Certificate parsing broken by non-standard character encoding

Certificate parsing broken by non-standard character encoding

Announced

July 22, 2014

Reporter

Christian Holler

Impact

Moderate

Products

Firefox, Thunderbird

Fixed in

• Firefox 31
• Thunderbird 31

Description

Mozilla security researcher Christian Holler discovered several issues while fuzzing the parsing of SSL certificates. Two of these issues were a result of using characters that are not UTF-8 in certificates when various functions expected all strings to be UTF-8 format. The third issue was a result of using characters that were not ASCII in certificates while a function expected only ASCII formatted text. All of these issues causes the certificates to be incorrectly parsed, leading to a potential inability to use valid SSL certificates.

References

• ###!!! ASSERTION: Not a UTF-8 string. This code should only be used for converting from known UTF-8 strings. (CVE-2014-1558)
• ###!!! ASSERTION: Not a UTF-8 string. This code should only be used for converting from known UTF-8 strings. (CVE-2014-1559)
• ###!!! ASSERTION: Unexpected non-ASCII character: '!(*s2 & ~0x7F)' (CVE-2014-1560)