Bug#697865: libnss3-1d: fix for DSA-2599 is incomplete
jamie at ubuntu.com
Thu Jan 10 16:54:05 UTC 2013
Justification: user security hole
-- System Information:
Debian Release: 6.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Versions of packages libnss3-1d depends on:
ii libc6 2.11.3-4 Embedded GNU C Library: Shared lib
ii libnspr4-0d 4.8.6-1 NetScape Portable Runtime Library
ii libsqlite3-0 3.7.3-1 SQLite 3 shared library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
libnss3-1d recommends no packages.
libnss3-1d suggests no packages.
http://www.debian.org/security/2013/dsa-2599 updated squeeze by updating ckbi
(certdata.txt and certdata.c) to distrust the mis-issued TURKTRUST intermediate
CAs. In preparing updates for Ubuntu, I saw that while 'strings
/usr/lib/nss/libnssckbi.so' shows that the certificates were added to
libnssckbi.so (certutil will only show root certificates, so you can't verify
the inclusion of the intermediates with this tool; if there is another tool to
do this, please let me know :), nss does not actually blacklist them. If I
follow the instructions from the upstream bug to verify that the certs are
blacklisted, the cert chains are shown as good:
# Compile nss since we need access to vfychain and it isn't shipped in packages
$ sudo apt-get build-dep nss
$ sudo apt-get install libnss3-1d # needed at runtime for vfychain (make sure
# it is 3.12.8-1+squeeze6)
$ apt-get source nss=3.12.8-1+squeeze6
$ cd nss-*/
$ fakeroot debian/rules build
$ mozilla/dist/bin/vfychain -u 1 /tmp/turktrust-google-1.der \
Chain is good!
$ mozilla/dist/bin/vfychain -u 3 /tmp/turktrust-intermediate-2.der \
Chain is good!
Both of these should show 'Chain is bad!'.
I can confirm that simply updating ckbi is not enough for nss 3.13.1 and
earlier. I did not check wheezy. I was able to confirm that if I recompile nspr
2:4.9.4-2 and nss 2:3.14.1.with.ckbi.1.93-1 on an Ubuntu 12.10 system, vfychain
would correctly blacklist them. As a result, I am considering upgrading nss and
nspr on all of Ubuntu's stable releases to the latest upstream versions (with
ckbi 1.93) to address this issue rather than trying to identify and cherry-pick
the commits to make blacklisting an intermediate work.
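The failure mode reported above, as an added illustration that is not part of the bug report and not NSS code: a path validator that consults the built-in trust store only for the chain's anchor will accept a chain whose intermediate is listed as distrusted, while a validator that checks every certificate in the chain rejects it. Certificates, their "DER" bytes and the trust store below are constructed stand-ins; signatures and validity periods are not modelled, and the "distrusted" flag is an assumed simplification of an NSS not-trusted entry.

```python
"""Model of a distrusted intermediate slipping past a root-only trust check.

Constructed example: Cert objects stand in for X.509 certificates and the
'der' field is a placeholder for the DER encoding. Trust entries are keyed by
SHA-256 of the DER, the way a built-in trust store keys its entries. No
signature checking is performed; only chain building and trust evaluation.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed placeholder, not a real DER encoding

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


# Constructed sample chain: leaf <- intermediate <- self-signed root.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", b"constructed-root-der")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA",
                    b"constructed-intermediate-der")
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA",
            b"constructed-leaf-der")

TRUSTED_ROOT = "trusted"
DISTRUSTED = "distrusted"

# Trust store after a ckbi-style update: the root stays trusted and the
# mis-issued intermediate is listed with an explicit distrust entry.
TRUST_DB = {
    ROOT.fingerprint(): TRUSTED_ROOT,
    INTERMEDIATE.fingerprint(): DISTRUSTED,
}


def build_chain(leaf, pool):
    """Walk issuer links from the leaf until a self-signed certificate."""
    by_subject = {c.subject: c for c in pool}
    chain = [leaf]
    while chain[-1].subject != chain[-1].issuer:
        issuer = by_subject.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError("incomplete chain: no issuer for " + chain[-1].subject)
        if issuer in chain:
            raise ValueError("issuer loop at " + issuer.subject)
        chain.append(issuer)
    return chain


def verify_root_only(leaf, pool, trust_db=TRUST_DB):
    """Only the anchor is looked up: a distrusted intermediate is never seen."""
    chain = build_chain(leaf, pool)
    return trust_db.get(chain[-1].fingerprint()) == TRUSTED_ROOT


def verify_every_cert(leaf, pool, trust_db=TRUST_DB):
    """Every certificate in the chain is checked for a distrust entry first."""
    chain = build_chain(leaf, pool)
    for cert in chain:
        if trust_db.get(cert.fingerprint()) == DISTRUSTED:
            return False
    return trust_db.get(chain[-1].fingerprint()) == TRUSTED_ROOT


def verdict(ok):
    return "Chain is good!" if ok else "Chain is bad!"


if __name__ == "__main__":
    pool = [ROOT, INTERMEDIATE]
    print("root-only check:  ", verdict(verify_root_only(LEAF, pool)))
    print("every-cert check: ", verdict(verify_every_cert(LEAF, pool)))
```

The point of the two functions is where the lookup happens, not the lookup itself: adding a distrust entry to the store changes nothing unless the validator looks up each certificate it walks through, which is why an updated ckbi alone leaves the chain reported as good.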