A critical vulnerability (CVE-2021-43527) has been found in NSS (Network Security Services), the set of cryptographic libraries developed by Mozilla. It can lead to execution of attacker code when processing DSA or RSA-PSS digital signatures encoded with DER (Distinguished Encoding Rules). The problem, code-named BigSig, is fixed in NSS 3.73 and NSS ESR 3.68.1. Package updates are available for Debian, RHEL, Ubuntu, Fedora, SUSE and Arch Linux.
The problem affects applications that use NSS to process CMS, S/MIME, PKCS #7 and PKCS #12 digital signatures, or to verify certificates in TLS, X.509, OCSP and CRL implementations. The vulnerability does not manifest in Firefox, Thunderbird and Tor Browser, which use a separate library, mozilla::pkix, for verification, and it does not affect Chromium-based browsers (moved to BoringSSL in 2015). It can, however, appear in various client and server applications with TLS, DTLS and S/MIME support, mail clients and PDF viewers that use the NSS call CERT_VerifyCertificate() to check digital signatures. LibreOffice, Evolution and Evince are mentioned as examples of vulnerable applications.
The vulnerability is caused by an error in the certificate verification code in the vfy_CreateContext function