CVE-2016-1938
Published: 26 January 2016
The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0, improperly divides numbers, which might make it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging use of the (1) mp_div or (2) mp_exptmod function.
Priority
CVSS 3 base score: 6.5
Status
Package | Release | Status |
---|---|---|
firefox | precise | Does not exist (precise was released [44.0+build3-0ubuntu0.12.04.1]) |
firefox | trusty | Does not exist (trusty was released [44.0+build3-0ubuntu0.14.04.1]) |
firefox | upstream | Released (44.0) |
firefox | vivid | Released (44.0+build3-0ubuntu0.15.04.1) |
firefox | wily | Released (44.0+build3-0ubuntu0.15.10.1) |
firefox | xenial | Released (44.0+build3-0ubuntu1) |
firefox | yakkety | Released (44.0+build3-0ubuntu1) |
firefox | zesty | Released (44.0+build3-0ubuntu1) |
nss | precise | Released (2:3.21-0ubuntu0.12.04.1) |
nss | trusty | Released (2:3.21-0ubuntu0.14.04.1) |
nss | upstream | Released (3.21) |
nss | vivid | Ignored (reached end-of-life) |
nss | wily | Released (2:3.21-0ubuntu0.15.10.1) |
nss | xenial | Not vulnerable (2:3.21-1ubuntu2) |
nss | yakkety | Not vulnerable (2:3.21-1ubuntu2) |
nss | zesty | Not vulnerable (2:3.21-1ubuntu2) |
thunderbird | precise | Does not exist (precise was released [1:38.8.0+build1-0ubuntu0.12.04.1]) |
thunderbird | trusty | Does not exist (trusty was released [1:38.8.0+build1-0ubuntu0.14.04.1]) |
thunderbird | upstream | Released (38.8.0) |
thunderbird | vivid | Ignored (reached end-of-life) |
thunderbird | wily | Released (1:38.8.0+build1-0ubuntu0.15.10.1) |
thunderbird | xenial | Released (1:38.8.0+build1-0ubuntu0.16.04.1) |
thunderbird | yakkety | Released (1:38.8.0+build1-0ubuntu1) |
thunderbird | zesty | Released (1:38.8.0+build1-0ubuntu1) |

Patches (nss):
- upstream: http://hg.mozilla.org/projects/nss/rev/a555bf0fc23a
- upstream: http://hg.mozilla.org/projects/nss/rev/608645309ab9
- upstream: http://hg.mozilla.org/projects/nss/rev/cfd0ad4726cb

References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1938
- https://www.mozilla.org/en-US/security/advisories/mfsa2016-07/
- https://ubuntu.com/security/notices/USN-2880-1
- https://blog.fuzzing-project.org/37-Mozilla-NSS-Wrong-calculation-results-in-mp_div-and-mp_exptmod.html
- https://ubuntu.com/security/notices/USN-2903-1
- https://ubuntu.com/security/notices/USN-2973-1
- NVD
- Launchpad
- Debian