CVE-2017-11698

NameCVE-2017-11698
DescriptionHeap-based buffer overflow in the __get_page function in lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows context-dependent attackers to have unspecified impact using a crafted cert8.db file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs873259

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nss (PTS)jessie, jessie (lts)2:3.26-1+debu8u19vulnerable
stretch (security)2:3.26.2-1.1+deb9u5vulnerable
stretch (lts), stretch2:3.26.2-1.1+deb9u8vulnerable
buster, buster (lts)2:3.42.1-1+deb10u9vulnerable
buster (security)2:3.42.1-1+deb10u8vulnerable
bullseye2:3.61-1+deb11u3vulnerable
bullseye (security)2:3.61-1+deb11u4vulnerable
bookworm2:3.87.1-1vulnerable
bookworm (security)2:3.87.1-1+deb12u1vulnerable
sid, trixie2:3.106-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nsssource(unstable)(unfixed)unimportant873259

Notes

Issues triggered by crafted DBM databases, which would
require local user access to a machine running NSS and
crafting the local DBM files.
http://seclists.org/fulldisclosure/2017/Aug/17
https://bugzilla.mozilla.org/show_bug.cgi?id=1360779

Search for package or bug name: Reporting problems