ArchLinux: 201511-3: nss: arbitrary code execution
Summary
Several issues existed within the ASN.1 decoder used by NSS for handling streaming BER data. While the majority of NSS uses a separate, unaffected DER decoder, several public routines also accept BER data and are therefore affected. An attacker who successfully exploits these issues can overflow the heap and may be able to obtain remote code execution.
Resolution
Upgrade to 3.20.1-1.
# pacman -Syu "nss>=3.20.1-1"
The problem has been fixed upstream in version 3.20.1.
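The resolution above amounts to one check on each host: is the installed nss package older than 3.20.1-1? The following is an added example (not part of the Arch advisory or of pacman) that parses the one-line output of `pacman -Q nss` and decides that with a simplified reimplementation of pacman's vercmp ordering (epoch, then pkgver, then pkgrel). The sample `pacman -Q` line is constructed, not taken from a real host; only the fixed version and the CVE identifiers come from the advisory.

```python
"""Decide whether an installed Arch package is still below an advisory's fixed version.

Added example, not Arch or pacman code. The version ordering is a simplified
reimplementation of pacman's vercmp (epoch:pkgver-pkgrel, rpmvercmp-style segments).
"""
import re

FIXED_VERSION = "3.20.1-1"                            # from the advisory
ADVISORY_CVES = ("CVE-2015-7181", "CVE-2015-7182")    # from the advisory references

# Constructed sample of `pacman -Q nss` output on an unpatched host (not real data).
SAMPLE_PACMAN_Q = "nss 3.20-2\n"


def parse_version(version):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel); epoch and pkgrel are optional."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, _, pkgrel = version.partition("-")
    return epoch, pkgver, pkgrel or "0"


def tokenize(segment):
    """Break a version segment into runs of digits and runs of letters; separators are dropped."""
    return re.findall(r"\d+|[A-Za-z]+", segment)


def compare_segment(a, b):
    """rpmvercmp-style ordering of two segments: -1 if a < b, 0 if equal, 1 if a > b."""
    ta, tb = tokenize(a), tokenize(b)
    for x, y in zip(ta, tb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x_num != y_num:
            # A numeric token sorts after an alphabetic one (rpmvercmp rule).
            return 1 if x_num else -1
        elif x != y:
            return (x > y) - (x < y)
    if len(ta) == len(tb):
        return 0
    # All shared tokens are equal: the longer version is newer unless its extra
    # tokens start with letters (so 3.20.1 > 3.20.1rc1, but 3.20.1 > 3.20).
    shared = min(len(ta), len(tb))
    if len(ta) > len(tb):
        return -1 if not ta[shared].isdigit() else 1
    return 1 if not tb[shared].isdigit() else -1


def vercmp(a, b):
    """Compare two full Arch package versions: -1, 0 or 1."""
    ea, va, ra = parse_version(a)
    eb, vb, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    result = compare_segment(va, vb)
    if result:
        return result
    return compare_segment(ra, rb)


def parse_pacman_q(output):
    """Parse the single 'name version' line printed by `pacman -Q <pkg>`."""
    name, version = output.strip().split()
    return name, version


def is_vulnerable(installed_version, fixed_version=FIXED_VERSION):
    """True when the installed version sorts below the advisory's fixed version."""
    return vercmp(installed_version, fixed_version) < 0


def assess(pacman_q_output, fixed_version=FIXED_VERSION):
    """Return (package, installed, vulnerable) for one `pacman -Q` line."""
    name, installed = parse_pacman_q(pacman_q_output)
    return name, installed, is_vulnerable(installed, fixed_version)


if __name__ == "__main__":
    pkg, installed, vulnerable = assess(SAMPLE_PACMAN_Q)
    status = "VULNERABLE to " + ", ".join(ADVISORY_CVES) if vulnerable else "patched"
    print(f"{pkg} {installed}: {status} (fixed in {FIXED_VERSION})")
```

On a live host, replace the constructed sample with the real output of `pacman -Q nss`; a package with an epoch (`1:...`) or a higher pkgrel is handled by the same ordering, and a pre-release suffix such as `rc1` sorts below the plain release as pacman's vercmp does.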
References
https://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12386.html
https://access.redhat.com/security/cve/CVE-2015-7181
https://access.redhat.com/security/cve/CVE-2015-7182
Workaround
None.