Bug 10997 - php: handling of certs with null bytes (CVE-2013-4248)
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/564819/
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2...
Keywords: validated_update
: 8538 10847
Reported: 2013-08-14 10:43 CEST by Oden Eriksson
Modified: 2013-08-30 19:31 CEST (History)
Source RPM: php

Description Oden Eriksson 2013-08-14 10:43:06 CEST
A similar flaw as in ruby and python was discovered and fixed for php.

ruby - CVE-2013-4073
python - CVE-2013-4238
php - CVE-2013-????

http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

Upstream fixes:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755

http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897



Comment 1 Oden Eriksson 2013-08-14 10:50:03 CEST
CVE request: http://www.openwall.com/lists/oss-security/2013/08/14/4
Comment 2 Oden Eriksson 2013-08-15 10:11:34 CEST
CVE assignment: http://www.openwall.com/lists/oss-security/2013/08/15/3
Comment 3 Oden Eriksson 2013-08-16 13:03:54 CEST
Fixed with php-5.4.18-1.1.mga3 and php-5.3.27-1.1.mga2

Changelog for php-5.4.18:

http://www.php.net/ChangeLog-5.php#5.4.18

Note. They only mention:

----
Openssl:

    Fixed handling null bytes in subjectAltName (CVE-2013-4073).

----

Using the ruby CVE-2013-4073 identifier, when CVE-2013-4248 got assigned here:

http://www.openwall.com/lists/oss-security/2013/08/15/3
Comment 4 David Walser 2013-08-16 19:07:26 CEST
I guess if PHP 5.5 is affected, it's fixed in 5.5.2 as well?
Comment 5 David Walser 2013-08-16 19:11:46 CEST
I'm guessing we'll need some things rebuilt in mga3, since this is also updating to PHP 5.4.18.

Currently uploaded packages:
php-ini-5.3.27-1.1.mga2
php-cli-5.3.27-1.1.mga2
php-cgi-5.3.27-1.1.mga2
php-fpm-5.3.27-1.1.mga2
apache-mod_php-5.3.27-1.1.mga2
libphp5_common5-5.3.27-1.1.mga2
php-devel-5.3.27-1.1.mga2
php-openssl-5.3.27-1.1.mga2
php-zlib-5.3.27-1.1.mga2
php-bcmath-5.3.27-1.1.mga2
php-bz2-5.3.27-1.1.mga2
php-calendar-5.3.27-1.1.mga2
php-ctype-5.3.27-1.1.mga2
php-curl-5.3.27-1.1.mga2
php-dba-5.3.27-1.1.mga2
php-dom-5.3.27-1.1.mga2
php-enchant-5.3.27-1.1.mga2
php-exif-5.3.27-1.1.mga2
php-fileinfo-5.3.27-1.1.mga2
php-filter-5.3.27-1.1.mga2
php-ftp-5.3.27-1.1.mga2
php-gd-5.3.27-1.1.mga2
php-gettext-5.3.27-1.1.mga2
php-gmp-5.3.27-1.1.mga2
php-hash-5.3.27-1.1.mga2
php-iconv-5.3.27-1.1.mga2
php-imap-5.3.27-1.1.mga2
php-intl-5.3.27-1.1.mga2
php-json-5.3.27-1.1.mga2
php-ldap-5.3.27-1.1.mga2
php-mbstring-5.3.27-1.1.mga2
php-mcrypt-5.3.27-1.1.mga2
php-mssql-5.3.27-1.1.mga2
php-mysql-5.3.27-1.1.mga2
php-mysqli-5.3.27-1.1.mga2
php-mysqlnd-5.3.27-1.1.mga2
php-odbc-5.3.27-1.1.mga2
php-pcntl-5.3.27-1.1.mga2
php-pdo-5.3.27-1.1.mga2
php-pdo_dblib-5.3.27-1.1.mga2
php-pdo_mysql-5.3.27-1.1.mga2
php-pdo_odbc-5.3.27-1.1.mga2
php-pdo_pgsql-5.3.27-1.1.mga2
php-pdo_sqlite-5.3.27-1.1.mga2
php-pgsql-5.3.27-1.1.mga2
php-phar-5.3.27-1.1.mga2
php-posix-5.3.27-1.1.mga2
php-readline-5.3.27-1.1.mga2
php-recode-5.3.27-1.1.mga2
php-session-5.3.27-1.1.mga2
php-shmop-5.3.27-1.1.mga2
php-snmp-5.3.27-1.1.mga2
php-soap-5.3.27-1.1.mga2
php-sockets-5.3.27-1.1.mga2
php-sqlite3-5.3.27-1.1.mga2
php-sqlite-5.3.27-1.1.mga2
php-sybase_ct-5.3.27-1.1.mga2
php-sysvmsg-5.3.27-1.1.mga2
php-sysvsem-5.3.27-1.1.mga2
php-sysvshm-5.3.27-1.1.mga2
php-tidy-5.3.27-1.1.mga2
php-tokenizer-5.3.27-1.1.mga2
php-xml-5.3.27-1.1.mga2
php-xmlreader-5.3.27-1.1.mga2
php-xmlrpc-5.3.27-1.1.mga2
php-xmlwriter-5.3.27-1.1.mga2
php-xsl-5.3.27-1.1.mga2
php-wddx-5.3.27-1.1.mga2
php-zip-5.3.27-1.1.mga2
php-ini-5.4.18-1.1.mga3
apache-mod_php-5.4.18-1.1.mga3
php-cli-5.4.18-1.1.mga3
php-cgi-5.4.18-1.1.mga3
libphp5_common5-5.4.18-1.1.mga3
php-devel-5.4.18-1.1.mga3
php-openssl-5.4.18-1.1.mga3
php-zlib-5.4.18-1.1.mga3
php-doc-5.4.18-1.1.mga3
php-bcmath-5.4.18-1.1.mga3
php-bz2-5.4.18-1.1.mga3
php-calendar-5.4.18-1.1.mga3
php-ctype-5.4.18-1.1.mga3
php-curl-5.4.18-1.1.mga3
php-dba-5.4.18-1.1.mga3
php-dom-5.4.18-1.1.mga3
php-enchant-5.4.18-1.1.mga3
php-exif-5.4.18-1.1.mga3
php-fileinfo-5.4.18-1.1.mga3
php-filter-5.4.18-1.1.mga3
php-ftp-5.4.18-1.1.mga3
php-gd-5.4.18-1.1.mga3
php-gettext-5.4.18-1.1.mga3
php-gmp-5.4.18-1.1.mga3
php-hash-5.4.18-1.1.mga3
php-iconv-5.4.18-1.1.mga3
php-imap-5.4.18-1.1.mga3
php-interbase-5.4.18-1.1.mga3
php-intl-5.4.18-1.1.mga3
php-json-5.4.18-1.1.mga3
php-ldap-5.4.18-1.1.mga3
php-mbstring-5.4.18-1.1.mga3
php-mcrypt-5.4.18-1.1.mga3
php-mssql-5.4.18-1.1.mga3
php-mysql-5.4.18-1.1.mga3
php-mysqli-5.4.18-1.1.mga3
php-mysqlnd-5.4.18-1.1.mga3
php-odbc-5.4.18-1.1.mga3
php-pcntl-5.4.18-1.1.mga3
php-pdo-5.4.18-1.1.mga3
php-pdo_dblib-5.4.18-1.1.mga3
php-pdo_firebird-5.4.18-1.1.mga3
php-pdo_mysql-5.4.18-1.1.mga3
php-pdo_odbc-5.4.18-1.1.mga3
php-pdo_pgsql-5.4.18-1.1.mga3
php-pdo_sqlite-5.4.18-1.1.mga3
php-pgsql-5.4.18-1.1.mga3
php-phar-5.4.18-1.1.mga3
php-posix-5.4.18-1.1.mga3
php-readline-5.4.18-1.1.mga3
php-recode-5.4.18-1.1.mga3
php-session-5.4.18-1.1.mga3
php-shmop-5.4.18-1.1.mga3
php-snmp-5.4.18-1.1.mga3
php-soap-5.4.18-1.1.mga3
php-sockets-5.4.18-1.1.mga3
php-sqlite3-5.4.18-1.1.mga3
php-sybase_ct-5.4.18-1.1.mga3
php-sysvmsg-5.4.18-1.1.mga3
php-sysvsem-5.4.18-1.1.mga3
php-sysvshm-5.4.18-1.1.mga3
php-tidy-5.4.18-1.1.mga3
php-tokenizer-5.4.18-1.1.mga3
php-xml-5.4.18-1.1.mga3
php-xmlreader-5.4.18-1.1.mga3
php-xmlrpc-5.4.18-1.1.mga3
php-xmlwriter-5.4.18-1.1.mga3
php-xsl-5.4.18-1.1.mga3
php-wddx-5.4.18-1.1.mga3
php-zip-5.4.18-1.1.mga3
php-fpm-5.4.18-1.1.mga3

from SRPMS:
php-5.3.27-1.1.mga2.src.rpm
php-5.4.18-1.1.mga3.src.rpm
Comment 7 David Walser 2013-08-23 19:01:34 CEST
Oden has updated these again and rebuilt some stuff.

Currently available packages in updates_testing:
php-ini-5.3.27-1.2.mga2
php-cli-5.3.27-1.2.mga2
php-cgi-5.3.27-1.2.mga2
php-fpm-5.3.27-1.2.mga2
apache-mod_php-5.3.27-1.2.mga2
libphp5_common5-5.3.27-1.2.mga2
php-devel-5.3.27-1.2.mga2
php-openssl-5.3.27-1.2.mga2
php-zlib-5.3.27-1.2.mga2
php-bcmath-5.3.27-1.2.mga2
php-bz2-5.3.27-1.2.mga2
php-calendar-5.3.27-1.2.mga2
php-ctype-5.3.27-1.2.mga2
php-curl-5.3.27-1.2.mga2
php-dba-5.3.27-1.2.mga2
php-dom-5.3.27-1.2.mga2
php-enchant-5.3.27-1.2.mga2
php-exif-5.3.27-1.2.mga2
php-fileinfo-5.3.27-1.2.mga2
php-filter-5.3.27-1.2.mga2
php-ftp-5.3.27-1.2.mga2
php-gd-5.3.27-1.2.mga2
php-gettext-5.3.27-1.2.mga2
php-gmp-5.3.27-1.2.mga2
php-hash-5.3.27-1.2.mga2
php-iconv-5.3.27-1.2.mga2
php-imap-5.3.27-1.2.mga2
php-intl-5.3.27-1.2.mga2
php-json-5.3.27-1.2.mga2
php-ldap-5.3.27-1.2.mga2
php-mbstring-5.3.27-1.2.mga2
php-mcrypt-5.3.27-1.2.mga2
php-mssql-5.3.27-1.2.mga2
php-mysql-5.3.27-1.2.mga2
php-mysqli-5.3.27-1.2.mga2
php-mysqlnd-5.3.27-1.2.mga2
php-odbc-5.3.27-1.2.mga2
php-pcntl-5.3.27-1.2.mga2
php-pdo-5.3.27-1.2.mga2
php-pdo_dblib-5.3.27-1.2.mga2
php-pdo_mysql-5.3.27-1.2.mga2
php-pdo_odbc-5.3.27-1.2.mga2
php-pdo_pgsql-5.3.27-1.2.mga2
php-pdo_sqlite-5.3.27-1.2.mga2
php-pgsql-5.3.27-1.2.mga2
php-phar-5.3.27-1.2.mga2
php-posix-5.3.27-1.2.mga2
php-readline-5.3.27-1.2.mga2
php-recode-5.3.27-1.2.mga2
php-session-5.3.27-1.2.mga2
php-shmop-5.3.27-1.2.mga2
php-snmp-5.3.27-1.2.mga2
php-soap-5.3.27-1.2.mga2
php-sockets-5.3.27-1.2.mga2
php-sqlite3-5.3.27-1.2.mga2
php-sqlite-5.3.27-1.2.mga2
php-sybase_ct-5.3.27-1.2.mga2
php-sysvmsg-5.3.27-1.2.mga2
php-sysvsem-5.3.27-1.2.mga2
php-sysvshm-5.3.27-1.2.mga2
php-tidy-5.3.27-1.2.mga2
php-tokenizer-5.3.27-1.2.mga2
php-xml-5.3.27-1.2.mga2
php-xmlreader-5.3.27-1.2.mga2
php-xmlrpc-5.3.27-1.2.mga2
php-xmlwriter-5.3.27-1.2.mga2
php-xsl-5.3.27-1.2.mga2
php-wddx-5.3.27-1.2.mga2
php-zip-5.3.27-1.2.mga2
php-ini-5.4.19-1.1.mga3
apache-mod_php-5.4.19-1.1.mga3
php-cli-5.4.19-1.1.mga3
php-cgi-5.4.19-1.1.mga3
libphp5_common5-5.4.19-1.1.mga3
php-devel-5.4.19-1.1.mga3
php-openssl-5.4.19-1.1.mga3
php-zlib-5.4.19-1.1.mga3
php-doc-5.4.19-1.1.mga3
php-bcmath-5.4.19-1.1.mga3
php-bz2-5.4.19-1.1.mga3
php-calendar-5.4.19-1.1.mga3
php-ctype-5.4.19-1.1.mga3
php-curl-5.4.19-1.1.mga3
php-dba-5.4.19-1.1.mga3
php-dom-5.4.19-1.1.mga3
php-enchant-5.4.19-1.1.mga3
php-exif-5.4.19-1.1.mga3
php-fileinfo-5.4.19-1.1.mga3
php-filter-5.4.19-1.1.mga3
php-ftp-5.4.19-1.1.mga3
php-gd-5.4.19-1.1.mga3
php-gettext-5.4.19-1.1.mga3
php-gmp-5.4.19-1.1.mga3
php-hash-5.4.19-1.1.mga3
php-iconv-5.4.19-1.1.mga3
php-imap-5.4.19-1.1.mga3
php-interbase-5.4.19-1.1.mga3
php-intl-5.4.19-1.1.mga3
php-json-5.4.19-1.1.mga3
php-ldap-5.4.19-1.1.mga3
php-mbstring-5.4.19-1.1.mga3
php-mcrypt-5.4.19-1.1.mga3
php-mssql-5.4.19-1.1.mga3
php-mysql-5.4.19-1.1.mga3
php-mysqli-5.4.19-1.1.mga3
php-mysqlnd-5.4.19-1.1.mga3
php-odbc-5.4.19-1.1.mga3
php-pcntl-5.4.19-1.1.mga3
php-pdo-5.4.19-1.1.mga3
php-pdo_dblib-5.4.19-1.1.mga3
php-pdo_firebird-5.4.19-1.1.mga3
php-pdo_mysql-5.4.19-1.1.mga3
php-pdo_odbc-5.4.19-1.1.mga3
php-pdo_pgsql-5.4.19-1.1.mga3
php-pdo_sqlite-5.4.19-1.1.mga3
php-pgsql-5.4.19-1.1.mga3
php-phar-5.4.19-1.1.mga3
php-posix-5.4.19-1.1.mga3
php-readline-5.4.19-1.1.mga3
php-recode-5.4.19-1.1.mga3
php-session-5.4.19-1.1.mga3
php-shmop-5.4.19-1.1.mga3
php-snmp-5.4.19-1.1.mga3
php-soap-5.4.19-1.1.mga3
php-sockets-5.4.19-1.1.mga3
php-sqlite3-5.4.19-1.1.mga3
php-sybase_ct-5.4.19-1.1.mga3
php-sysvmsg-5.4.19-1.1.mga3
php-sysvsem-5.4.19-1.1.mga3
php-sysvshm-5.4.19-1.1.mga3
php-tidy-5.4.19-1.1.mga3
php-tokenizer-5.4.19-1.1.mga3
php-xml-5.4.19-1.1.mga3
php-xmlreader-5.4.19-1.1.mga3
php-xmlrpc-5.4.19-1.1.mga3
php-xmlwriter-5.4.19-1.1.mga3
php-xsl-5.4.19-1.1.mga3
php-wddx-5.4.19-1.1.mga3
php-zip-5.4.19-1.1.mga3
php-fpm-5.4.19-1.1.mga3
php-apc-3.1.14-7.3.mga3
php-apc-admin-3.1.14-7.3.mga3
php-gd-bundled-5.4.19-1.mga3

from SRPMS:
php-5.3.27-1.2.mga2.src.rpm
php-5.4.19-1.1.mga3.src.rpm
php-apc-3.1.14-7.3.mga3.src.rpm
php-gd-bundled-5.4.19-1.mga3.src.rpm
Comment 8 David Walser 2013-08-25 14:04:05 CEST
Funda has updated PHP to 5.5.3 in Cauldron, which should fix this there.

Are there any more packages that need to be built for the stable updates?

If not, we just need an advisory and can push this to QA.
Comment 9 Oden Eriksson 2013-08-26 12:36:29 CEST
I think only php-apc needs a rebuild in mga3, so I think we're fine.
Comment 10 David Walser 2013-08-26 14:41:45 CEST
Thanks Oden. Note that the CVE reference has been fixed on the upstream ChangeLog.

Assigning to QA.  Advisory below.  Package list in Comment 7.

Advisory:
========================

Updated php packages fix security vulnerability:

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character
in a domain name in the Subject Alternative Name field of an X.509 certificate,
which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority
(CVE-2013-4248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
http://www.php.net/ChangeLog-5.php
Comment 11 David Walser 2013-08-26 18:49:06 CEST
Fedora has issued an advisory for this on August 19:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114648.html
Comment 12 Oden Eriksson 2013-08-27 12:57:47 CEST
Advisory:
========================

Updated php packages fix security vulnerability:

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character
in a domain name in the Subject Alternative Name field of an X.509 certificate,
which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority
(CVE-2013-4248).

Additionally a patch has been applied to fix an UMR (Uninitialized Memory Read) bug in the original fix for CVE-2013-4248.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
http://www.php.net/ChangeLog-5.php
http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b
Comment 14 claire robinson 2013-08-27 18:56:40 CEST
If the package list in comment 7 is current then for mga2 there are usually php-eaccelerator, php-apc, etc rebuilt at the same time. Is it necessary here too?
Comment 15 claire robinson 2013-08-27 18:57:49 CEST
see eg. bug 10760
Comment 16 David Walser 2013-08-27 19:13:50 CEST
(In reply to claire robinson from comment #14)
> If the package list in comment 7 is current then for mga2 there are usually
> php-eaccelerator, php-apc, etc rebuilt at the same time. Is it necessary
> here too?

No, because php hasn't been updated to a new version this time, only patched.
Comment 17 David Walser 2013-08-27 19:15:53 CEST
Adding the MDV advisory to the references.

Advisory:
========================

Updated php packages fix security vulnerability:

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character
in a domain name in the Subject Alternative Name field of an X.509 certificate,
which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority
(CVE-2013-4248).

Additionally a patch has been applied to fix an UMR (Uninitialized Memory Read)
bug in the original fix for CVE-2013-4248.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
http://www.php.net/ChangeLog-5.php
http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:221/
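
The flaw class the advisory describes, as an added C example (not PHP's openssl.c, not the upstream patch, and not part of the original thread): a Subject Alternative Name entry carries an explicit length, so code that reads it as a C string stops at the first '\0' and sees a shorter name. The struct, function names and sample hostnames are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A dNSName entry as a certificate decoder hands it over: bytes plus explicit
 * length. Struct and function names are hypothetical, not PHP's or OpenSSL's. */
struct san_entry { const unsigned char *data; size_t len; };

/* Constructed samples: the first hides 18 bytes behind an embedded NUL. */
static const unsigned char CRAFTED[] = "bank.example\0.untrusted.example";
static const unsigned char CLEAN[] = "bank.example";
static const struct san_entry SAMPLE_SAN = { CRAFTED, sizeof(CRAFTED) - 1 };
static const struct san_entry CLEAN_SAN = { CLEAN, sizeof(CLEAN) - 1 };

/* Flawed pattern: the length is ignored and the bytes are read as a C string,
 * so the comparison ends at the first NUL. */
static int san_matches_cstring(const struct san_entry *san, const char *host)
{
    return strcasecmp((const char *)san->data, host) == 0;
}

/* Number of bytes a C-string reader sees, to compare against san->len. */
static size_t san_visible_len(const struct san_entry *san)
{
    const unsigned char *nul = memchr(san->data, '\0', san->len);
    return nul ? (size_t)(nul - san->data) : san->len;
}

/* Length-aware check: reject any entry whose visible length differs from its
 * declared length, then require an exact-length, case-insensitive match. */
static int san_matches_checked(const struct san_entry *san, const char *host)
{
    size_t host_len = strlen(host);

    if (san->len == 0 || san_visible_len(san) != san->len)
        return 0;
    if (san->len != host_len)
        return 0;
    return strncasecmp((const char *)san->data, host, host_len) == 0;
}

int main(void)
{
    printf("declared=%zu visible=%zu\n", SAMPLE_SAN.len, san_visible_len(&SAMPLE_SAN));
    printf("cstring=%d checked=%d clean=%d\n", san_matches_cstring(&SAMPLE_SAN, "bank.example"),
           san_matches_checked(&SAMPLE_SAN, "bank.example"), san_matches_checked(&CLEAN_SAN, "bank.example"));
    return 0;
}
```

A mismatch between the declared and visible length is also a useful thing to log when auditing certificates, since a legitimate DNS name never contains a NUL byte.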
Comment 18 claire robinson 2013-08-28 12:50:24 CEST
Testing complete mga2 64

The php-gd/php-gd-bundled problem in bug 10847 confirmed fixed, they now conflict.

Tested with phpmyadmin, logged in to php-eaccelerator and watched the cache. Checked for errors in php -i. All modules show as loaded.
Comment 19 claire robinson 2013-08-28 14:49:39 CEST
Testing complete mga2 32

bug 10847 ok. Checked with phpmyadmin, php-apc and php -i
Comment 20 claire robinson 2013-08-29 11:29:12 CEST
Testing complete mga3 64
Comment 21 claire robinson 2013-08-29 17:06:45 CEST
Testing complete mga3 32
Comment 22 claire robinson 2013-08-29 17:16:16 CEST
Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates

Thanks!
Comment 23 Thomas Backlund 2013-08-30 19:31:29 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0264.html
