CERT_DecodeBasicConstraintValue fails with empty basic constraints

RESOLVED FIXED

Status

NSS
Libraries
RESOLVED FIXED
16 years ago
11 years ago

People

(Reporter: Julien Pierre, Assigned: Wan-Teh Chang)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:nse] confidential until IP address expunged)

Attachments

(1 attachment)

(Reporter)

Comment 1

16 years ago
Created attachment 95320 [details] [diff] [review]
patch to use quick DER decoder for basic constraints

Updated

16 years ago
Group: security?
(Assignee)

Updated

16 years ago
Not accessible to reporter
(Assignee)

Updated

16 years ago
Accessible to reporter
(Reporter)

Comment 2

16 years ago
This was resolved when the large checkin for quickder went in yesterday, as part
of fix for bug #160805.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → FIXED
wtc et al, are you OK with making this bug public? Looks like it wasn't really
an exploit anyway, but please confirm.
There's no exploit here.  NSS rejects certs with pointless (empty) 
basicConstraints extensions.  No crash, no exploit.  I see no reason for
this to be "security sensitive".
(Reporter)

Comment 5

15 years ago
The IP address with the test exploit for IE given was given to us privately and
was not supposed to be made public, but I was unware of that when I posted the
bug. This is why it was made security sensitive.
Since there is no exploit here, how is this IP address security sensitive?
(Reporter)

Comment 7

15 years ago
That IP address isn't one of ours. Somebody outside of Netscape setup a test
system to reproduce the IE exploit, but intended only for us to be aware of that
address, not the world.

We need to expunge that confidential IP address or else remove this bug from the
database; it can't stay security-sensitive.
(Reporter)

Comment 9

15 years ago
I would say delete it . I don't know how to do that, though.
Whiteboard: [sg:nse] confidential until IP address expunged
Group: security
You need to log in before you can comment on or make changes to this bug.