Commit | Line | Data |
---|---|---|
1 | From: Stanislav Malyshev <stas@php.net> | |
2 | Date: Sun, 8 Dec 2013 19:40:18 +0000 (-0800) | |
3 | Subject: Fix CVE-2013-6420 - memory corruption in openssl_x509_parse | |
4 | X-Git-Tag: php-5.3.28~1 | |
5 | X-Git-Url: http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415 | |
6 | ||
7 | Fix CVE-2013-6420 - memory corruption in openssl_x509_parse | |
8 | --- | |
9 | ||
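--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
 char * thestr;
 long gmadjust = 0;
 
- if (timestr->length < 13) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+ if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
 return (time_t)-1;
 }
 
- strbuf = estrdup((char *)timestr->data);
+ if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
+ return (time_t)-1;
+ }
+
+ if (ASN1_STRING_length(timestr) < 13) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);
+ return (time_t)-1;
+ }
+
+ strbuf = estrdup((char *)ASN1_STRING_data(timestr));
 
 memset(&thetime, 0, sizeof(thetime));
 
 /* we work backwards so that we can use atoi more easily */
 
- thestr = strbuf + timestr->length - 3;
+ thestr = strbuf + ASN1_STRING_length(timestr) - 3;
 
 thetime.tm_sec = atoi(thestr);
 *thestr = '\0';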
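Review bot: The new guards confirm only that the value is tagged UTCTime, that its declared length equals its C-string length, and that it is at least 13 bytes; nothing checks that the bytes are digits in `YYMMDDhhmmssZ` form before the backward `atoi` parse that begins at `thestr = strbuf + ASN1_STRING_length(timestr) - 3`. That parse continues outside the hunk, so its bounds cannot be confirmed here, but a malformed string would presumably still yield an arbitrary `time_t` instead of -1; adding `if (!ASN1_UTCTIME_check(timestr)) { ... return (time_t)-1; }` after the type check would reject it. The length guard also hands an `unsigned char *` to `strlen` and compares `int` with `size_t`; `(size_t)ASN1_STRING_length(timestr) != strlen((const char *)ASN1_STRING_data(timestr))` states the intent without relying on implicit conversion. Because only `V_ASN1_UTCTIME` is accepted, GeneralizedTime validity dates now return -1 with a warning, which deserves a comment above the type check.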
47 | diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt | |
48 | new file mode 100644 | |
49 | index 0000000..4543314 | |
50 | --- /dev/null | |
51 | +++ b/ext/openssl/tests/cve-2013-6420.crt | |
52 | @@ -0,0 +1,29 @@ | |
53 | +-----BEGIN CERTIFICATE----- | |
54 | +MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD | |
55 | +VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH | |
56 | +S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91 | |
57 | +cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k | |
58 | +ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY | |
59 | +ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
60 | +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA | |
61 | +AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO | |
62 | +b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT | |
63 | +ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G | |
64 | +A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz | |
65 | +dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB | |
66 | +DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu | |
67 | +wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh | |
68 | +0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8 | |
69 | +pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6 | |
70 | +SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX | |
71 | +1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw | |
72 | +EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF | |
73 | +BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD | |
74 | +8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl | |
75 | +VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7 | |
76 | +lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319 | |
77 | +o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg | |
78 | +Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg== | |
79 | +-----END CERTIFICATE----- | |
80 | + | |
81 | + | |
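--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.phpt
@@ -0,0 +1,18 @@
+--TEST--
+CVE-2013-6420
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip");
+?>
+--FILE--
+<?php
+$crt = substr(__FILE__, 0, -4).'.crt';
+$info = openssl_x509_parse("file://$crt");
+var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
+?>
+Done
+--EXPECTF--
+%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
+string(27) "stefan.esser@sektioneins.de"
+int(-1)
+Done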
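Review bot: The expected output covers only the `illegal ASN1 data type for timestamp` warning, so the two other guards this commit adds to `asn1_time_to_time_t` (`illegal length in timestamp` and the `< 13` length check) are never exercised by this test. A second fixture whose timestamp is tagged UTCTime but fails the length comparison would pin the branch that directly precedes the `estrdup` copy, so a later refactor cannot drop it unnoticed.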