17362112 problem in UTILITY/PHP
18083695 problem in UTILITY/PHP
18368537 problem in UTILITY/PHP
18368630 problem in UTILITY/PHP
Fix for CVE-2013-6420
Patch:
http://git.php.net/?p=php-src.git;a=patch;h=c1224573c773b6845e83505f717fbf820fc18415
Code:
http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415
This patch is for php 5.3 code but works well enough on php 5.2 code.
Verified by hand that it patches the correct code.
From c1224573c773b6845e83505f717fbf820fc18415 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <[email protected]>
Date: Sun, 8 Dec 2013 11:40:18 -0800
Subject: [PATCH] Fix CVE-2013-6420 - memory corruption in openssl_x509_parse
---
NEWS | 4 +++-
ext/openssl/openssl.c | 18 ++++++++++++++----
ext/openssl/tests/cve-2013-6420.crt | 29 +++++++++++++++++++++++++++++
ext/openssl/tests/cve-2013-6420.phpt | 18 ++++++++++++++++++
4 files changed, 64 insertions(+), 5 deletions(-)
create mode 100644 ext/openssl/tests/cve-2013-6420.crt
create mode 100644 ext/openssl/tests/cve-2013-6420.phpt
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index e7672e4..0d2d644 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
char * thestr;
long gmadjust = 0;
- if (timestr->length < 13) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+ if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
return (time_t)-1;
}
- strbuf = estrdup((char *)timestr->data);
+ if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
+ return (time_t)-1;
+ }
+
+ if (ASN1_STRING_length(timestr) < 13) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);
+ return (time_t)-1;
+ }
+
+ strbuf = estrdup((char *)ASN1_STRING_data(timestr));
memset(&thetime, 0, sizeof(thetime));
/* we work backwards so that we can use atoi more easily */
- thestr = strbuf + timestr->length - 3;
+ thestr = strbuf + ASN1_STRING_length(timestr) - 3;
thetime.tm_sec = atoi(thestr);
*thestr = '\0';
diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt
new file mode 100644
index 0000000..4543314
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
+VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
+S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
+cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
+ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
+ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO
+b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT
+ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G
+A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz
+dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu
+wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh
+0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8
+pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6
+SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX
+1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw
+EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF
+BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD
+8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl
+VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7
+lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319
+o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg
+Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==
+-----END CERTIFICATE-----
+
+
diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt
new file mode 100644
index 0000000..b946cf0
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.phpt
@@ -0,0 +1,18 @@
+--TEST--
+CVE-2013-6420
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+?>
+--FILE--
+<?php
+$crt = substr(__FILE__, 0, -4).'.crt';
+$info = openssl_x509_parse("file://$crt");
+var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
+?>
+Done
+--EXPECTF--
+%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
+string(27) "[email protected]"
+int(-1)
+Done
--
1.8.4.3