components/php-5_2/php-sapi/patches/40_php_18083695.patch
branchs11u1-sru
changeset 3086 649b12aa87ce
equal deleted inserted replaced
3083:6826bd655a25 3086:649b12aa87ce
       
     1 Fix for CVE-2013-6420
       
     2 Patch:
       
     3 http://git.php.net/?p=php-src.git;a=patch;h=c1224573c773b6845e83505f717fbf820fc18415
       
     4 Code:
       
     5 http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415
       
     6 This patch is for php 5.3 code but works well enough on php 5.2 code.
       
     7 Verified by hand that it patches the correct code.
       
     8 
       
     9 
       
    10 
       
    11 From c1224573c773b6845e83505f717fbf820fc18415 Mon Sep 17 00:00:00 2001
       
    12 From: Stanislav Malyshev <[email protected]>
       
    13 Date: Sun, 8 Dec 2013 11:40:18 -0800
       
    14 Subject: [PATCH] Fix CVE-2013-6420 - memory corruption in openssl_x509_parse
       
    15 
       
    16 ---
       
    17  NEWS                                 |  4 +++-
       
    18  ext/openssl/openssl.c                | 18 ++++++++++++++----
       
    19  ext/openssl/tests/cve-2013-6420.crt  | 29 +++++++++++++++++++++++++++++
       
    20  ext/openssl/tests/cve-2013-6420.phpt | 18 ++++++++++++++++++
       
    21  4 files changed, 64 insertions(+), 5 deletions(-)
       
    22  create mode 100644 ext/openssl/tests/cve-2013-6420.crt
       
    23  create mode 100644 ext/openssl/tests/cve-2013-6420.phpt
       
    24 
       
    25 diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
       
    26 index e7672e4..0d2d644 100644
       
    27 --- a/ext/openssl/openssl.c
       
    28 +++ b/ext/openssl/openssl.c
       
    29 @@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
       
    30  	char * thestr;
       
    31  	long gmadjust = 0;
       
    32  
       
    33 -	if (timestr->length < 13) {
       
    34 -		php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
       
    35 +	if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
       
    36 +		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
       
    37  		return (time_t)-1;
       
    38  	}
       
    39  
       
    40 -	strbuf = estrdup((char *)timestr->data);
       
    41 +	if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
       
    42 +		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
       
    43 +		return (time_t)-1;
       
    44 +	}
       
    45 +
       
    46 +	if (ASN1_STRING_length(timestr) < 13) {
       
    47 +		php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);
       
    48 +		return (time_t)-1;
       
    49 +	}
       
    50 +
       
    51 +	strbuf = estrdup((char *)ASN1_STRING_data(timestr));
       
    52  
       
    53  	memset(&thetime, 0, sizeof(thetime));
       
    54  
       
    55  	/* we work backwards so that we can use atoi more easily */
       
    56  
       
    57 -	thestr = strbuf + timestr->length - 3;
       
    58 +	thestr = strbuf + ASN1_STRING_length(timestr) - 3;
       
    59  
       
    60  	thetime.tm_sec = atoi(thestr);
       
    61  	*thestr = '\0';
       
    62 diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt
       
    63 new file mode 100644
       
    64 index 0000000..4543314
       
    65 --- /dev/null
       
    66 +++ b/ext/openssl/tests/cve-2013-6420.crt
       
    67 @@ -0,0 +1,29 @@
       
    68 +-----BEGIN CERTIFICATE-----
       
    69 +MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
       
    70 +VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
       
    71 +S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
       
    72 +cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
       
    73 +ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
       
    74 +ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       
    75 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
       
    76 +AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO
       
    77 +b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT
       
    78 +ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G
       
    79 +A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz
       
    80 +dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
       
    81 +DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu
       
    82 +wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh
       
    83 +0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8
       
    84 +pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6
       
    85 +SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX
       
    86 +1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw
       
    87 +EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF
       
    88 +BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD
       
    89 +8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl
       
    90 +VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7
       
    91 +lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319
       
    92 +o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg
       
    93 +Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==
       
    94 +-----END CERTIFICATE-----
       
    95 +
       
    96 +
       
    97 diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt
       
    98 new file mode 100644
       
    99 index 0000000..b946cf0
       
   100 --- /dev/null
       
   101 +++ b/ext/openssl/tests/cve-2013-6420.phpt
       
   102 @@ -0,0 +1,18 @@
       
   103 +--TEST--
       
   104 +CVE-2013-6420
       
   105 +--SKIPIF--
       
   106 +<?php 
       
   107 +if (!extension_loaded("openssl")) die("skip"); 
       
   108 +?>
       
   109 +--FILE--
       
   110 +<?php
       
   111 +$crt = substr(__FILE__, 0, -4).'.crt';
       
   112 +$info = openssl_x509_parse("file://$crt");
       
   113 +var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
       
   114 +?>
       
   115 +Done
       
   116 +--EXPECTF--
       
   117 +%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
       
   118 +string(27) "[email protected]"
       
   119 +int(-1)
       
   120 +Done
       
   121 -- 
       
   122 1.8.4.3
       
   123 
       
   124