CVE-2012-0441

The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox	13.10 saucy	Fixed 14.0~b6+build2-0ubuntu2
	13.04 raring	Fixed 14.0~b6+build2-0ubuntu2
	12.10 quantal	Fixed 14.0~b6+build2-0ubuntu2
	12.04 LTS precise	Fixed 13.0+build1-0ubuntu0.12.04.1
	11.10 oneiric	Fixed 13.0+build1-0ubuntu0.11.10.1
	11.04 natty	Fixed 13.0+build1-0ubuntu0.11.04.1
	10.04 LTS lucid	Fixed 13.0+build1-0ubuntu0.10.04.1
	8.04 LTS hardy	Ignored end of life
nss	13.10 saucy	Fixed 3.13.1.with.ckbi.1.88-1ubuntu7
	13.04 raring	Fixed 3.13.1.with.ckbi.1.88-1ubuntu7
	12.10 quantal	Fixed 3.13.1.with.ckbi.1.88-1ubuntu7
	12.04 LTS precise	Fixed 3.13.1.with.ckbi.1.88-1ubuntu6.1
	11.10 oneiric	Fixed 3.12.9+ckbi-1.82-0ubuntu6.1
	11.04 natty	Fixed 3.12.9+ckbi-1.82-0ubuntu2.2
	10.04 LTS lucid	Fixed 3.12.9+ckbi-1.82-0ubuntu0.10.04.4
	8.04 LTS hardy	Ignored end of life
seamonkey	13.10 saucy	Not in release
	13.04 raring	Not in release
	12.10 quantal	Not in release
	12.04 LTS precise	Not in release
	11.10 oneiric	Ignored end of life
	11.04 natty	Ignored end of life
	10.04 LTS lucid	Ignored end of life
	8.04 LTS hardy	Ignored end of life
thunderbird	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Fixed 13.0.1+build1-0ubuntu0.12.04.1
	11.10 oneiric	Fixed 13.0.1+build1-0ubuntu0.11.10.1
	11.04 natty	Fixed 13.0.1+build1-0ubuntu0.11.04.1
	10.04 LTS lucid	Fixed 13.0.1+build1-0ubuntu0.10.04.1
	8.04 LTS hardy	Ignored end of life
xulrunner-1.9.2	13.10 saucy	Not in release
	13.04 raring	Not in release
	12.10 quantal	Not in release
	12.04 LTS precise	Not in release
	11.10 oneiric	Not in release
	11.04 natty	Ignored end of life
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Ignored end of life
xulrunner-2.0	13.10 saucy	Not in release
	13.04 raring	Not in release
	12.10 quantal	Not in release
	12.04 LTS precise	Not in release
	11.10 oneiric	Not in release
	11.04 natty	Ignored end of life
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release

Notes

micahg

xulrunner isn't affected as NSS isn't bundled with it

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
nss	Vendor: http://anonscm.debian.org/gitweb/?p=pkg-mozilla/nss.git;a=commitdiff;h=6c06f9c38d26a18c6c056c4fd3bd8a9538a3936b

References

Related Ubuntu Security Notices (USN)

USN-1463-1
Firefox vulnerabilities
6 June 2012

USN-1463-4
Thunderbird vulnerabilities
22 June 2012

USN-1540-1
NSS vulnerability
16 August 2012

USN-1463-6
Thunderbird vulnerabilities
27 June 2012

USN-1540-2
NSS vulnerability
21 August 2012

Status

Notes

Patch details

References

Related Ubuntu Security Notices (USN)

Other references