From: Leo Famulari
To: bug-guix@gnu.org
Date: Wed, 1 Dec 2021 12:34:27 -0500
Subject: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"

An attacker-controlled memory corruption vulnerability was discovered in
NSS:

https://bugs.chromium.org/p/project-zero/issues/detail?id=2237


From: Mark H Weaver
To: Leo Famulari, 52228@debbugs.gnu.org
Date: Thu, 02 Dec 2021 21:07:41 -0500
Subject: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"

Hi Leo,

Leo Famulari writes:
> An attacker-controlled memory corruption vulnerability was discovered in
> NSS:
>
> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237

Thanks for bringing this to our attention. I just pushed a new
'gnuzilla-updates' branch, which is 'master' plus two new commits:

--8<---------------cut here---------------start------------->8---
commit 0863c665ebc54046baac7db1fde1f1f0e24476d0
Author: Mark H Weaver
Date:   Thu Dec 2 20:23:16 2021 -0500

    UNTESTED: gnu: nss: Fix CVE-2021-43527 via graft.

    * gnu/packages/patches/nss-CVE-2021-43527.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/nss.scm (nss/fixed): New variable
    (nss)[replacement]: New field.

commit bc6afae2466017d1a19725a86e69e666249a1b71
Author: Mark H Weaver
Date:   Thu Dec 2 20:14:05 2021 -0500

    UNTESTED: gnu: icecat: Fix CVE-2021-43527.

    * gnu/packages/patches/icecat-CVE-2021-43527.patch: New file.
    * gnu/local.mk (dist_patch_DATA): Add it.
    * gnu/packages/gnuzilla.scm (icecat-source): Apply it.
--8<---------------cut here---------------end--------------->8---

As the summary lines indicate, I haven't yet tested these patches, apart
from verifying that the patched sources are built correctly.

If I'm not mistaken, ci.guix.gnu.org will soon evaluate the
'gnuzilla-updates' branch and perform the necessary rebuilds. If all
goes well, I'll cherry-pick these commits to 'master'.

If someone else verifies that the commits are good before I get to it,
please feel free to cherry-pick them to 'master' on my behalf (with the
"UNTESTED: " prefixes removed, of course).

Regards,
Mark

--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about .

From: Mark H Weaver
To: Leo Famulari, 52228@debbugs.gnu.org
Date: Fri, 03 Dec 2021 19:28:18 -0500
Subject: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"

Hi,

For the record, I've pushed commits
080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
believe should fix this issue in our 'nss', 'icecat', 'icedove',
'icedove-wayland', and 'geierlein' packages.

Does anyone know if there are other packages in Guix that include a
bundled copy of NSS? If not, I guess this bug can be closed.

Thanks,
Mark


From: Leo Famulari
To: Mark H Weaver
Cc: 52228@debbugs.gnu.org
Date: Sat, 4 Dec 2021 23:43:23 -0500
Subject: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"

On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
> Hi,
>
> For the record, I've pushed commits
> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
> believe should fix this issue in our 'nss', 'icecat', 'icedove',
> 'icedove-wayland', and 'geierlein' packages.

Thanks for working on it, Mark.

> Does anyone know if there are other packages in Guix that include a
> bundled copy of NSS? If not, I guess this bug can be closed.

Personally I don't know... I hope not. Let's wait a couple more days
before closing.


From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Leo Famulari
Date: Wed, 23 Mar 2022 02:35:02 +0000
Subject: bug#52228: closed (Re: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures")

Your bug report

#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 52228@debbugs.gnu.org.

--
52228: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=52228
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems


From: Maxim Cournoyer
To: Leo Famulari
Cc: 52228-done@debbugs.gnu.org, Mark H Weaver
Date: Tue, 22 Mar 2022 22:34:36 -0400
Subject: Re: bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures"

Hello,

Leo Famulari writes:

> On Fri, Dec 03, 2021 at 07:28:18PM -0500, Mark H Weaver wrote:
>> Hi,
>>
>> For the record, I've pushed commits
>> 080a5de2eeb5e0da83ae9fd94488508d5227c4e3 and
>> d49e7a592f2f12cd1f9e07edfeebe0a2771f491e to the 'master' branch, which I
>> believe should fix this issue in our 'nss', 'icecat', 'icedove',
>> 'icedove-wayland', and 'geierlein' packages.
>
> Thanks for working on it, Mark.
>
>> Does anyone know if there are other packages in Guix that include a
>> bundled copy of NSS? If not, I guess this bug can be closed.
>
> Personally I don't know... I hope not. Let's wait a couple more days
> before closing.

It's been 15 weeks :-). Closing.

Maxim
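
The thread's open question, whether other packages bundle their own copy of NSS, can be checked by scanning unpacked source trees for NSS's version header. The script below is an added example, not code from this thread or from Guix; it assumes a bundled copy ships a file named nss.h containing a `#define NSS_VERSION "..."` line, and the function name `find_bundled_nss` is hypothetical.

```shell
#!/bin/sh
# find_bundled_nss DIR...
#
# Added example (not from the thread or from Guix). Lists vendored NSS
# copies found under each unpacked source tree, one per line:
#
#     <NSS_VERSION string> <TAB> <path to nss.h>
#
# Assumption: a bundled NSS ships its public header nss.h with a line of
# the form   #define NSS_VERSION "X.Y[.Z]" ...
# A file that merely shares the name nss.h (for example a name-service-
# switch header) has no such line and is not reported.
#
# The page does not name the fixed NSS release, so the script only
# reports what it finds; compare the versions against the upstream
# advisory for CVE-2021-43527.

find_bundled_nss() {
    for root in "$@"; do
        if [ ! -d "$root" ]; then
            printf 'skipping %s: not a directory\n' "$root" >&2
            continue
        fi
        # -exec ... {} + hands the file names over as arguments, so
        # paths containing spaces or newlines are handled correctly.
        find "$root" -type f -name nss.h -exec sh -c '
            for header in "$@"; do
                version=$(sed -n "s/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*NSS_VERSION[[:space:]][[:space:]]*\"\([^\"]*\)\".*/\1/p" "$header" | head -n 1)
                if [ -n "$version" ]; then
                    printf "%s\t%s\n" "$version" "$header"
                fi
            done' sh {} +
    done | sort
}

# Run against the directories given on the command line, if any.
[ "$#" -eq 0 ] || find_bundled_nss "$@"
```

Each reported path is a candidate for the same patch that the commits above apply to 'nss' and 'icecat'; an empty result means no tree matched the header assumption, not that no copy exists.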