[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss
From: |
Mark H Weaver |
Subject: |
bug#52228: NSS CVE-2021-43527 "memory corruption validating dsa/rsa-pss signatures" |
Date: |
Thu, 02 Dec 2021 21:07:41 -0500 |
Hi Leo,
Leo Famulari <leo@famulari.name> writes:
> An attacker-controlled memory corruption vulnerability was discovered in
> NSS:
>
> https://bugs.chromium.org/p/project-zero/issues/detail?id=2237
Thanks for bringing this to our attention. I just pushed a new
'gnuzilla-updates' branch, which is 'master' plus two new commits:
--8<---------------cut here---------------start------------->8---
commit 0863c665ebc54046baac7db1fde1f1f0e24476d0
Author: Mark H Weaver <mhw@netris.org>
Date: Thu Dec 2 20:23:16 2021 -0500
UNTESTED: gnu: nss: Fix CVE-2021-43527 via graft.
* gnu/packages/patches/nss-CVE-2021-43527.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/nss.scm (nss/fixed): New variable
(nss)[replacement]: New field.
commit bc6afae2466017d1a19725a86e69e666249a1b71
Author: Mark H Weaver <mhw@netris.org>
Date: Thu Dec 2 20:14:05 2021 -0500
UNTESTED: gnu: icecat: Fix CVE-2021-43527.
* gnu/packages/patches/icecat-CVE-2021-43527.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat-source): Apply it.
--8<---------------cut here---------------end--------------->8---
As the summary lines indicate, I haven't yet tested these patches, apart
from verifying that the patched sources are built correctly.
If I'm not mistaken, ci.guix.gnu.org will soon evaluate the
'gnuzilla-updates' branch and perform the necessary rebuilds.
If all goes well, I'll cherry-pick these commits to 'master'.
If someone else verifies that the commits are good before I get to it,
please feel free to cherry-pick them to 'master' on my behalf (with the
"UNTESTED: " prefixes removed, of course).
Regards,
Mark
--
Disinformation flourishes because many people care deeply about injustice
but very few check the facts. Ask me about <https://stallmansupport.org>.