NSS and NSPR memory corruption issues
- November 3, 2015
- Tyson Smith, David Keeler, Ryan Sleevi
- Firefox, Firefox ESR, Thunderbird
- Fixed in
- Firefox 42
- Firefox ESR 38.4
- Thunderbird 38.4
Mozilla engineers Tyson Smith and David Keeler reported a use-after-poison and buffer overflow in the ASN.1 decoder in Network Security Services (NSS). These issues were in octet string parsing and were found through fuzzing and code inspection. If these issues were triggered, they would lead to a potentially exploitable crash. These issues were fixed in NSS version 220.127.116.11 and 3.19.4, shipped in Firefox and Firefox ESR, respectively, as well as NSS 3.20.1.
Google security engineer Ryan Sleevi reported an integer overflow in the Netscape Portable Runtime (NSPR) due to a lack of checks during memory allocation. This leads to a potentially exploitable crash. This issue is fixed in NSPR 4.10.10. The NSPR library is a required component of NSS.