Comment 1 for bug 7084

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 17 Jul 2004 15:20:01 +0200
From: Martin Helas <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla: Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email


Package: mozilla
Version: Overriding built-in certificate leading to error -8182 (DoS), especially exploitable by email
Severity: critical
Tags: security

Please have a look at
http://bugzilla.mozilla.org/show_bug.cgi?id=249004

Importing a self-made certificate (call it x) with the same DN (but different
serial nr) as a built-in CA root cert (called b) overrides the built-in one:
trying to open a SSL page protected by a cert signed by b throws an error -8182
('certificate presented by xyz.com is invalid or corrupt') -> Denial of Service.

This bug may also affect other packages (e.g. mozilla-firefox)

Greetings
Martin

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=en_US.ISO-8859-15, LC_CTYPE=en_US.ISO-8859-15
-- 
  Martin Helas <email address hidden> or <email address hidden>
  http://www.helas.net or http://mhelas.blogspot.com
  GPGKey-Fingerprint: 14744CACEF5CECFAE29E2CB17929AB90F7AC3AF0

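An added example, not part of the bug report and not Mozilla or NSS code: a toy Python model of the lookup failure Martin describes. A trust store that indexes anchors by subject DN alone lets a later import with the same DN (x) displace the built-in root (b); a site certificate signed by b then finds x as its only candidate issuer and fails signature verification (-8182 is NSS's SEC_ERROR_BAD_SIGNATURE, which matches the "invalid or corrupt" wording quoted above). Indexing by (subject DN, key identifier) and trying every candidate that carries the issuer's DN keeps both roots and still verifies the site certificate. All DNs, keys and serial numbers below are constructed, and the "signatures" are HMAC-SHA256 stand-ins for RSA/ECDSA, not real X.509.

```python
import hashlib
import hmac
import json

# Toy model (constructed for this example): a cert is a dict; a CA cert carries its
# key so verifiers can recompute what it signed.  Not X.509, not NSS.


def _sign(tbs: dict, issuer_key: bytes) -> str:
    body = json.dumps(tbs, sort_keys=True).encode()
    return hmac.new(issuer_key, body, hashlib.sha256).hexdigest()


def make_cert(subject: str, issuer: str, serial: int, key: bytes, issuer_key: bytes) -> dict:
    """Build a cert whose to-be-signed part names the subject key by hash (like an SKI)."""
    tbs = {"subject": subject, "issuer": issuer, "serial": serial,
           "ski": hashlib.sha256(key).hexdigest()}
    return {"tbs": tbs, "sig": _sign(tbs, issuer_key), "key": key}


class DnKeyedStore:
    """Models the reported behaviour: one slot per subject DN, last import wins."""

    def __init__(self):
        self._by_dn = {}

    def add(self, cert: dict) -> None:
        self._by_dn[cert["tbs"]["subject"]] = cert

    def issuers_for(self, issuer_dn: str) -> list:
        c = self._by_dn.get(issuer_dn)
        return [c] if c else []


class DnAndKeyIdStore:
    """Keys by (subject DN, key id): same-DN certs with different keys coexist."""

    def __init__(self):
        self._by_dn_ski = {}

    def add(self, cert: dict) -> None:
        self._by_dn_ski[(cert["tbs"]["subject"], cert["tbs"]["ski"])] = cert

    def issuers_for(self, issuer_dn: str) -> list:
        return [c for (dn, _), c in self._by_dn_ski.items() if dn == issuer_dn]


def verify(store, cert: dict) -> bool:
    """Accept if any stored cert with the issuer's DN actually verifies the signature.

    False is the analogue of the -8182 failure from the report: no candidate
    issuer found under that DN holds the key that signed the certificate.
    """
    for issuer in store.issuers_for(cert["tbs"]["issuer"]):
        if hmac.compare_digest(_sign(cert["tbs"], issuer["key"]), cert["sig"]):
            return True
    return False


def scenario(store_cls, import_attacker: bool = True) -> bool:
    """Import built-in root b, optionally the same-DN cert x, then verify a site cert."""
    b_key = b"builtin-root-ca-key"      # constructed
    x_key = b"attacker-self-made-key"   # constructed
    root_dn = "CN=Example Root CA,O=Example"
    b = make_cert(root_dn, root_dn, serial=1, key=b_key, issuer_key=b_key)
    x = make_cert(root_dn, root_dn, serial=2, key=x_key, issuer_key=x_key)
    site = make_cert("CN=xyz.com", root_dn, serial=4711, key=b"xyz-key", issuer_key=b_key)
    store = store_cls()
    store.add(b)
    if import_attacker:
        store.add(x)
    return verify(store, site)


if __name__ == "__main__":
    print("DN-keyed store, no override :", scenario(DnKeyedStore, import_attacker=False))
    print("DN-keyed store, x imported  :", scenario(DnKeyedStore))
    print("DN+SKI store, x imported    :", scenario(DnAndKeyIdStore))
```

The point carried over to real verifiers: a DN is a name, not an identity; the issuer lookup must tolerate several certificates under one DN and select by whichever one's key actually validates the signature, rather than by whichever was imported last.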