IBigSig, ubuthathaka kwiMozilla NSS enokuvumela ukwenziwa kwekhowudi

Darkcrizt

Imizuzu ye4

Iindaba malunga ukuchonga ubuthathaka obubalulekileyo (sele zidweliswe phantsi kwe-CVE-2021-43527) en iseti yeelayibrari ezifihlakeleyo NSS (Iinkonzo zokhuseleko lwenethiwekhi) ukusuka kwiMozilla enokukhokelela ekwenziweni kwekhowudi ekhohlakeleyo xa kusetyenzwa i-DSA okanye i-RSA-PSS yotyikityo lwedijithali olukhankanyiweyo kusetyenziswa i-DER (iMithetho eFakelwe iiKhowudi).

Ingxaki izibonakalisa kwizicelo ezisebenzisa i-NSS ukuphatha imisayino yedijithali CMS, S / MIME, PKCS # 7 kunye ne-PKCS # 12, okanye xa uqinisekisa izatifikethi ekuhanjisweni TLS, X.509, OCSP kunye neCRL. Ubuthathaka bunokuvela kwiinkqubo ezahlukeneyo zabaxhasi kunye neseva ezine-TLS, i-DTLS, kunye nenkxaso ye-S/MIME, abathengi be-imeyile, kunye nababukeli be-PDF abasebenzisa i-NSS CERT_VerifyCertificate () umnxeba wokuqinisekisa utyikityo lwedijithali.

I-LibreOffice, i-Evolution kunye ne-Evince zikhankanywe njengemizekelo yezicelo ezisengozini. Ngokunokwenzeka, ingxaki inokuchaphazela iiprojekthi ezinje ngePidgin, Apache OpenOffice, Suricata, Curl, phakathi kwabanye.

Kwangelo xesha ukuba sesichengeni akubonakali kwiFirefox, Thunderbird kunye neTor Browser, esebenzisa imozilla eyahlukileyo :: ilayibrari ye-pkix yokuqinisekisa, ekwayinxalenye ye-NSS. I Iibhrawuza ezisekwe kwiChrome (ngaphandle kokuba badityaniswe ngokuthe ngqo ne-NSS), eyayisebenzisa i-NSS kude kube ngu-2015, kodwa emva koko idluliselwe kwi-BoringSSL, abachatshazelwa yingxaki.

Ukuba sesichengeni kungenxa yegciwane kwikhowudi yokuqinisekisa yesatifikethi kwi vfy_CreateContext umsebenzi wefayile ye secvfy.c. Impazamo izibonakalisa zombini xa umxhasi efunda isatifikethi kumncedisi njengaxa umncedisi eqhuba izatifikethi zomxhasi.

Xa kungqinwa i-DER-encoded digital signature, NSS decodes signature into fixed-size buffer kwaye igqithise le buffer kwimodyuli yePKCS # 11. Ngexesha lokwenziwa komsebenzi, kwi-DSA kunye ne-RSA-PSS signatures, ubungakanani bungqinwe ngokungachanekanga, ngenxa yoko. apho kukhokelela ekuphuphumeni kwesikhuseli esinikezelweyo seVFYContextStr isakhiwo, ukuba ubungakanani botyikityo lwedijithali budlula iibhithi ezingama-16384 (iibhayithi ezingama-2048 zabelwe isithinteli, kodwa akuqinisekwanga ukuba utyikityo lunokuba lukhulu).

Ikhowudi equlathe ukuba sesichengeni iqale ngo-2003, kodwa ayizange ibe yingozi de i-refactoring ngo-2012. Ngo-2017, impazamo efanayo yenziwa xa kuphunyezwa inkxaso ye-RSA-PSS. Ukuqhuba uhlaselo, isizukulwana esinamandla sobutyebi bezitshixo ezithile akufuneki ukuba sifumane idatha efunekayo, ekubeni ukugqithisa kwenzeka kwinqanaba ngaphambi kokuqinisekiswa kokuqinisekiswa kwesignesha yedijithali. Inxalenye engaphandle kwemida yedatha ibhalwe kwindawo yememori equlethe izikhombisi zemisebenzi, okwenza kube lula ukudala ukuxhaphaza okusebenzayo.

Ukuba sesichengeni kwachongwa ngabaphandi beProjekthi kaGoogle yeZero ngexesha lovavanyo ngeendlela ezintsha zovavanyo lwe-fuzzing kwaye lumboniso olungileyo wendlela ubuthathaka obungenamsebenzi obunokuthi bungabonakali ixesha elide kwiprojekthi eyaziwayo evavanywe ngokubanzi.

Ngokuphathelele iingxaki eziphambili apho ingxaki ingazange ibonwe ixesha elide:

  • Ithala leencwadi le-NSS kunye novavanyo lwe-fuzzing aluzange lwenziwe lulonke, kodwa kwinqanaba lecandelo lomntu ngamnye.
  • Umzekelo, ikhowudi yokuchaza i-DER kunye nezatifikethi zenkqubo ziqinisekisiwe ngokwahlukeneyo; Ngethuba le-fuzzing, isatifikethi sinokufunyanwa kakuhle, ekhokelela ekubonakalisweni kobuthathaka obuchaphazelekayo, kodwa ukuqinisekiswa kwayo akuzange kufike kwikhowudi yokuqinisekisa kwaye ingxaki ayizange ibonakaliswe.
  • Ngexesha leemvavanyo eziphazamisayo, imida engqongqo yayimiselwe kubungakanani bemveliso (10,000 bytes) ngokungabikho kwemida elolo hlobo kwi-NSS (izakhiwo ezininzi ezikwimowudi eqhelekileyo zinokuba nkulu kune-10,000 bytes, ke ngoko, ukuchonga iingxaki, idatha yegalelo engaphezulu iyafuneka. ). Ukuqinisekisa ngokupheleleyo, umda kufuneka ube yi-2 24 -1 bytes (16 MB), ehambelana nobukhulu besatifikethi esivunyelwe kwi-TLS.
  • Umbono ongeyiyo malunga nokufakwa kwekhowudi ngovavanyo oluphangaleleyo. Ikhowudi esengozini yavavanywa ngokusebenzayo, kodwa isebenzisa i-fuzers, engakwazi ukuvelisa idatha efunekayo yokufaka. Umzekelo, i-fuzzer tls_server_target isebenzise iseti esele ichaziwe yezatifikethi ezingaphandle kwebhokisi, ezithintele ukuqinisekiswa kwekhowudi yokuqinisekisa yesatifikethi kwimiyalezo ye-TLS kuphela kunye notshintsho lwemeko yeprotocol.

Ekugqibeleni, Kufanelekile ukukhankanya ukuba ingxaki ye-codename BigSig ilungiswe kwi-NSS 3.73 kunye ne-NSS ESR 3.68.1 kunye nohlaziyo lwesisombululo kwifom yephakheji sele ikhutshwe kwizabelo ezahlukeneyo: i-Debian, i-RHEL, Ubuntu, i-SUSE, i-Arch Linux, i-Gentoo, i-FreeBSD, njl.

Ukuba ufuna ukwazi ngakumbi ngayo, unokuthetha eli khonkco lilandelayo.


Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Inoxanduva lwedatha: I-AB Internet Networks 2008 SL
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.