1 From: Stanislav Malyshev <stas@php.net>
2 Date: Sun, 8 Dec 2013 19:40:18 +0000 (-0800)
3 Subject: Fix CVE-2013-6420 - memory corruption in openssl_x509_parse
4 X-Git-Tag: php-5.3.28~1
5 X-Git-Url: http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415
6
7 Fix CVE-2013-6420 - memory corruption in openssl_x509_parse
8 ---
9
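--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
        char * thestr;
        long gmadjust = 0;
 
-       if (timestr->length < 13) {
-               php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+       if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
                return (time_t)-1;
        }
 
-       strbuf = estrdup((char *)timestr->data);
+       if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
+               return (time_t)-1;
+       }
+
+       if (ASN1_STRING_length(timestr) < 13) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);
+               return (time_t)-1;
+       }
+
+       strbuf = estrdup((char *)ASN1_STRING_data(timestr));
 
        memset(&thetime, 0, sizeof(thetime));
 
        /* we work backwards so that we can use atoi more easily */
 
-       thestr = strbuf + timestr->length - 3;
+       thestr = strbuf + ASN1_STRING_length(timestr) - 3;
 
        thetime.tm_sec = atoi(thestr);
        *thestr = '\0';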
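Review bot: The added check `ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))` only holds up if the ASN1_STRING buffer is NUL-terminated, which this hunk does not itself guarantee (OpenSSL's decoder presumably does), and it hands an `unsigned char *` to `strlen()` without a cast. A bounded variant keeps the same rejection of embedded NULs without scanning past the declared length: `if (memchr(ASN1_STRING_data(timestr), '\0', ASN1_STRING_length(timestr)) != NULL)` followed by `strbuf = estrndup((char *)ASN1_STRING_data(timestr), ASN1_STRING_length(timestr));`, so the copy and the later `strbuf + ASN1_STRING_length(timestr) - 3` use one length. The third warning still formats `timestr->data` directly while the rest of the new code goes through the accessors; `ASN1_STRING_data(timestr)` would be consistent. The `V_ASN1_UTCTIME` check also means a GeneralizedTime validity field now yields `(time_t)-1`, which deserves a comment above the check, e.g. `/* only UTCTime is parsed here; GeneralizedTime is rejected */`. The body of asn1_time_to_time_t continues outside the hunk.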
47 diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt
48 new file mode 100644
49 index 0000000..4543314
50 --- /dev/null
51 +++ b/ext/openssl/tests/cve-2013-6420.crt
52 @@ -0,0 +1,29 @@
53 +-----BEGIN CERTIFICATE-----
54 +MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
55 +VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
56 +S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
57 +cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
58 +ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
59 +ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
60 +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
61 +AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO
62 +b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT
63 +ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G
64 +A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz
65 +dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
66 +DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu
67 +wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh
68 +0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8
69 +pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6
70 +SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX
71 +1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw
72 +EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF
73 +BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD
74 +8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl
75 +VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7
76 +lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319
77 +o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg
78 +Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==
79 +-----END CERTIFICATE-----
80 +
81 +
82 diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt
83 new file mode 100644
84 index 0000000..b946cf0
85 --- /dev/null
86 +++ b/ext/openssl/tests/cve-2013-6420.phpt
87 @@ -0,0 +1,18 @@
88 +--TEST--
89 +CVE-2013-6420
90 +--SKIPIF--
91 +<?php 
92 +if (!extension_loaded("openssl")) die("skip"); 
93 +?>
94 +--FILE--
95 +<?php
96 +$crt = substr(__FILE__, 0, -4).'.crt';
97 +$info = openssl_x509_parse("file://$crt");
98 +var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
99 +?>
100 +Done
101 +--EXPECTF--
102 +%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
103 +string(27) "stefan.esser@sektioneins.de"
104 +int(-1)
105 +Done
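Review bot: The `--EXPECTF--` section contains only the `illegal ASN1 data type for timestamp` warning, so this test covers the new type check but not the `illegal length in timestamp` branch or the length-below-13 branch added in openssl.c. A second fixture whose timestamp passes the type check but fails the length comparison would pin that branch, with an expectation line such as `%s openssl_x509_parse(): illegal length in timestamp in %s on line %d`. It would also help to dump `$info["validTo_time_t"]`, so the test records that a well-formed UTCTime in the same certificate is still parsed.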