Fix for CVE-2013-6420

Patch:

http://git.php.net/?p=php-src.git;a=patch;h=c1224573c773b6845e83505f717fbf820fc18415

Code:

http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415

This patch is for php 5.3 code but works well enough on php 5.2 code.

Verified by hand that it patches the correct code.

From c1224573c773b6845e83505f717fbf820fc18415 Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <[email protected]>

Date: Sun, 8 Dec 2013 11:40:18 -0800

Subject: [PATCH] Fix CVE-2013-6420 - memory corruption in openssl_x509_parse

---

 NEWS                                 |  4 +++-

 ext/openssl/openssl.c                | 18 ++++++++++++++----

 ext/openssl/tests/cve-2013-6420.crt  | 29 +++++++++++++++++++++++++++++

 ext/openssl/tests/cve-2013-6420.phpt | 18 ++++++++++++++++++

 4 files changed, 64 insertions(+), 5 deletions(-)

 create mode 100644 ext/openssl/tests/cve-2013-6420.crt

 create mode 100644 ext/openssl/tests/cve-2013-6420.phpt

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c

index e7672e4..0d2d644 100644

--- a/ext/openssl/openssl.c

+++ b/ext/openssl/openssl.c

@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */

 	char * thestr;

 	long gmadjust = 0;

-	if (timestr->length < 13) {

-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);

+	if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {

+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");

 		return (time_t)-1;

 	}

-	strbuf = estrdup((char *)timestr->data);

+	if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {

+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");

+		return (time_t)-1;

+	}

+

+	if (ASN1_STRING_length(timestr) < 13) {

+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);

+		return (time_t)-1;

+	}

+

+	strbuf = estrdup((char *)ASN1_STRING_data(timestr));

 	memset(&thetime, 0, sizeof(thetime));

 	/* we work backwards so that we can use atoi more easily */

-	thestr = strbuf + timestr->length - 3;

+	thestr = strbuf + ASN1_STRING_length(timestr) - 3;

 	thetime.tm_sec = atoi(thestr);

 	*thestr = '\0';

diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt

new file mode 100644

index 0000000..4543314

--- /dev/null

+++ b/ext/openssl/tests/cve-2013-6420.crt

@@ -0,0 +1,29 @@

+-----BEGIN CERTIFICATE-----

+MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD

+VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH

+S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91

+cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k

+ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY

+ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

+AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO

+b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT

+ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G

+A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz

+dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB

+DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu

+wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh

+0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8

+pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6

+SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX

+1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw

+EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF

+BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD

+8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl

+VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7

+lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319

+o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg

+Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==

+-----END CERTIFICATE-----

+

+

diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt

new file mode 100644

index 0000000..b946cf0

--- /dev/null

+++ b/ext/openssl/tests/cve-2013-6420.phpt

@@ -0,0 +1,18 @@

+--TEST--

+CVE-2013-6420

+--SKIPIF--

+<?php 

+if (!extension_loaded("openssl")) die("skip"); 

+?>

+--FILE--

+<?php

+$crt = substr(__FILE__, 0, -4).'.crt';

+$info = openssl_x509_parse("file://$crt");

+var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);

+?>

+Done

+--EXPECTF--

+%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3

+string(27) "[email protected]"

+int(-1)

+Done

-- 

1.8.4.3