CVE-2014-1569

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2014-1569

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2014-1569.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2014-1569

Related

Published

2014-12-15T18:59:00Z

Modified

2024-09-11T02:00:05Z

Summary

[none]

Details

The definitelengthdecoder function in lib/util/quickder.c in Mozilla Network Security Services (NSS) before 3.16.2.4 and 3.17.x before 3.17.3 does not ensure that the DER encoding of an ASN.1 length is properly formed, which allows remote attackers to conduct data-smuggling attacks by using a long byte sequence for an encoding, as demonstrated by the SEC_QuickDERDecodeItem function's improper handling of an arbitrary-length encoding of 0x00.

References

Affected packages

Debian:11 / nss

Package

Name: nss
Purl: pkg:deb/debian/nss?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:3.17.2-1.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / nss

Package

Name: nss
Purl: pkg:deb/debian/nss?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:3.17.2-1.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / nss

Package

Name: nss
Purl: pkg:deb/debian/nss?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2:3.17.2-1.1

Ecosystem specific

{
    "urgency": "not yet assigned"
}