Fluid Attacks Database

Description

Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted X.509 certificate, a related issue to CVE-2013-1741.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel6	nss-util	<0:3.15.3-1.el6_5	0:3.15.3-1.el6_5
rpm rhel5	nspr	<0:4.10.2-2.el5_10	0:4.10.2-2.el5_10
debian 11	nspr	>=0 <2:4.10.2-1	2:4.10.2-1
debian 12	nspr	>=0 <2:4.10.2-1	2:4.10.2-1
debian 13	nspr	>=0 <2:4.10.2-1	2:4.10.2-1
debian 14	nspr	>=0 <2:4.10.2-1	2:4.10.2-1
rpm rhel6	nspr	<0:4.10.2-1.el6_5	0:4.10.2-1.el6_5
rpm rhel6	nss	<0:3.15.3-2.el6_5	0:3.15.3-2.el6_5
rpm rhel5	nss	<0:3.15.3-3.el5_10	0:3.15.3-3.el5_10

Aliases

1. CVE-2013-56072. NVD-2013-56073. OSV-2013-56074. OSV-DEBIAN-2013-56075. SECURITY-TRACKER-CVE-2013-5607

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.