Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 493982 (CVE-2013-6420) - <dev-lang/php-{5.3.28,5.4.23,5.5.7}: PHP OpenSSL Extension X.509 Certificate Parsing Memory Corruption Vulnerability (CVE-2013-6420)
Summary: <dev-lang/php-{5.3.28,5.4.23,5.5.7}: PHP OpenSSL Extension X.509 Certificate ...
Status: RESOLVED FIXED
Alias: CVE-2013-6420
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-11 23:08 UTC by Kristian Fiskerstrand
Modified: 2014-08-31 11:26 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2013-12-11 23:08:00 UTC
A vulnerability has been reported in PHP, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the "asn1_time_to_time_t()" function (ext/openssl/openssl.c) when parsing X.509 certificates and can be exploited to corrupt memory via a specially crafted X.509 certificate.

The vulnerability is reported in versions 5.3.27 and prior, 5.4.22 and prior, and 5.5.6 and prior. Other versions may also be affected.

Solution 	

Fixed in the source code repository.
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415

See also 
http://www.securelist.com/en/advisories/56055


Reproducible: Always
Comment 1 Kristian Fiskerstrand gentoo-dev Security 2013-12-13 16:21:37 UTC
The issue is fixed in PHP 5.3.28, 5.4.23, 5.5.7 c.f. http://php.net/archive/2013.php#id2013-12-12-3
Comment 2 Mike Limansky 2013-12-14 10:48:33 UTC
Also CVE-2013-4073 is fixed in version 4.3.28. http://www.php.net/archive/2013.php
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 01:38:48 UTC
CVE-2013-6420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6420):
  The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before
  5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse
  (1) notBefore and (2) notAfter timestamps in X.509 certificates, which
  allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via a crafted certificate that is not properly
  handled by the openssl_x509_parse function.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-27 14:22:35 UTC
Are we ready for stabilization on affected versions? If so please advise what versions to stabilize.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2014-01-07 05:34:46 UTC
We have Bug # 492784 going through stabilization now. Based on the text of this bug the patches/fixes are applied to the versions being stabilized as part of that bug:

dev-lang/php-5.3.28
dev-lang/php-5.4.23
dev-lang/php-5.5.7

Setting this bug to depend on the 492784 (please advise if I am incorrect).
Comment 6 Yury German Gentoo Infrastructure gentoo-dev Security 2014-01-07 05:42:24 UTC
(In reply to Mike Limansky from comment #2)
> Also CVE-2013-4073 is fixed in version 4.3.28.
> http://www.php.net/archive/2013.php

Note should be 5.3.28 - Correction only.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev Security 2014-01-20 13:49:31 UTC
Maintainer(s), please drop the vulnerable version(s).

Adding to existing GLSA.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:26:55 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).