Bug 493982 (CVE-2013-6420) - <dev-lang/php-{5.3.28,5.4.23,5.5.7}: PHP OpenSSL Extension X.509 Certificate Parsing Memory Corruption Vulnerability (CVE-2013-6420)
Summary: <dev-lang/php-{5.3.28,5.4.23,5.5.7}: PHP OpenSSL Extension X.509 Certificate ...
Status: RESOLVED FIXED
Alias: CVE-2013-6420
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: A3 [glsa]
Reported: 2013-12-11 23:08 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-08-31 11:26 UTC

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2013-12-11 23:08:00 UTC
A vulnerability has been reported in PHP, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the "asn1_time_to_time_t()" function (ext/openssl/openssl.c) when parsing X.509 certificates and can be exploited to corrupt memory via a specially crafted X.509 certificate.

The vulnerability is reported in versions 5.3.27 and prior, 5.4.22 and prior, and 5.5.6 and prior. Other versions may also be affected.

Solution 	

Fixed in the source code repository.
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415

See also 
http://www.securelist.com/en/advisories/56055


Reproducible: Always
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2013-12-13 16:21:37 UTC
The issue is fixed in PHP 5.3.28, 5.4.23, 5.5.7; cf. http://php.net/archive/2013.php#id2013-12-12-3
Comment 2 Mike Limansky 2013-12-14 10:48:33 UTC
Also CVE-2013-4073 is fixed in version 4.3.28. http://www.php.net/archive/2013.php
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 01:38:48 UTC
CVE-2013-6420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6420):
  The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before
  5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse
  (1) notBefore and (2) notAfter timestamps in X.509 certificates, which
  allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via a crafted certificate that is not properly
  handled by the openssl_x509_parse function.
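
Added example, not PHP's patch and not code from this bug: a strict well-formedness check for the notBefore/notAfter values named in the CVE text, working on raw bytes plus an explicit length. The function names are hypothetical, and the accepted formats (13-byte UTCTime, 15-byte GeneralizedTime, both ending in Z) are taken from RFC 5280, not from this page.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: value of two ASCII digits at p, or -1 if not digits. */
static int two_digits(const unsigned char *p) {
    if (!isdigit(p[0]) || !isdigit(p[1])) return -1;
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/*
 * Hypothetical validator for a certificate time value given as raw bytes
 * and an explicit length (never treated as a NUL-terminated C string).
 * Returns 1 only for UTCTime "YYMMDDHHMMSSZ" (generalized == 0) or
 * GeneralizedTime "YYYYMMDDHHMMSSZ" (generalized != 0); otherwise 0.
 * Assumption: formats per RFC 5280; day-of-month is range-checked only.
 */
int cert_time_is_wellformed(const unsigned char *data, size_t len, int generalized) {
    static const int lo[5] = {1, 1, 0, 0, 0};       /* month day hour min sec */
    static const int hi[5] = {12, 31, 23, 59, 59};
    size_t want = generalized ? 15 : 13;
    size_t off = generalized ? 4 : 2;               /* offset of the month field */
    size_t i;

    if (data == NULL || len != want) return 0;      /* exact length before any indexing */
    if (data[len - 1] != 'Z') return 0;
    for (i = 0; i < off; i++)                       /* year digits */
        if (!isdigit(data[i])) return 0;
    for (i = 0; i < 5; i++) {
        int v = two_digits(data + off + 2 * i);
        if (v < lo[i] || v > hi[i]) return 0;       /* -1 (non-digit) fails here too */
    }
    return 1;
}

int main(void) {
    /* Constructed sample values, not taken from any real certificate. */
    static const unsigned char good[]  = "131211230800Z";
    static const unsigned char shrt[]  = "1312112308Z";    /* seconds missing */
    static const unsigned char junk[]  = "13121123080xZ";  /* non-digit byte */
    printf("good=%d short=%d junk=%d\n",
           cert_time_is_wellformed(good, sizeof good - 1, 0),
           cert_time_is_wellformed(shrt, sizeof shrt - 1, 0),
           cert_time_is_wellformed(junk, sizeof junk - 1, 0));
    return 0;
}
```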
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2013-12-27 14:22:35 UTC
Are we ready for stabilization on affected versions? If so, please advise what versions to stabilize.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-01-07 05:34:46 UTC
We have Bug # 492784 going through stabilization now. Based on the text of this bug the patches/fixes are applied to the versions being stabilized as part of that bug:

dev-lang/php-5.3.28
dev-lang/php-5.4.23
dev-lang/php-5.5.7

Setting this bug to depend on 492784 (please advise if I am incorrect).
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-01-07 05:42:24 UTC
(In reply to Mike Limansky from comment #2)
> Also CVE-2013-4073 is fixed in version 4.3.28.
> http://www.php.net/archive/2013.php

Note: should be 5.3.28. Correction only.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-01-20 13:49:31 UTC
Maintainer(s), please drop the vulnerable version(s).

Adding to existing GLSA.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:26:55 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).