Closed Bug 162763 Opened 22 years ago Closed 22 years ago

CERT_DecodeBasicConstraintValue fails with empty basic constraints

Categories

(NSS :: Libraries, defect)

RESOLVED FIXED

People

(Reporter: julien.pierre, Assigned: wtc)

Details

(Whiteboard: [sg:nse] confidential until IP address expunged)

Attachments

(1 file)

Group: security?
This was resolved when the large checkin for quickder went in yesterday, as part
of fix for bug #160805.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
wtc et al, are you OK with making this bug public? Looks like it wasn't really
an exploit anyway, but please confirm.
There's no exploit here.  NSS rejects certs with pointless (empty) 
basicConstraints extensions.  No crash, no exploit.  I see no reason for
this to be "security sensitive".
The IP address with the test exploit for IE was given to us privately and
was not supposed to be made public, but I was unaware of that when I posted the
bug. This is why it was made security sensitive.
Since there is no exploit here, how is this IP address security sensitive?
That IP address isn't one of ours. Somebody outside of Netscape set up a test
system to reproduce the IE exploit, but intended only for us to be aware of that
address, not the world.

We need to expunge that confidential IP address or else remove this bug from the
database; it can't stay security-sensitive.
I would say delete it. I don't know how to do that, though.
Whiteboard: [sg:nse] confidential until IP address expunged
Group: security