Source: securityvulns, SECURITYVULNS:DOC:13322
Published: Jun 27, 2006 - 12:00 a.m.

K-Meleon NSS Library Memory Leak Vulnerability

Description:
K-Meleon 0.9.13 is affected by a DoS-type memory leak vulnerability disclosed in the Mozilla
Network Security Services library implementation. This library is shipped with the newest K-Meleon
browser.

Reportedly the Network Security Services (NSS) library will leak 256 bytes of memory per RSA
cryptographic operation. After a certain amount of time, this causes the system to run out of memory
and may lead to a system hang or panic state.

The following Network Security Services library version was shipped with the newest K-Meleon browser
0.9.13:
C:\Program Files\K-Meleon\nss3.dll (NSS Base Library)
3.9.3.0 (April 2006)
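
One way to check a Windows host for the nss3.dll build named above (an added example, not part of the original advisory). The search roots are assumptions, and only the 3.9.3.0 version reported here is flagged, since the advisory names no fixed version; other builds are listed for manual review against the vendor references.

```powershell
# Added example: inventory nss3.dll copies and flag the build named in the advisory.
# Assumption: browsers are installed under the standard Program Files roots.
$reported = New-Object System.Version -ArgumentList 3, 9, 3, 0   # version reported for K-Meleon 0.9.13

$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    Select-Object -Unique

if (-not $roots) {
    Write-Warning 'No Program Files directory found; nothing to scan.'
    return
}

Get-ChildItem -Path $roots -Filter 'nss3.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Build the version from the numeric fields of the version resource;
        # the FileVersion string is free-form and its format varies between builds.
        $ver = New-Object System.Version -ArgumentList `
            $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

        [pscustomobject]@{
            Path            = $_.FullName
            Version         = $ver
            LastWritten     = $_.LastWriteTime
            MatchesAdvisory = ($ver -eq $reported)   # exact match with the reported build only
        }
    } |
    Sort-Object Path |
    Format-Table -AutoSize
```

A file without a version resource is listed as 0.0.0.0 and needs to be identified by other means.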

Solution status:
No updated version available from the vendor at the time of reporting.

Timeline:
23-Jun-2006 - Vulnerability researched
25-Jun-2006 - Detailed research
25-Jun-2006 - Vendor was contacted
26-Jun-2006 - Reply from vendor
26-Jun-2006 - Security companies and several CERT units contacted

References:
Sun Alert ID #102461:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102461-1

NSS Project home page:
http://www.mozilla.org/projects/security/pki/nss/

Best regards,
Juha-Matti Laurio
Networksecurity.fi
http://www.networksecurity.fi/