Debian Bug report logs - #627552
iceweasel doesn't (re)validate certificates when loading HTTPS page from cache (CVE-2011-0082)

Package: iceweasel; Maintainer for iceweasel is Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>; Source for iceweasel is src:firefox-esr (PTS, buildd, popcon).

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sat, 21 May 2011 22:00:02 UTC

Severity: important

Tags: security

Found in version iceweasel/4.0.1-2

Forwarded to https://bugzilla.mozilla.org/show_bug.cgi?id=660749


Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#627552; Package iceweasel. (Sat, 21 May 2011 22:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jakub Wilk <jwilk@debian.org>:
New Bug report received and forwarded. Copy sent to jwilk@debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Sat, 21 May 2011 22:00:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iceweasel doesn't (re)validate certificates when loading HTTPS page from cache
Date: Sat, 21 May 2011 23:56:00 +0200
Package: iceweasel
Version: 4.0.1-2
Severity: important
Tags: security

It looks like when Iceweasel loads an HTTPS page from cache, it doesn't verify if its certificate is (still) valid. Here's how to reproduce this bug:

1. Try to visit https://kitenet.net/. Iceweasel (correctly) displays a scary warning about the untrusted connection. Click "I Understand The Risks", click "Add Exception", uncheck "Permanently store this exception", click "Confirm Security Exception". Iceweasel shows the contents of the page.

2. Close the browser. kitenet.net's certificate should no longer be considered valid past this point.

3. Start Iceweasel again. Try to visit https://kitenet.net/. The browser happily shows the contents of the page (presumably loaded from cache), even though its certificate is not valid anymore.

4. For added fun, try to refresh the page. Iceweasel displays a scary warning about the untrusted connection. Click "I Understand The Risks", click "Add Exception". The browser says that "This site provides valid, verified identification" and doesn't allow you to confirm the security exception. So it turns out the certificate is both valid and invalid at the same time...


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Jakub Wilk
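A model of the cache/trust-store interaction the report describes, added here as an example and not code from Iceweasel or from the reporter: each cache entry records which server certificate its body was fetched under, and a fixed lookup re-evaluates trust against the current exception store, so the session-scoped exception that disappears at step 2 turns step 3 into a cache miss instead of a silent hit. The host, fingerprint and page body are constructed values.

```python
# Added example (not from the bug report): a model of the cache / trust-store
# interaction reported above. Host, fingerprint and page body are constructed.
from dataclasses import dataclass, field

@dataclass
class TrustStore:
    """Permanent exceptions survive restarts; session exceptions do not."""
    permanent: set = field(default_factory=set)
    session: set = field(default_factory=set)

    def is_trusted(self, host, fingerprint, chain_valid):
        key = (host, fingerprint)
        return chain_valid or key in self.permanent or key in self.session

@dataclass
class CacheEntry:
    body: bytes
    fingerprint: str   # server certificate the body was fetched under
    chain_valid: bool  # did the chain validate without any exception?

class HttpsCache:
    def __init__(self, store):
        self.store = store
        self.entries = {}

    def store_response(self, host, body, fingerprint, chain_valid):
        self.entries[host] = CacheEntry(body, fingerprint, chain_valid)

    def load_buggy(self, host):
        # Reported behaviour: a cache hit is served without rechecking trust.
        entry = self.entries.get(host)
        return entry.body if entry else None

    def load_fixed(self, host):
        # Re-evaluate trust for the certificate the cached body came from;
        # an untrusted entry is a cache miss, so the warning is shown again.
        entry = self.entries.get(host)
        if entry is None or not self.store.is_trusted(host, entry.fingerprint, entry.chain_valid):
            return None
        return entry.body

def reproduce():
    """Steps 1-3 of the report; returns (buggy result, fixed result)."""
    store, host, fp = TrustStore(), "kitenet.net", "sha1:CONSTRUCTED"
    cache = HttpsCache(store)
    store.session.add((host, fp))          # step 1: non-permanent exception
    cache.store_response(host, b"<html>ok</html>", fp, chain_valid=False)
    store.session.clear()                  # step 2: browser closed
    return cache.load_buggy(host), cache.load_fixed(host)  # step 3
```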




Set Bug forwarded-to-address to 'https://bugzilla.mozilla.org/show_bug.cgi?id=660749'. Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Tue, 31 May 2011 23:51:02 GMT) (full text, mbox, link).


Changed Bug title to 'iceweasel doesn't (re)validate certificates when loading HTTPS page from cache (CVE-2011-008)' from 'iceweasel doesn't (re)validate certificates when loading HTTPS page from cache' Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Tue, 11 Feb 2014 13:39:04 GMT) (full text, mbox, link).


Changed Bug title to 'iceweasel doesn't (re)validate certificates when loading HTTPS page from cache (CVE-2011-0082)' from 'iceweasel doesn't (re)validate certificates when loading HTTPS page from cache (CVE-2011-008)' Request was from Jakub Wilk <jwilk@debian.org> to control@bugs.debian.org. (Tue, 11 Feb 2014 13:45:22 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:26:12 2025; Machine Name: buxtehude