Hi Arturo, the note is correct. Here's the patch:

diff --git lib/freebl/ec.c lib/freebl/ec.c
--- lib/freebl/ec.c
+++ lib/freebl/ec.c
@@ -297,6 +297,10 @@ done:

 cleanup:
     mp_clear(&k);
+    if (err < MP_OKAY) {
+        MP_TO_SEC_ERROR(err);
+        rv = SECFailure;
+    }
     if (rv) {
         PORT_FreeArena(arena, PR_TRUE);
     }
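Review bot: the new `if (err < MP_OKAY)` block reads `err` on every path that reaches `cleanup:`, so the backport is only correct if `err` is initialised to `MP_OKAY` at the top of `ec_NewKey` in the 3.61 tree and every early `goto cleanup` on an mpi failure leaves the failing code in `err` rather than only in `rv`; neither the initialisation nor those paths are in the hunk, so please confirm them against the 3.61 source before applying. Placement after `mp_clear(&k)` and before `if (rv)` matches the Debian note, and it is what makes the `PORT_FreeArena(arena, PR_TRUE)` below run on mpi failure. Minor: the `diff --git lib/freebl/ec.c lib/freebl/ec.c` header and `---`/`+++` lines lack the `a/` and `b/` prefixes, so `git apply` or `patch -p1` will not locate the file; apply with `-p0` or regenerate the patch with `git format-patch`.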

Cheers,
John

On Wed, Sep 25, 2024 at 1:02 PM Arturo Borrero Gonzalez
<arturo.borrero.g...@gmail.com> wrote:
>
> Hi there,
>
> I'm interested in having a patch for CVE-2024-6609 available for the nss 
> version we have in Debian Bullseye (nss 3.61).
>
> We have a note [0] that mentions this:
>
> === 8< ===
> To address CVE in older versions of src:nss what is needed is to add the error
> handling code (confirmed by upstream):
> https://searchfox.org/nss/rev/ba9330537e6e94971de8b9bc49460891b23afd4f/lib/freebl/ec.c#379-382
> to the ec_NewKey function, in the cleanup section, after mp_clear and
> before `if (rv)`.
> === 8< ===
>
> I was hoping that you could provide this patch yourself, because I don't 
> think just a copy/paste (like the note seems to suggest) would be enough.
>
> Please, let me know if you can help with this.
>
> thanks, regards.
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-6609
>
>
> --
> You received this message because you are subscribed to the Google Groups 
> "dev-tech-crypto@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to dev-tech-crypto+unsubscr...@mozilla.org.
> To view this discussion on the web visit 
> https://groups.google.com/a/mozilla.org/d/msgid/dev-tech-crypto/66071e21-a687-49f2-a709-5244a06438b6n%40mozilla.org.
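The following is an added model of the cleanup path the patch touches, written to show why an mpi error that is never converted in `cleanup:` lets the function return success; it is not NSS code and not part of this thread. The NSS/mpi names used (`MP_OKAY`, `MP_MEM`, `MP_RANGE`, `SECSuccess`, `SECFailure`) are local stand-ins that only assume mpi's convention of `MP_OKAY == 0` and negative error codes; `fake_point_mul`, `new_key_model`, `mp_to_sec_error` and the `SEC_ERROR_*` numbers are constructed for the demo, with `mp_to_sec_error` loosely modelled on the shape of NSS's `MP_TO_SEC_ERROR` macro rather than copied from it.

```c
/* Added model of an ec_NewKey-style cleanup path; not NSS code.
 * Names mirror NSS/mpi conventions but are defined locally here. */
#include <string.h>

typedef enum { SECFailure = -1, SECSuccess = 0 } SECStatus;

#define MP_OKAY   0        /* assumed: mpi success is 0, errors are negative */
#define MP_MEM   (-2)      /* hypothetical mpi error codes for the demo */
#define MP_RANGE (-3)

/* Assumed SEC-style error numbers; arbitrary values for this demo. */
#define SEC_ERROR_NO_MEMORY       1
#define SEC_ERROR_BAD_DATA        2
#define SEC_ERROR_LIBRARY_FAILURE 3

static int g_last_sec_error = 0;   /* stand-in for PORT_SetError's thread-local */

/* Loosely modelled on NSS's MP_TO_SEC_ERROR: map an mpi code to a SEC error. */
static void mp_to_sec_error(int err) {
    switch (err) {
        case MP_MEM:   g_last_sec_error = SEC_ERROR_NO_MEMORY;       break;
        case MP_RANGE: g_last_sec_error = SEC_ERROR_BAD_DATA;        break;
        default:       g_last_sec_error = SEC_ERROR_LIBRARY_FAILURE; break;
    }
}

/* Constructed stand-in for the scalar-multiplication step: fills the public
 * point on success, or returns the requested negative mpi code to simulate
 * an allocation/range failure inside mpi. */
static int fake_point_mul(int mp_result, unsigned char pub[32]) {
    if (mp_result < MP_OKAY)
        return mp_result;
    memset(pub, 0x42, 32);
    return MP_OKAY;
}

/* Control flow modelled on ec_NewKey: rv is the SEC status the caller sees,
 * err is the mpi status, and an mpi failure jumps straight to cleanup.
 * convert == 0 reproduces a cleanup block that never looks at err;
 * convert == 1 applies the same check the patch adds after mp_clear(). */
static SECStatus new_key_model(int mp_result, int convert, unsigned char pub[32]) {
    SECStatus rv = SECSuccess;
    int err = MP_OKAY;

    memset(pub, 0, 32);                /* freshly allocated, not yet a key */
    err = fake_point_mul(mp_result, pub);
    if (err < MP_OKAY)
        goto cleanup;                  /* mirrors a CHECK_MPI_OK-style bail-out */

    /* ... remaining key-construction steps would run here ... */

cleanup:
    if (convert && err < MP_OKAY) {
        mp_to_sec_error(err);
        rv = SECFailure;
    }
    return rv;                         /* caller frees/keeps the key on this */
}

/* 1 if the unconverted path hands back SECSuccess together with an all-zero
 * public point after an mpi failure, i.e. success status for a non-key. */
int unconverted_reports_success_on_mp_error(void) {
    unsigned char pub[32];
    static const unsigned char zeros[32] = {0};
    SECStatus rv = new_key_model(MP_MEM, 0, pub);
    return rv == SECSuccess && memcmp(pub, zeros, 32) == 0;
}

/* SEC error recorded when the converted path sees mp_err, or -1 if the
 * model did not report SECFailure (e.g. mp_err == MP_OKAY). */
int converted_sec_error_for(int mp_err) {
    unsigned char pub[32];
    g_last_sec_error = 0;
    if (new_key_model(mp_err, 1, pub) != SECFailure)
        return -1;
    return g_last_sec_error;
}
```

The point of the model is the pair of observations a backporter wants to verify on the real 3.61 function: with the check absent, an mpi failure reaches `cleanup:` and the function still returns `SECSuccess`, so the `if (rv)` arena free never runs and the caller treats whatever was built so far as a valid key; with the check present, the mpi code is translated to a SEC error and `rv` becomes `SECFailure`, which is what drives the existing `PORT_FreeArena` path.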
