oss-sec mailing list archives

nss RSA forgery (CVE-2014-1568)


From: Hanno Böck <hanno () hboeck de>
Date: Thu, 25 Sep 2014 00:03:21 +0200

One serious vuln per day isn't enough, so nss decided to bring us
another one.

Mozilla reports this:
https://www.mozilla.org/security/announce/2014/mfsa2014-73.html
Bugtracker entry still private, so hard to judge the details.
Interesting: Two independent discoveries (we had the same with
Heartbleed and I couldn't believe this was coincidence).

This is what McAfee has to say:
http://blogs.mcafee.com/executive-perspectives/need-know-berserk-mozilla

They say it's related to BER/ASN.1 parsing, but Adam Langley disagrees:
https://twitter.com/agl__/status/514881918110683136


And it seems CyaSSL had something similar, also found by Intel:
http://www.yassl.com/yaSSL/Blog/Entries/2014/9/12_CyaSSL_3.2.0_Released.html

No real details yet and information seems confusing.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
