Mozilla Foundation Security Advisory 2014-65

Certificate parsing broken by non-standard character encoding

Announced

July 22, 2014

Reporter

Christian Holler

Impact

Moderate

Products

Firefox, Thunderbird

Fixed in

Firefox 31
Thunderbird 31

Description

Mozilla security researcher Christian Holler discovered several issues while fuzzing the parsing of SSL certificates. Two of these issues were a result of using characters that are not UTF-8 in certificates when various functions expected all strings to be UTF-8 format. The third issue was a result of using characters that were not ASCII in certificates while a function expected only ASCII formatted text. All of these issues causes the certificates to be incorrectly parsed, leading to a potential inability to use valid SSL certificates.

References

###!!! ASSERTION: Not a UTF-8 string. This code should only be used for converting from known UTF-8 strings. (CVE-2014-1558)
###!!! ASSERTION: Not a UTF-8 string. This code should only be used for converting from known UTF-8 strings. (CVE-2014-1559)
###!!! ASSERTION: Unexpected non-ASCII character: '!(*s2 & ~0x7F)' (CVE-2014-1560)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2014-65

Certificate parsing broken by non-standard character encoding

Description

References