Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 57380 - net-www/mozilla, firefox: certificate problems
Summary: net-www/mozilla, firefox: certificate problems
Status: RESOLVED DUPLICATE of bug 59419
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A3 [ebuild]
: 58709 (view as bug list)
Depends on:
Reported: 2004-07-17 04:59 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2004-07-17 04:59:22 UTC
Importing a self-made certificate (call it x) with the same DN (but different
serial nr) as a built-in CA root cert (called b) overrides the built-in one:
trying to open a SSL page protected by a cert signed by b throws an error -8182
('certificate presented by is invalid or corrupt') -> Denial of Service.

This could be automated when importing x via mime type
application/x-x509-email-cert, causing Mozilla to import the cert silently (bug
Nr. 2). 
This is also possible via email messages, calling the cert x link inside an
<iframe> tag, leading to a silent import of x when opening or previewing the
message (bug Nr. 3).

Conclusion: fully automatical DoS of the entire cert store via email is
possible, no user interaction needed.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-07-19 00:47:45 UTC
Waiting for an upstream fix.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2004-07-28 08:32:23 UTC
mozilla patch is ready, see also
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-07-28 13:35:20 UTC
Thnaks for the feedback Carlo.

mozilla team : do you think we should apply fix to our ebuilds or wait for Moz 1.7.2 / FireFox 0.9.3 ?
Comment 4 Dan Margolis (RETIRED) gentoo-dev 2004-07-28 16:48:05 UTC
*** Bug 58709 has been marked as a duplicate of this bug. ***
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 10:37:36 UTC
0.9.3 and 1.7.2 are out.
Using bug 59419 as a metabug.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 04:58:26 UTC

*** This bug has been marked as a duplicate of 59419 ***