oss-sec mailing list archives
Re: nss RSA forgery (CVE-2014-1568)
From: Nick Semenkovich <nick () semenkovich com>
Date: Wed, 24 Sep 2014 17:59:21 -0500
The commits are available in the Mercurial repo:

https://hg.mozilla.org/projects/nss/rev/fb7208e91ae8
https://hg.mozilla.org/projects/nss/rev/ad411fb64046
https://hg.mozilla.org/projects/nss/rev/4e90910ad2f9

Offhand, it looks like an issue with the encoding of DigestInfo.

On Wed, Sep 24, 2014 at 5:03 PM, Hanno Böck <hanno () hboeck de> wrote:
> One serious vuln per day isn't enough, so NSS decided to bring us another one.
> Mozilla reports this:
> https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
>
> Bugtracker entry still private, so hard to judge the details.
>
> Interesting: two independent discoveries (we had the same with Heartbleed
> and I couldn't believe this was coincidence).
>
> This is what McAfee has to say:
> http://blogs.mcafee.com/executive-perspectives/need-know-berserk-mozilla
>
> They say it's related to BER/ASN.1 parsing, but Adam Langley disagrees:
> https://twitter.com/agl__/status/514881918110683136
>
> And it seems CyaSSL had something similar, also found by Intel:
> http://www.yassl.com/yaSSL/Blog/Entries/2014/9/12_CyaSSL_3.2.0_Released.html
>
> No real details yet and information seems confusing.
>
> --
> Hanno Böck
> http://hboeck.de/
> mail/jabber: hanno () hboeck de
> GPG: BBB51E42
--
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/
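Nick's remark that the fix concerns the encoding of DigestInfo, and the McAfee/Langley disagreement over whether BER/ASN.1 parsing is the root, both come down to how a verifier treats the DigestInfo inside a PKCS#1 v1.5 signature. The following is an added example, not code from this thread or from NSS, and it does not reproduce the NSS bug. It implements RSASSA-PKCS1-v1_5 with the RFC 8017 section 8.2.2 "encode, then compare" verifier, which accepts exactly one byte string for a given message and key and parses nothing, and shows that an alternative BER encoding of the same DigestInfo (long-form length for the OCTET STRING) is rejected even when it was produced with the private key. The key size, seed, sample message and the toy key generation are this example's own choices; the deterministic seed is for reproducibility only and is not fit for real keys.

```python
"""Strict RSASSA-PKCS1-v1_5 verification by recomputing EM and comparing bytes.
Added example; key size, seed and message are constructed here, not from NSS."""
import hashlib
import hmac
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017 section 9.2, note 1):
# SEQUENCE { SEQUENCE { OID 2.16.840.1.101.3.4.2.1, NULL }, OCTET STRING (32 bytes) }
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with a small-prime pre-filter (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits=1024, seed=2014):
    """Toy RSA key generation. Seeded so the demo is reproducible; a real key
    must never be derived from a fixed seed."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e and n.bit_length() == bits:
            return n, e, pow(e, -1, phi)


def emsa_pkcs1_v15_encode(message, k):
    """EM = 0x00 || 0x01 || PS (0xFF bytes, >= 8) || 0x00 || T (RFC 8017 9.2)."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _rsa(value, exp, n):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(value, "big"), exp, n).to_bytes(k, "big")


def sign(message, n, d):
    return _rsa(emsa_pkcs1_v15_encode(message, (n.bit_length() + 7) // 8), d, n)


def verify_strict(message, signature, n, e):
    """RFC 8017 8.2.2: recompute EM' from the message and require EM == EM'.
    Padding, DigestInfo and hash are never parsed, so no alternative
    encoding of any of them can verify."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    return hmac.compare_digest(_rsa(signature, e, n), emsa_pkcs1_v15_encode(message, k))


def demo():
    n, e, d = keygen()
    k = (n.bit_length() + 7) // 8
    msg = b"constructed sample message"          # constructed input
    good = sign(msg, n, d)
    # Same digest, but the OCTET STRING length in long form (0x81 0x20) and the
    # outer SEQUENCE length adjusted to 0x32: valid BER, not DER. Signed with the
    # private key to show the verifier rejects it on encoding alone.
    digest = hashlib.sha256(msg).digest()
    t_ber = bytes.fromhex("3032300d0609608648016503040201050004") + b"\x81\x20" + digest
    em_ber = b"\x00\x01" + b"\xff" * (k - len(t_ber) - 3) + b"\x00" + t_ber
    return {
        "genuine": verify_strict(msg, good, n, e),
        "tampered_message": verify_strict(msg + b"!", good, n, e),
        "noncanonical_digestinfo": verify_strict(msg, _rsa(em_ber, d, n), n, e),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the verifier never decodes the padding or the ASN.1: it has the message and the public key, so it can compute the one legal EM itself and compare in constant time. A verifier that instead strips the padding and then parses the DigestInfo with a general BER decoder has to get every length, tag and trailing-byte check right, and the thread is about what happens when it does not.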
Current thread:
- nss RSA forgery (CVE-2014-1568) Hanno Böck (Sep 24)
- Re: nss RSA forgery (CVE-2014-1568) Marcus Meissner (Sep 24)
- Re: nss RSA forgery (CVE-2014-1568) Yves-Alexis Perez (Sep 25)
- Re: nss RSA forgery (CVE-2014-1568) Nick Semenkovich (Sep 24)
- Re: nss RSA forgery (CVE-2014-1568) Hanno Böck (Sep 25)
- Re: nss RSA forgery (CVE-2014-1568) Hanno Böck (Sep 25)
- Re: nss RSA forgery (CVE-2014-1568) Marcus Meissner (Sep 24)