Bug#697865: libnss3-1d: fix for DSA-2599 is incomplete

Jamie Strandboge jamie at ubuntu.com
Thu Jan 10 16:54:05 UTC 2013


Package: libnss3-1d
Version: 3.12.8-1+squeeze6
Severity: grave
Tags: security
Justification: user security hole



-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Versions of packages libnss3-1d depends on:
ii  libc6                   2.11.3-4         Embedded GNU C Library: Shared lib
ii  libnspr4-0d             4.8.6-1          NetScape Portable Runtime Library
ii  libsqlite3-0            3.7.3-1          SQLite 3 shared library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libnss3-1d recommends no packages.

libnss3-1d suggests no packages.

http://www.debian.org/security/2013/dsa-2599 updated squeeze by updating ckbi
(certdata.txt and certdata.c) to distrust the mis-issued TURKTRUST intermediate
CAs. In preparing updates for Ubuntu, I saw that while 'strings
/usr/lib/nss/libnssckbi.so' shows that the certificates were added to
libnssckbi.so (certutil will only show root certificates, so you can't verify
the inclusion of the intermediates with this tool; if there is another tool to
do this, please let me know :), nss does not actually blacklist them. If I
follow the instructions from the upstream bug [1] to verify the certs are
blacklisted, the cert chain is shown as good:

# Compile nss since we need access to vfychain and it isn't shipped in packages
$ sudo apt-get build-dep nss
$ sudo apt-get install libnss3-1d # needed at runtime for vfychain (make sure
                                  # it is 3.12.8-1+squeeze6)
$ apt-get source nss=3.12.8-1+squeeze6
$ cd nss-*/
$ fakeroot debian/rules build
$ mozilla/dist/bin/vfychain -u 1 /tmp/turktrust-google-1.der \
                                 /tmp/turktrust-google-2.der \
                                 /tmp/turktrust-google-3.der
Chain is good!
$ mozilla/dist/bin/vfychain -u 3 /tmp/turktrust-intermediate-2.der \
                                 /tmp/turktrust-google-3.der
Chain is good!

Both of these should show 'Chain is bad!'.

I can confirm that simply updating ckbi is not enough for nss 3.13.1 and
earlier. I did not check wheezy. I was able to confirm that if I recompile nspr
2:4.9.4-2 and nss 2:3.14.1.with.ckbi.1.93-1 on an Ubuntu 12.10 system, vfychain
would correctly blacklist them. As a result, I am considering upgrading nss and
nspr on all of Ubuntu's stable releases to the latest upstream versions (with
ckbi 1.93) to address this issue rather than trying to identify and cherry-pick
the commits to make blacklisting an intermediate work.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=825022#c8
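The report above notes that certutil only lists roots, so there is no packaged tool to confirm that a distrusted *intermediate* made it into ckbi. The script below is an added example (not part of the bug report and not NSS project code): it parses the certdata.txt source format that ckbi is generated from, decodes the MULTILINE_OCTAL blocks, and lists every CKO_NSS_TRUST object carrying CKT_NSS_NOT_TRUSTED, then matches a DER file against those entries by SHA-1. The certdata text it runs on is constructed inline from two placeholder DER blobs (not the real TURKTRUST entries); point `parse_certdata` at the real certdata.txt to inspect a package. Note the caveat this bug is about: an entry being present in ckbi only proves what the module ships, not that libnss enforces it, which is why the vfychain check is still the one that matters.

```python
"""List explicitly distrusted entries in an NSS certdata.txt (added example)."""
import hashlib
import re

OCTAL_RE = re.compile(r"\\([0-7]{3})")
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")


def parse_certdata(text):
    """Split certdata.txt into objects (dicts of CKA_* -> value).

    Each object starts at a CKA_CLASS line.  MULTILINE_OCTAL blocks (which
    run until a bare END line) are decoded to bytes; UTF8 values lose their
    quotes; everything else is kept as the raw third token.
    """
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        attr, atype = parts[0], parts[1]
        if atype == "MULTILINE_OCTAL":
            buf = bytearray()
            for body in lines:            # consumes the shared iterator up to END
                if body.strip() == "END":
                    break
                buf.extend(int(o, 8) for o in OCTAL_RE.findall(body))
            value = bytes(buf)
        elif atype == "UTF8":
            value = parts[2].strip('"')
        else:
            value = parts[2] if len(parts) == 3 else ""
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[attr] = value
    return objects


def distrusted_entries(text):
    """(label, sha1 hex, [usages marked CKT_NSS_NOT_TRUSTED]) for every
    trust object that is explicitly distrusted for at least one usage.
    Roots and intermediates look the same here, unlike `certutil -L`."""
    out = []
    for obj in parse_certdata(text):
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        bad = [a for a in TRUST_ATTRS if obj.get(a) == "CKT_NSS_NOT_TRUSTED"]
        if bad:
            out.append((obj.get("CKA_LABEL"),
                        obj.get("CKA_CERT_SHA1_HASH", b"").hex(), bad))
    return out


def is_distrusted(text, der):
    """True if the SHA-1 of a DER certificate matches a distrusted entry."""
    digest = hashlib.sha1(der).hexdigest()
    return any(digest == sha1 for _, sha1, _ in distrusted_entries(text))


def to_octal(data):
    """Encode bytes the way certdata.txt does: \\NNN per byte."""
    return "".join("\\%03o" % b for b in data)


# Constructed sample input: placeholder blobs standing in for DER certs.
# The SHA-1 values in the sample are derived from these blobs, as the real
# certdata.txt derives them from the real certificates.
FAKE_ROOT_DER = b"\x30\x82\x01\x00root-placeholder"
FAKE_INTERMEDIATE_DER = b"\x30\x82\x01\x00intermediate-placeholder"


def sample_certdata():
    """A minimal certdata.txt: one trusted root, one distrusted intermediate."""
    def cert(label, der):
        return (f'\n# Certificate "{label}"\nCKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE\n'
                f'CKA_TOKEN CK_BBOOL CK_TRUE\nCKA_LABEL UTF8 "{label}"\n'
                f'CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509\n'
                f'CKA_VALUE MULTILINE_OCTAL\n{to_octal(der)}\nEND\n')

    def trust(label, der, level):
        return (f'\n# Trust for "{label}"\nCKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n'
                f'CKA_TOKEN CK_BBOOL CK_TRUE\nCKA_LABEL UTF8 "{label}"\n'
                f'CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n'
                f'{to_octal(hashlib.sha1(der).digest())}\nEND\n'
                + "".join(f"{a} CK_TRUST {level}\n" for a in TRUST_ATTRS)
                + "CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE\n")

    return ("BEGINDATA\n"
            + cert("Example Root CA", FAKE_ROOT_DER)
            + trust("Example Root CA", FAKE_ROOT_DER, "CKT_NSS_TRUSTED_DELEGATOR")
            + cert("Example Mis-issued Intermediate", FAKE_INTERMEDIATE_DER)
            + trust("Example Mis-issued Intermediate", FAKE_INTERMEDIATE_DER,
                    "CKT_NSS_NOT_TRUSTED"))


if __name__ == "__main__":
    data = sample_certdata()
    for label, sha1, usages in distrusted_entries(data):
        print(f"{label}: sha1={sha1} not trusted for {', '.join(usages)}")
    print("intermediate distrusted:", is_distrusted(data, FAKE_INTERMEDIATE_DER))
```

To check a shipped package, run `parse_certdata(open("certdata.txt").read())` on the source in the nss package and `is_distrusted(...)` on the DER of the intermediate in question; a match shows the blacklist entry was built in, and only the vfychain run shows whether libnss honours it.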
