Commit: c1224573c773b6845e83505f717fbf820fc18415 Author: Stanislav Malyshev <s...@php.net> Sun, 8 Dec 2013 11:40:18 -0800 Parents: 32873cd0ddea7df8062213bb025beb6fb070e59d Branches: PHP-5.3 PHP-5.4 PHP-5.5 PHP-5.6 master PHP-5.3.28
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415 Log: Fix CVE-2013-6420 - memory corruption in openssl_x509_parse Changed paths: M NEWS M ext/openssl/openssl.c A ext/openssl/tests/cve-2013-6420.crt A ext/openssl/tests/cve-2013-6420.phpt Diff: diff --git a/NEWS b/NEWS index 70461d9..8abf65e 100644 --- a/NEWS +++ b/NEWS @@ -1,10 +1,12 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2013, PHP 5.3.28 +12 Dec 2013, PHP 5.3.28 - Openssl: . Fixed handling null bytes in subjectAltName (CVE-2013-4073). (Christian Heimes) + . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). + (Stefan Esser). 11 Jul 2013, PHP 5.3.27 diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index e7672e4..0d2d644 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */ char * thestr; long gmadjust = 0; - if (timestr->length < 13) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data); + if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp"); return (time_t)-1; } - strbuf = estrdup((char *)timestr->data); + if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp"); + return (time_t)-1; + } + + if (ASN1_STRING_length(timestr) < 13) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data); + return (time_t)-1; + } + + strbuf = estrdup((char *)ASN1_STRING_data(timestr)); memset(&thetime, 0, sizeof(thetime)); /* we work backwards so that we can use atoi more easily */ - thestr = strbuf + timestr->length - 3; + thestr = strbuf + ASN1_STRING_length(timestr) - 3; thetime.tm_sec = atoi(thestr); *thestr = '\0'; diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt new file mode 100644 index 0000000..4543314 --- /dev/null +++ b/ext/openssl/tests/cve-2013-6420.crt @@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD +VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH +S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91 +cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k +ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY +ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO +b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT +ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G +A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz +dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu +wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh +0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8 +pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6 +SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX +1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw +EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF +BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD +8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl +VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7 +lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319 +o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg +Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg== +-----END CERTIFICATE----- + + diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt new file mode 100644 index 0000000..b946cf0 --- /dev/null +++ b/ext/openssl/tests/cve-2013-6420.phpt @@ -0,0 +1,18 @@ +--TEST-- +CVE-2013-6420 +--SKIPIF-- +<?php +if (!extension_loaded("openssl")) die("skip"); +?> +--FILE-- +<?php +$crt = substr(__FILE__, 0, -4).'.crt'; +$info = openssl_x509_parse("file://$crt"); +var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]); +?> +Done +--EXPECTF-- +%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3 +string(27) "stefan.es...@sektioneins.de" +int(-1) +Done -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php