| Field | Value | Field | Value |
|---|---|---|---|
| Summary | `<dev-lang/php-{5.3.28,5.4.23,5.5.7}`: PHP OpenSSL Extension X.509 Certificate Parsing Memory Corruption Vulnerability (CVE-2013-6420) | | |
| Product | Gentoo Security | Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | bugs, himbeere, php-bugs |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420 | | |
| Whiteboard | A3 [glsa] | | |
| Package list | | Runtime testing required | --- |
Description
Kristian Fiskerstrand (RETIRED)
2013-12-11 23:08:00 UTC
The issue is fixed in PHP 5.3.28, 5.4.23, 5.5.7, cf. http://php.net/archive/2013.php#id2013-12-12-3

Also CVE-2013-4073 is fixed in version 4.3.28.
http://www.php.net/archive/2013.php

CVE-2013-6420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6420): The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.

Are we ready for stabilization on affected versions? If so please advise what versions to stabilize.

We have Bug # 492784 going through stabilization now. Based on the text of this bug the patches/fixes are applied to the versions being stabilized as part of that bug:

dev-lang/php-5.3.28
dev-lang/php-5.4.23
dev-lang/php-5.5.7

Setting this bug to depend on the 492784 (please advise if I am incorrect).

(In reply to Mike Limansky from comment #2)
> Also CVE-2013-4073 is fixed in version 4.3.28.
> http://www.php.net/archive/2013.php

Note should be 5.3.28 - Correction only.

Maintainer(s), please drop the vulnerable version(s).

Adding to existing GLSA.

This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
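As an added example (not part of the bug report or of Gentoo's tooling), the following script turns the fixed-version boundaries stated in the CVE text (before 5.3.28, 5.4.x before 5.4.23, 5.5.x before 5.5.7) into a check an administrator can run against reported PHP_VERSION strings from an inventory; the host list is a constructed sample, and the treatment of later branches (5.6 and up) as outside the advisory is an assumption drawn from the advisory's wording.

```python
import re

# Fixed versions named in the advisory for CVE-2013-6420, keyed by branch.
FIXED_VERSIONS = {
    (5, 3): (5, 3, 28),
    (5, 4): (5, 4, 23),
    (5, 5): (5, 5, 7),
}
# "PHP before 5.3.28" also covers every release older than the 5.3 branch.
OLDEST_FIXED = (5, 3, 28)


def parse_php_version(version):
    """Reduce a PHP_VERSION string such as '5.4.22' or '5.5.7-1ubuntu1'
    to an (major, minor, patch) integer tuple; distro suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised PHP version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if this PHP release still ships the vulnerable asn1_time_to_time_t
    (i.e. it is older than the fixed release of its own branch)."""
    v = parse_php_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # Assumption: branches newer than 5.5 are not covered by the advisory,
    # while anything older than 5.3.28 is caught by "PHP before 5.3.28".
    return v < OLDEST_FIXED


def vulnerable_hosts(inventory):
    """Return the sorted host names whose reported PHP version is affected."""
    return sorted(h for h, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: hostname -> PHP_VERSION as reported by the host.
SAMPLE_INVENTORY = {
    "web1": "5.3.27",
    "web2": "5.4.23",
    "web3": "5.5.6-1ubuntu1",
    "web4": "5.2.17",
    "web5": "5.6.0",
}

if __name__ == "__main__":
    print("Hosts still vulnerable to CVE-2013-6420:", vulnerable_hosts(SAMPLE_INVENTORY))
```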