logging into metnors.debian.net crashes iceweasel ..

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon May 18 14:31:48 UTC 2015 

Control: reassign 782772 iceweasel
Control: found 782772 37.0.2-1 38.0-2
Control: tags 782772 + upstream
Control: forwarded 782772 https://bugzilla.mozilla.org/show_bug.cgi?id=1165911

On Mon 2015-05-18 10:07:48 -0400, Daniel Kahn Gillmor wrote:
> After upgrading to 38.0-2, with iceweasel-dbg, i get the following
> backtrace during the segfault:
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fffd94fe700 (LWP 10459)]
> 0x00007ffff403bb87 in GatherEKUTelemetry (certList=...)
>     at /tmp/buildd/iceweasel-38.0/security/manager/ssl/src/SSLServerCertVerification.cpp:1047

http://sources.debian.net/src/iceweasel/38.0-2/security/manager/ssl/src/SSLServerCertVerification.cpp/?hl=1024#L1047

Digging a little bit further, it looks like a bug when iceweasel's
telemetry code tries to deal with an X.509v3 certificate which has no
extensions.

I've reported the problem uptsream at
https://bugzilla.mozilla.org/show_bug.cgi?id=1165911

In the meantime, i note that the end-entity certificate offered by
mentors.debian.net is provided twice in the TLS handshake (which is not
advisable), and it has no X.509v3 extensions.

The Debian CA (cc'ing debina-admin at debian.org here), which issued the
mentors.debian.net certificate, should probably re-issue the certificate
with some v3 extensions in it, at least:

 * basicConstraints (CA:False)
 * keyUsage (digitalSignature at least, keyEncipherment if you want to
   support RSA key exchange on mentors.debian.net)
 * extendedKeyUsage (TLS www server)
 * subjectAltName (mentors.debian.net)

These are good ideas for certificate issuance anyway, and they would
also fix the iceweasel segfault.

please let me know if i can help diagnose or repair this further.

Regards,

        --dkg

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mentors.debian.net.certs.txt
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20150518/4297206c/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20150518/4297206c/attachment-0001.sig>

More information about the pkg-mozilla-maintainers mailing list