Bug 510251 - (CVE-2009-2408) CVE-2009-2408 firefox/nss: doesn't handle NULL in Common Name properly
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity medium
Assigned To: Red Hat Product Security
reported=20090225,public=20090729,imp...
: Security
Depends On: 230399 514474 514916 565580 565581 565584 565585 582839
Reported: 2009-07-08 09:40 EDT by Mark J. Cox
Modified: 2010-04-15 17:58 EDT

Doc Type: Bug Fix
Last Closed: 2009-10-13 09:30:35 EDT


Attachments
backported mozbz#480509 (23.81 KB, patch)
2009-08-03 06:52 EDT, Martin Stransky
backported mozbz#484111 (2.25 KB, patch)
2009-08-03 06:53 EDT, Martin Stransky
Description Mark J. Cox 2009-07-08 09:40:23 EDT
In his upcoming Blackhat paper and presentation Dan Kaminsky
highlights some more issues he has found relating to SSL hash
collisions and related vulnerabilities.

His second issue is all about inconsistencies in the interpretation of subject x509 names in certificates. Specifically "issue 2, attack 2c" regarding NULL terminators in a Common Name field. An attacker could create a malicious certificate containing a NULL, which, if they were able to get it signed, could confuse a client into accepting it by mistake.

According to the paper this is said to affect Firefox.
Comment 1 Mark J. Cox 2009-07-27 03:52:50 EDT
This issue is fixed in upstream NSS 3.12.3 by the following bzs:

        Improper character escaping and unescaping in alg1485.c & secname.c
        https://bugzilla.mozilla.org/show_bug.cgi?id=480509

        Must escape DER DNS names when converting to zStrings
        https://bugzilla.mozilla.org/show_bug.cgi?id=484111
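
The failure mode described in this bug, and the idea behind the fix titled "Must escape DER DNS names when converting to zStrings", shown as an added C example that is not code from NSS or from the attached patches. The struct, the function names, the sample bytes and the `\XX` escape format are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Name as read from DER: bytes plus explicit length, no terminator (hypothetical, not an NSS type). */
struct der_name { const unsigned char *data; size_t len; };

/* Constructed sample CN with an embedded NUL byte after the first hostname. */
static const unsigned char SAMPLE_CN[] = "www.example.com\0.untrusted.example";

/* Flawed pattern: copy into a C string, so strcmp() stops at the first NUL. */
int naive_match(const struct der_name *cn, const char *host) {
    char buf[256];
    size_t n = cn->len < sizeof buf - 1 ? cn->len : sizeof buf - 1;
    memcpy(buf, cn->data, n);
    buf[n] = '\0';
    return strcmp(buf, host) == 0;
}

/* Convert to a zString, writing every byte outside printable ASCII (and the
   backslash itself) as \XX. Returns 0 on success, -1 if out is too small. */
int to_zstring_escaped(const struct der_name *n, char *out, size_t outlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outlen == 0) return -1;
    for (size_t i = 0; i < n->len; i++) {
        unsigned char c = n->data[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        } else {
            if (o + 3 >= outlen) return -1;
            out[o++] = '\\'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Exact match on the escaped form; wildcard and case rules are left out. */
int safe_match(const struct der_name *cn, const char *host) {
    char buf[3 * 256 + 1];
    if (cn->len > 256 || to_zstring_escaped(cn, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, host) == 0;
}

int main(void) {
    struct der_name cn = { SAMPLE_CN, sizeof SAMPLE_CN - 1 };
    printf("naive=%d safe=%d\n", naive_match(&cn, "www.example.com"), safe_match(&cn, "www.example.com"));
    return 0;
}
```

Because the escaped zString keeps the bytes after the NUL visible, it no longer compares equal to the hostname the client asked for.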
Comment 4 Mark J. Cox 2009-07-30 03:58:09 EDT
This was also found by Moxie and presented in two talks at Blackhat last night.  Moxie was able to get a CA to sign a certificate containing a NULL in the CN name.

Removing embargo.
Comment 5 errata-xmlrpc 2009-07-30 18:09:58 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2009:1184 https://rhn.redhat.com/errata/RHSA-2009-1184.html
Comment 6 errata-xmlrpc 2009-07-30 18:20:08 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1186 https://rhn.redhat.com/errata/RHSA-2009-1186.html
Comment 8 errata-xmlrpc 2009-07-31 10:31:38 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4.7 Z Stream

Via RHSA-2009:1190 https://rhn.redhat.com/errata/RHSA-2009-1190.html
Comment 9 Martin Stransky 2009-08-03 06:52:01 EDT
Created attachment 355994
backported mozbz#480509
Comment 10 Martin Stransky 2009-08-03 06:53:29 EDT
Created attachment 355997
backported mozbz#484111
Comment 11 errata-xmlrpc 2009-08-12 10:31:17 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.2 Z Stream

Via RHSA-2009:1207 https://rhn.redhat.com/errata/RHSA-2009-1207.html
Comment 15 errata-xmlrpc 2009-09-09 19:50:53 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1432 https://rhn.redhat.com/errata/RHSA-2009-1432.html
Comment 16 Tomas Hoger 2009-10-13 09:30:35 EDT
This was fixed in all affected NSS versions in Red Hat Enterprise Linux 3, 4 and 5 and all current Fedora versions (F10+).
