Gentoo Bug 57380 - net-www/mozilla, firefox: certificate problems

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	57380
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	DUPLICATE of bug 59419
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Carsten Lohrke <carlo@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 57380 depends on:			Show dependency tree
Bug 57380 blocks:			Show dependency tree

Votes:	0 Show votes for this bug Vote for this bug

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED DUPLICATE
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2004-07-17 04:59 0000

Importing a self-made certificate (call it x) with the same DN (but different
serial nr) as a built-in CA root cert (called b) overrides the built-in one:
trying to open a SSL page protected by a cert signed by b throws an error -8182
('certificate presented by xyz.com is invalid or corrupt') -> Denial of Service.

This could be automated when importing x via mime type
application/x-x509-email-cert, causing Mozilla to import the cert silently (bug
Nr. 2). 
This is also possible via email messages, calling the cert x link inside an
<iframe> tag, leading to a silent import of x when opening or previewing the
message (bug Nr. 3).

Conclusion: fully automatical DoS of the entire cert store via email is
possible, no user interaction needed. 

http://bugzilla.mozilla.org/show_bug.cgi?id=249004

------- Comment #1 From Thierry Carrez (RETIRED) 2004-07-19 00:47:45 0000 -------

Waiting for an upstream fix.

------- Comment #2 From Carsten Lohrke 2004-07-28 08:32:23 0000 -------

mozilla patch is ready, see also
http://bugzilla.mozilla.org/show_bug.cgi?id=253121

------- Comment #3 From Thierry Carrez (RETIRED) 2004-07-28 13:35:20 0000 -------

Thnaks for the feedback Carlo.

mozilla team : do you think we should apply fix to our ebuilds or wait for Moz 1.7.2 / FireFox 0.9.3 ?

------- Comment #4 From Dan Margolis (RETIRED) 2004-07-28 16:48:05 0000 -------

*** Bug 58709 has been marked as a duplicate of this bug. ***

------- Comment #5 From Thierry Carrez (RETIRED) 2004-08-04 10:37:36 0000 -------

0.9.3 and 1.7.2 are out.
Using bug 59419 as a metabug.

------- Comment #6 From Thierry Carrez (RETIRED) 2004-08-05 04:58:26 0000 -------


*** This bug has been marked as a duplicate of 59419 ***

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 57380

net-www/mozilla, firefox: certificate problems

Last modified: 2005-07-17 13:06:51 0000