Closed Bug 891145 Opened 11 years ago Closed 11 years ago

null dereference in PK11_FreeSlot (pk11slot.c:452) via crypto.generateCRMFRequest

Categories

(Core :: Security: PSM, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 849553

People

(Reporter: keeler, Unassigned)

Details

In testing out a fix for another generateCRMFRequest bug, I attempted to evaluate 'crypto.generateCRMFRequest("CN=somedomain.org", "0", "0", null, "alert(1)", 64, null, "rsa-ex")' in the web console, which caused a crash dereferencing a null pointer (non-zero offset).

This looks a lot like one of the issues brought up in bug 849553, but I think this is more dangerous than the DoS issue, so I'm filing a new bug and marking it as security-sensitive.
Actually, I think the problem here is that the key size is too small, which really does make this the same as bug 849553.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE