Mozilla has published a security advisory warning of a critical security vulnerability in the Network Security Services libraries which are widely used by open-source software.
While the bug does not impact Mozilla Firefox, it is thought to affect many other email clients and PDF viewers that use the electronic signature verification features of the Network Security Services, including Thunderbird, LibreOffice, Evince and Evolution.
NSS versions prior to 3.73 and 3.68.1 ESR are vulnerable when handling certain forms of digital signature (DER-encoded DSA or RSA-PSS signatures) – and a heap overflow can be induced. A heap overflow is a type of buffer overflow attack and can be exploited to crash the software or to perform arbitrary code execution. The flaw can be exploited by creating a signature/key combination which is larger than expected by the NSS library. The bug exists in the implementation for several CMS standards including S/MIME and PKCS #7 and PKCS #12. This means, for example, simply sending a digitally signed S/MIME email to a Thunderbird client is enough to trigger the vulnerability in a vulnerable version of that email client.
The NSS library can also be incorporated into in-house developed systems and third-party applications so Security Managers should check their software inventory to identify any software that may need updating.