FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nss -- Use-after-free in TLS 1.2 generating handshake hashes

Affected packages
3.32 <= linux-c6-nss < 3.32.1
3.28 <= linux-c6-nss < 3.28.6
3.32 <= linux-c7-nss < 3.32.1
3.28 <= linux-c7-nss < 3.28.6
3.32 <= nss < 3.32.1
3.28 <= nss < 3.28.6

Details

VuXML ID e71fd9d3-af47-11e7-a633-009c02a2ab30
Discovery 2017-08-04
Entry 2017-10-12

Mozilla reports:

During TLS 1.2 exchanges, handshake hashes are generated which point to a message buffer. This saved data is used for later messages but in some cases, the handshake transcript can exceed the space available in the current buffer, causing the allocation of a new buffer. This leaves a pointer pointing to the old, freed buffer, resulting in a use-after-free when handshake hashes are then calculated afterwards. This can result in a potentially exploitable crash.

References

CVE Name CVE-2017-7805
URL https://hg.mozilla.org/projects/nss/rev/2d7b65b72290
URL https://hg.mozilla.org/projects/nss/rev/d3865e2957d0
URL https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805