Hi Charles,

It looks like all of these are in the legacy Berkeley DB. In NSS 3.12
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.12_release_notes.html>
(2008) we began shipping a newer database implementation based on SQLite,
and made it the default in NSS 3.35
<https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes>
in 2018.

I'm afraid these hadn't risen to my attention, but the legacy DB is
unmaintained and will be removed in the future when all migrations are
completed. I believe final removal would be end of 2020, corresponding to
retirement of RHEL6, but I would need to double-check that with my
colleagues at Red Hat. This does remind me that we should stop building DBM
by default soon, as January will mark two years since we changed the
default to SQLite.

I've opened bug 1594931
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594931> to disable building
DBM entirely for Firefox builds, which I believe we can do at any time.
I've also opened bug 1594933
<https://bugzilla.mozilla.org/show_bug.cgi?id=1594933> to disable building
DBM by default in future versions of NSS, leaving it to maintainers to
handle exceptions for now.

J.C.


On Thu, Nov 7, 2019 at 3:16 PM Charles Robertson <cgrobert...@suse.com>
wrote:

> Hi,
>
> What is the status of the following CVEs on NSS? I've searched through all
> your MFSAs and did not find these.
>
> CVE-2017-11695: heap-buffer-overflow (write of size 8) in alloc_segs
> (lib/dbm/src/hash.c:1105)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1360782
>
> CVE-2017-11696: heap-buffer-overflow (write of size 65544) in __hash_open
> (lib/dbm/src/hash.c:241)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1360778
>
> CVE-2017-11697: Floating Point Exception in __hash_open (hash.c:229)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1360900
>
> CVE-2017-11698: heap-buffer-overflow (write of size 2) in __get_page
> (lib/dbm/src/h_page.c:704)
> https://bugzilla.mozilla.org/show_bug.cgi?id=1360779
>
> Are they ever going to be fixed?
>
> Charles Robertson
> Firefox Maintainer
> SUSE LLC
>
> _______________________________________________
> dev-security mailing list
> dev-security@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security
>