Candidate: CVE-2017-11698
PublicDate: 2017-12-27 19:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11698
 http://seclists.org/fulldisclosure/2017/Aug/17
Description:
 Heap-based buffer overflow in the __get_page function in
 lib/dbm/src/h_page.c in Mozilla Network Security Services (NSS) allows
 context-dependent attackers to have unspecified impact using a crafted
 cert8.db file.
Ubuntu-Description:
Notes:
 mdeslaur> Upstream NSS will not be fixing this issue.
 mdeslaur> this is an issue in libnssdbm. NSS 3.35 made SQLite the default
 mdeslaur> datastore. NSS 3.49 stopped building the legacy datastore.
Bugs:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1360779 (private)
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873259
 https://bugzilla.redhat.com/show_bug.cgi?id=1487130
Priority: negligible
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_nss:
upstream_nss: needs-triage
precise/esm_nss: ignored (end of ESM support, was deferred)
trusty_nss: ignored (reached end-of-life)
trusty/esm_nss: deferred
vivid/ubuntu-core_nss: DNE
xenial_nss: ignored (end of standard support, was deferred)
esm-infra/xenial_nss: deferred
zesty_nss: ignored (reached end-of-life)
artful_nss: ignored (reached end-of-life)
bionic_nss: deferred
cosmic_nss: ignored (reached end-of-life)
disco_nss: ignored (reached end-of-life)
eoan_nss: ignored (reached end-of-life)
focal_nss: not-affected (2:3.49.1-1ubuntu1)
groovy_nss: not-affected (2:3.49.1-1ubuntu1)
hirsute_nss: not-affected (2:3.49.1-1ubuntu1)
impish_nss: not-affected (2:3.49.1-1ubuntu1)
jammy_nss: not-affected (2:3.49.1-1ubuntu1)
devel_nss: not-affected (2:3.49.1-1ubuntu1)