Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 453168 (CVE-2012-6113)

Summary: <dev-lang/php-5.3.15: openssl_encrypt memory disclosure (CVE-2012-6113)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: php-bugs
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/01/18/5
Whiteboard: A4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-01-20 13:29:09 UTC 
From $URL :

PHP 5.3.9 to 5.3.13 disclose arbitrary memory when an empty $data string
is passed to openssl_encrypt.

It was introduced with the following commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb

and was fixed in 5.3.14 with the following:
http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e

Bugs:

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793
https://bugs.php.net/bug.php?id=61413
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-01-25 15:22:52 UTC 
CVE-2012-6113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6113):
  The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through
  5.3.13 does not initialize a certain variable, which allows remote attackers
  to obtain sensitive information from process memory by providing zero bytes
  of input data.
Comment 2 Matthew Schultz 2013-01-25 17:12:08 UTC 
These versions of php are no longer in the main tree.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-26 00:56:29 UTC 
Closing noglsa. Users have already been advised to update in GLSA 201209-03.