38.4

Description

Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 3.19.2.1 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.

Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS.

References