Buffer overflow in nspr (Alpine package)

1) Buffer overflow

EUVDB-ID: #VU33644

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-7183

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Integer overflow in the PL_ARENA_ALLOCATE implementation in Netscape Portable Runtime (NSPR) in Mozilla Network Security Services (NSS) before 3.19.2.1 and 3.20.x before 3.20.1, as used in Firefox before 42.0 and Firefox ESR 38.x before 38.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors.

Mitigation

Install update from vendor's website.

Vulnerable software versions

nspr (Alpine package): 4.10.6-r0 - 4.10.8-r0

CPE2.3

• cpe:2.3:o:alpine:nspr_alpine_package:4.10.6-r0:*:*:*:*:alpine_linux:*:2.6
• cpe:2.3:o:alpine:nspr_alpine_package:4.10.6-r1:*:*:*:*:alpine_linux:*:2.7
• cpe:2.3:o:alpine:nspr_alpine_package:4.10.7-r0:*:*:*:*:alpine_linux:*:3.1

External links

https://git.alpinelinux.org/aports/commit/?id=9ac33818d81877a371c90f9e93d3ebc162fffd6f
https://git.alpinelinux.org/aports/commit/?id=ade89daaa06e20736c57d7cdaa74338ab93ff0d8
https://git.alpinelinux.org/aports/commit/?id=7df429e6fc6fd00eced7c89389178a5092fcceb8
https://git.alpinelinux.org/aports/commit/?id=69fb0e1f20c39292fcd4d5bad5085a96e33cb6c3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.