The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of NSPR: buffer overflow of sprintf

Synthesis of the vulnerability

An attacker can generate a buffer overflow of NSPR via sprintf(), in order to trigger a denial of service, and possibly to execute code.
Severity of this announcement: 3/4.
Creation date: 10/06/2014.
References of this computer vulnerability: CERTFR-2019-AVI-325, CVE-2014-1545, DSA-2962-1, FEDORA-2014-7279, FEDORA-2014-7310, JSA10939, MDVSA-2014:125, MDVSA-2015:059, MFSA 2014-55, openSUSE-SU-2014:0797-1, RHSA-2014:0917-01, RHSA-2014:1246-01, SUSE-SU-2014:0824-1, SUSE-SU-2014:0824-2, SUSE-SU-2014:0824-3, SUSE-SU-2014:0905-1, USN-2265-1, VIGILANCE-VUL-14869.

Description of the vulnerability

The NSPR (Netscape Portable Runtime) library is used to create multi-platform applications.

However, if the data to be formatted is larger than the fixed-size storage array it is written into, the sprintf() function overflows that array, because sprintf() has no knowledge of the destination size.

An attacker can therefore generate a buffer overflow of NSPR via sprintf(), in order to trigger a denial of service, and possibly to execute code.
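The condition described above, shown as an added illustration rather than NSPR's own code: a fixed 32-byte storage array (a constructed size) written with the unchecked sprintf() pattern in the comment, beside a hardened helper that bounds the write with vsnprintf() and refuses data that would not fit.

```c
#include <stdarg.h>
#include <stdio.h>

/* Constructed example: a 32-byte storage array standing in for the fixed buffer
 * the advisory describes. The real NSPR code is not reproduced here. */
#define STORAGE_SIZE 32

/* Unsafe pattern (do not use): sprintf() knows nothing about the destination
 * size, so output longer than STORAGE_SIZE - 1 characters runs past the array:
 *
 *     char storage[STORAGE_SIZE];
 *     sprintf(storage, "name=%s", untrusted);   // overflow when the data is too large
 */

/* Hardened pattern: format into a bounded buffer and treat truncation as an error.
 * vsnprintf() returns the length the full output would have had; when that is
 * >= dst_size the data did not fit and the caller must refuse it.
 * Returns the number of bytes written, or -1 if the result would not fit. */
static int format_checked(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (needed < 0 || (size_t)needed >= dst_size) {
        /* encoding error, or output would exceed the storage array:
         * refuse rather than truncate silently, and leave no partial data */
        if (dst_size) dst[0] = '\0';
        return -1;
    }
    return needed;
}

/* Mirrors the advisory's condition: succeeds only when the data fits the array.
 * Returns the formatted length on success, -1 when the data is too large. */
int store_name(const char *name)
{
    char storage[STORAGE_SIZE];
    return format_checked(storage, sizeof storage, "name=%s", name);
}

int main(void)
{
    printf("short: %d\n", store_name("alice"));                                     /* 10 */
    printf("long : %d\n", store_name("a-string-that-is-far-too-long-for-the-array")); /* -1 */
    return 0;
}
```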

This weakness announcement impacts software or systems such as Debian, Fedora, Juniper SBR, NSPR, openSUSE, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this vulnerability alert is important.

The trust level is: confirmed by the editor, with an origin of document.

An attacker with expert ability can exploit this computer threat.

Solutions for this threat

NSPR: version 4.10.6.
Version 4.10.6 is fixed:
  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR

Debian: new nspr packages.
New packages are available:
  Debian 7: nspr 2:4.9.2-1+deb7u2

Fedora: new nspr packages.
New packages are available:
  Fedora 19: nspr 4.10.6-1.fc19
  Fedora 20: nspr 4.10.6-1.fc20

Mandriva BS2: new nss packages.
New packages are available:
  Mandriva BS2: nspr 4.10.8-1.mbs2, nss 3.17.4-1.mbs2

Mandriva: new nspr packages.
New packages are available:
  Mandriva ES5: nspr 4.10.6-0.1mdvmes5.2, nss 3.16.1-0.1mdvmes5.2
  Mandriva BS1: nspr 4.10.6-1.mbs1, nss 3.16.1-1.mbs1

openSUSE 11.4: new Mozilla packages.
New packages are available:
  openSUSE 11.4: MozillaFirefox 24.6.0-115.1, MozillaThunderbird 24.6.0-97.1, nspr 4.10.6-44.1

RHEL 5: new nss packages.
New packages are available:
  RHEL 5: nss 3.16.1-2.el5

RHEL 6.5: new nss packages.
New packages are available:
  RHEL 6: nspr 4.10.6-1.el6_5, nss 3.16.1-4.el6_5

Steel Belted Radius Carrier Edition: versions 8.4R14 and 8.5R5.
Versions 8.4R14 and 8.5R5 are fixed.

SUSE LE: new Mozilla packages.
New packages are available:
  SUSE LE 10: MozillaFirefox 24.6.0esr-0.5.2, mozilla-nspr 4.10.6-0.5.1, mozilla-nss 3.16.1-0.5.1
  SUSE LE 11: MozillaFirefox 24.6.0esr-0.8.1, mozilla-nspr 4.10.6-0.3.1, mozilla-nss 3.16.1-0.8.1

Ubuntu: new libnspr4 packages.
New packages are available:
  Ubuntu 14.04 LTS: libnspr4 2:4.10.2-1ubuntu1.1
  Ubuntu 13.10: libnspr4 2:4.9.5-1ubuntu1.2
  Ubuntu 12.04 LTS: libnspr4 4.9.5-0ubuntu0.12.04.3
  Ubuntu 10.04 LTS: libnspr4-0d 4.9.5-0ubuntu0.10.04.3

Computer vulnerabilities tracking service

Vigil@nce provides network vulnerability notes. The Vigil@nce vulnerability database contains several thousand vulnerabilities.