Importing a self-made certificate (call it x) with the same DN (but different serial nr) as a built-in CA root cert (called b) overrides the built-in one: trying to open a SSL page protected by a cert signed by b throws an error -8182 ('certificate presented by xyz.com is invalid or corrupt') -> Denial of Service. This could be automated when importing x via mime type application/x-x509-email-cert, causing Mozilla to import the cert silently (bug Nr. 2). This is also possible via email messages, calling the cert x link inside an <iframe> tag, leading to a silent import of x when opening or previewing the message (bug Nr. 3). Conclusion: fully automatical DoS of the entire cert store via email is possible, no user interaction needed. http://bugzilla.mozilla.org/show_bug.cgi?id=249004
Waiting for an upstream fix.
mozilla patch is ready, see also http://bugzilla.mozilla.org/show_bug.cgi?id=253121
Thnaks for the feedback Carlo. mozilla team : do you think we should apply fix to our ebuilds or wait for Moz 1.7.2 / FireFox 0.9.3 ?
*** Bug 58709 has been marked as a duplicate of this bug. ***
0.9.3 and 1.7.2 are out. Using bug 59419 as a metabug.
*** This bug has been marked as a duplicate of 59419 ***