1 Fix for CVE-2013-6420 |
|
2 Patch: |
|
3 http://git.php.net/?p=php-src.git;a=patch;h=c1224573c773b6845e83505f717fbf820fc18415 |
|
4 Code: |
|
5 http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415 |
|
6 This patch is for php 5.3 code but works well enough on php 5.2 code. |
|
7 Verified by hand that it patches the correct code. |
|
8 |
|
9 |
|
10 |
|
11 From c1224573c773b6845e83505f717fbf820fc18415 Mon Sep 17 00:00:00 2001 |
|
12 From: Stanislav Malyshev <[email protected]> |
|
13 Date: Sun, 8 Dec 2013 11:40:18 -0800 |
|
14 Subject: [PATCH] Fix CVE-2013-6420 - memory corruption in openssl_x509_parse |
|
15 |
|
16 --- |
|
17 NEWS | 4 +++- |
|
18 ext/openssl/openssl.c | 18 ++++++++++++++---- |
|
19 ext/openssl/tests/cve-2013-6420.crt | 29 +++++++++++++++++++++++++++++ |
|
20 ext/openssl/tests/cve-2013-6420.phpt | 18 ++++++++++++++++++ |
|
21 4 files changed, 64 insertions(+), 5 deletions(-) |
|
22 create mode 100644 ext/openssl/tests/cve-2013-6420.crt |
|
23 create mode 100644 ext/openssl/tests/cve-2013-6420.phpt |
|
24 |
|
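diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index e7672e4..0d2d644 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
 char * thestr;
 long gmadjust = 0;
 
- if (timestr->length < 13) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+ if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
 return (time_t)-1;
 }
 
- strbuf = estrdup((char *)timestr->data);
+ if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
+ return (time_t)-1;
+ }
+
+ if (ASN1_STRING_length(timestr) < 13) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);
+ return (time_t)-1;
+ }
+
+ strbuf = estrdup((char *)ASN1_STRING_data(timestr));
 
 memset(&thetime, 0, sizeof(thetime));
 
 /* we work backwards so that we can use atoi more easily */
 
- thestr = strbuf + timestr->length - 3;
+ thestr = strbuf + ASN1_STRING_length(timestr) - 3;
 
 thetime.tm_sec = atoi(thestr);
 *thestr = '\0';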
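Review bot: The embedded-NUL check `ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))` compares an `int` with a `size_t` and passes an `unsigned char *` to `strlen`; making the conversions explicit, `if (ASN1_STRING_length(timestr) != (int)strlen((const char *)ASN1_STRING_data(timestr))) {`, avoids signedness warnings and matches the cast already used in the `estrdup` call. The `< 13` test that follows is only a lower bound, so a longer string that passes the first two checks is still parsed backwards from its end by the `atoi` code and presumably yields a wrong timestamp rather than an error; a comment above it such as `/* UTCTime is YYMMDDHHMMSSZ: 13 bytes minimum, longer forms are not validated here */` would document that. That same warning still reads `timestr->data` directly while the rest of the new code goes through `ASN1_STRING_data()`. The body of asn1_time_to_time_t starts before and continues after this hunk.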
|
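diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt
new file mode 100644
index 0000000..4543314
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
+VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
+S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
+cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
+ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
+ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO
+b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT
+ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G
+A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz
+dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu
+wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh
+0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8
+pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6
+SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX
+1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw
+EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF
+BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD
+8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl
+VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7
+lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319
+o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg
+Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==
+-----END CERTIFICATE-----
+
+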
|
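diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt
new file mode 100644
index 0000000..b946cf0
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.phpt
@@ -0,0 +1,18 @@
+--TEST--
+CVE-2013-6420
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+?>
+--FILE--
+<?php
+$crt = substr(__FILE__, 0, -4).'.crt';
+$info = openssl_x509_parse("file://$crt");
+var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
+?>
+Done
+--EXPECTF--
+%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
+string(27) "[email protected]"
+int(-1)
+Done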
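Review bot: The --EXPECTF-- section pins only the `illegal ASN1 data type for timestamp` warning, so the `illegal length in timestamp` and short-length branches added in ext/openssl/openssl.c are not exercised by this test. A companion case whose expected output contains the `illegal length in timestamp` line would cover the length-consistency check as well. The --FILE-- section would also benefit from a one-line comment such as `// fixture: validFrom is presumably encoded with a non-UTCTime ASN.1 type`, since the certificate is opaque base64 and the test title is only the CVE number.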
|
121 -- |
|
122 1.8.4.3 |
|
123 |
|
124 |
|