The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of NSPR: buffer overflow via GrowStuff

Synthesis of the vulnerability

An attacker can generate a buffer overflow in GrowStuff of NSPR, in order to trigger a denial of service, and possibly to run code.
Severity of this computer vulnerability: 2/4.
Creation date: 13/06/2016.
References for this announcement: 1174015, CERTFR-2019-AVI-325, CVE-2016-1951, DLA-513-1, DSA-3687-1, JSA10939, USN-3023-1, USN-3028-1, VIGILANCE-VUL-19876.

Description of the vulnerability

The NSPR library provides functions for memory management.

The routine GrowStuff reallocates a buffer. However, on 32-bit platforms, an arithmetic overflow may occur when the new size is computed, which leads to a buffer overflow because the size actually allocated is too small for the data that is then written into it.

An attacker can therefore generate a buffer overflow in GrowStuff of NSPR, in order to trigger a denial of service, and possibly to run code.
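The size-computation failure described above, illustrated with an added example that is not NSPR's code: a hypothetical growable buffer whose sizes are 32-bit (uint32_t models a 32-bit platform on any host), with an unchecked growth computation that wraps beside a checked one that refuses to grow and an append routine that uses the checked form. The buffer layout and the minimum growth step are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer (assumption, not NSPR's structure);
 * uint32_t sizes reproduce 32-bit wrap-around on any host. */
typedef struct {
    char *base;
    uint32_t len;     /* bytes in use */
    uint32_t maxlen;  /* bytes allocated */
} buf_t;

#define MIN_GROW 32u  /* minimum growth step, an illustrative constant */

/* Unchecked size computation: on a 32-bit platform the addition can
 * wrap, so the caller reallocates a buffer far smaller than needed. */
uint32_t grow_size_unchecked(uint32_t maxlen, uint32_t need)
{
    uint32_t step = need > MIN_GROW ? need : MIN_GROW;
    return maxlen + step;          /* wraps modulo 2^32 */
}

/* Checked variant: reports failure when the new size would not fit. */
int grow_size_checked(uint32_t maxlen, uint32_t need, uint32_t *out)
{
    uint32_t step = need > MIN_GROW ? need : MIN_GROW;
    if (step > UINT32_MAX - maxlen)
        return 0;                   /* would overflow: refuse to grow */
    *out = maxlen + step;
    return 1;
}

/* Append using the checked growth; returns 0 and leaves the buffer
 * untouched on overflow or allocation failure instead of writing
 * past the end of an undersized block. */
int buf_append(buf_t *b, const char *src, uint32_t n)
{
    if (n > b->maxlen - b->len) {
        uint32_t newlen;
        uint32_t shortfall = n - (b->maxlen - b->len);
        if (!grow_size_checked(b->maxlen, shortfall, &newlen))
            return 0;
        char *p = realloc(b->base, newlen);
        if (!p)
            return 0;
        b->base = p;
        b->maxlen = newlen;
    }
    memcpy(b->base + b->len, src, n);
    b->len += n;
    return 1;
}
```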
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer threat impacts software or systems such as Debian, Juniper SBR, NSPR, Ubuntu.

Our Vigil@nce team determined that the severity of this computer vulnerability alert is medium.

The trust level is: confirmed by the editor, with an origin of: internet server.

An attacker with an expert ability can exploit this cybersecurity weakness.

Solutions for this threat

NSPR: version 4.12.
The version 4.12 is fixed:
  https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.12/src/

Debian 8: new nspr packages.
New packages are available:
  Debian 8: nspr 2:4.12-1+debu8u1

Debian: new nspr packages.
New packages are available:
  Debian 7: nspr 2:4.9.2-1+deb7u4

Steel Belted Radius Carrier Edition: versions 8.4R14 and 8.5R5.
Versions 8.4R14 and 8.5R5 are fixed.

Ubuntu: new libnspr4 packages.
New packages are available:
  Ubuntu 16.04 LTS: libnspr4 2:4.12-0ubuntu0.16.04.1
  Ubuntu 15.10: libnspr4 2:4.12-0ubuntu0.15.10.1
  Ubuntu 14.04 LTS: libnspr4 2:4.12-0ubuntu0.14.04.1
  Ubuntu 12.04 LTS: libnspr4 4.12-0ubuntu0.12.04.1

Ubuntu: new thunderbird packages.
New packages are available:
  Ubuntu 16.04 LTS: thunderbird 1:45.2.0+build1-0ubuntu0.16.04.1
  Ubuntu 15.10: thunderbird 1:45.2.0+build1-0ubuntu0.15.10.1
  Ubuntu 14.04 LTS: thunderbird 1:45.2.0+build1-0ubuntu0.14.04.3
  Ubuntu 12.04 LTS: thunderbird 1:45.2.0+build1-0ubuntu0.12.04.1

Computer vulnerabilities tracking service

Vigil@nce provides workarounds for network vulnerabilities. The Vigil@nce vulnerability database contains several thousand vulnerabilities.