Bug 10997 - php: handling of certs with null bytes (CVE-2013-4248)
Summary: php: handling of certs with null bytes (CVE-2013-4248)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/564819/
Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2...
Keywords: validated_update
Depends on:
Blocks: 8538 10847
Reported: 2013-08-14 10:43 CEST by Oden Eriksson
Modified: 2013-08-30 19:31 CEST

See Also:
Source RPM: php

Description Oden Eriksson 2013-08-14 10:43:06 CEST
A similar flaw as in ruby and python was discovered and fixed for php.

ruby - CVE-2013-4073
python - CVE-2013-4238
php - CVE-2013-????

http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/

Upstream fixes:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755

http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897


Comment 1 Oden Eriksson 2013-08-14 10:50:03 CEST
CVE request: http://www.openwall.com/lists/oss-security/2013/08/14/4
David Walser 2013-08-14 13:25:18 CEST

Version: 2 => Cauldron
Whiteboard: (none) => MGA3TOO, MGA2TOO

Comment 2 Oden Eriksson 2013-08-15 10:11:34 CEST
CVE assignment: http://www.openwall.com/lists/oss-security/2013/08/15/3

Summary: php: Fix CVE-2013-4073 - handling of certs with null bytes => php: Fix CVE-2013-4248 - handling of certs with null bytes

Comment 3 Oden Eriksson 2013-08-16 13:03:54 CEST
Fixed with php-5.4.18-1.1.mga3 and php-5.3.27-1.1.mga2

Changelog for php-5.4.18:

http://www.php.net/ChangeLog-5.php#5.4.18

Note. They only mention:

----
Openssl:

    Fixed handling null bytes in subjectAltName (CVE-2013-4073).

----

Using the ruby CVE-2013-4073 identifier, when CVE-2013-4248 got assigned here:

http://www.openwall.com/lists/oss-security/2013/08/15/3
Comment 4 David Walser 2013-08-16 19:07:26 CEST
I guess if PHP 5.5 is affected, it's fixed in 5.5.2 as well?
Comment 5 David Walser 2013-08-16 19:11:46 CEST
I'm guessing we'll need some things rebuilt in mga3, since this is also updating to PHP 5.4.18.

Currently uploaded packages:
php-ini-5.3.27-1.1.mga2
php-cli-5.3.27-1.1.mga2
php-cgi-5.3.27-1.1.mga2
php-fpm-5.3.27-1.1.mga2
apache-mod_php-5.3.27-1.1.mga2
libphp5_common5-5.3.27-1.1.mga2
php-devel-5.3.27-1.1.mga2
php-openssl-5.3.27-1.1.mga2
php-zlib-5.3.27-1.1.mga2
php-bcmath-5.3.27-1.1.mga2
php-bz2-5.3.27-1.1.mga2
php-calendar-5.3.27-1.1.mga2
php-ctype-5.3.27-1.1.mga2
php-curl-5.3.27-1.1.mga2
php-dba-5.3.27-1.1.mga2
php-dom-5.3.27-1.1.mga2
php-enchant-5.3.27-1.1.mga2
php-exif-5.3.27-1.1.mga2
php-fileinfo-5.3.27-1.1.mga2
php-filter-5.3.27-1.1.mga2
php-ftp-5.3.27-1.1.mga2
php-gd-5.3.27-1.1.mga2
php-gettext-5.3.27-1.1.mga2
php-gmp-5.3.27-1.1.mga2
php-hash-5.3.27-1.1.mga2
php-iconv-5.3.27-1.1.mga2
php-imap-5.3.27-1.1.mga2
php-intl-5.3.27-1.1.mga2
php-json-5.3.27-1.1.mga2
php-ldap-5.3.27-1.1.mga2
php-mbstring-5.3.27-1.1.mga2
php-mcrypt-5.3.27-1.1.mga2
php-mssql-5.3.27-1.1.mga2
php-mysql-5.3.27-1.1.mga2
php-mysqli-5.3.27-1.1.mga2
php-mysqlnd-5.3.27-1.1.mga2
php-odbc-5.3.27-1.1.mga2
php-pcntl-5.3.27-1.1.mga2
php-pdo-5.3.27-1.1.mga2
php-pdo_dblib-5.3.27-1.1.mga2
php-pdo_mysql-5.3.27-1.1.mga2
php-pdo_odbc-5.3.27-1.1.mga2
php-pdo_pgsql-5.3.27-1.1.mga2
php-pdo_sqlite-5.3.27-1.1.mga2
php-pgsql-5.3.27-1.1.mga2
php-phar-5.3.27-1.1.mga2
php-posix-5.3.27-1.1.mga2
php-readline-5.3.27-1.1.mga2
php-recode-5.3.27-1.1.mga2
php-session-5.3.27-1.1.mga2
php-shmop-5.3.27-1.1.mga2
php-snmp-5.3.27-1.1.mga2
php-soap-5.3.27-1.1.mga2
php-sockets-5.3.27-1.1.mga2
php-sqlite3-5.3.27-1.1.mga2
php-sqlite-5.3.27-1.1.mga2
php-sybase_ct-5.3.27-1.1.mga2
php-sysvmsg-5.3.27-1.1.mga2
php-sysvsem-5.3.27-1.1.mga2
php-sysvshm-5.3.27-1.1.mga2
php-tidy-5.3.27-1.1.mga2
php-tokenizer-5.3.27-1.1.mga2
php-xml-5.3.27-1.1.mga2
php-xmlreader-5.3.27-1.1.mga2
php-xmlrpc-5.3.27-1.1.mga2
php-xmlwriter-5.3.27-1.1.mga2
php-xsl-5.3.27-1.1.mga2
php-wddx-5.3.27-1.1.mga2
php-zip-5.3.27-1.1.mga2
php-ini-5.4.18-1.1.mga3
apache-mod_php-5.4.18-1.1.mga3
php-cli-5.4.18-1.1.mga3
php-cgi-5.4.18-1.1.mga3
libphp5_common5-5.4.18-1.1.mga3
php-devel-5.4.18-1.1.mga3
php-openssl-5.4.18-1.1.mga3
php-zlib-5.4.18-1.1.mga3
php-doc-5.4.18-1.1.mga3
php-bcmath-5.4.18-1.1.mga3
php-bz2-5.4.18-1.1.mga3
php-calendar-5.4.18-1.1.mga3
php-ctype-5.4.18-1.1.mga3
php-curl-5.4.18-1.1.mga3
php-dba-5.4.18-1.1.mga3
php-dom-5.4.18-1.1.mga3
php-enchant-5.4.18-1.1.mga3
php-exif-5.4.18-1.1.mga3
php-fileinfo-5.4.18-1.1.mga3
php-filter-5.4.18-1.1.mga3
php-ftp-5.4.18-1.1.mga3
php-gd-5.4.18-1.1.mga3
php-gettext-5.4.18-1.1.mga3
php-gmp-5.4.18-1.1.mga3
php-hash-5.4.18-1.1.mga3
php-iconv-5.4.18-1.1.mga3
php-imap-5.4.18-1.1.mga3
php-interbase-5.4.18-1.1.mga3
php-intl-5.4.18-1.1.mga3
php-json-5.4.18-1.1.mga3
php-ldap-5.4.18-1.1.mga3
php-mbstring-5.4.18-1.1.mga3
php-mcrypt-5.4.18-1.1.mga3
php-mssql-5.4.18-1.1.mga3
php-mysql-5.4.18-1.1.mga3
php-mysqli-5.4.18-1.1.mga3
php-mysqlnd-5.4.18-1.1.mga3
php-odbc-5.4.18-1.1.mga3
php-pcntl-5.4.18-1.1.mga3
php-pdo-5.4.18-1.1.mga3
php-pdo_dblib-5.4.18-1.1.mga3
php-pdo_firebird-5.4.18-1.1.mga3
php-pdo_mysql-5.4.18-1.1.mga3
php-pdo_odbc-5.4.18-1.1.mga3
php-pdo_pgsql-5.4.18-1.1.mga3
php-pdo_sqlite-5.4.18-1.1.mga3
php-pgsql-5.4.18-1.1.mga3
php-phar-5.4.18-1.1.mga3
php-posix-5.4.18-1.1.mga3
php-readline-5.4.18-1.1.mga3
php-recode-5.4.18-1.1.mga3
php-session-5.4.18-1.1.mga3
php-shmop-5.4.18-1.1.mga3
php-snmp-5.4.18-1.1.mga3
php-soap-5.4.18-1.1.mga3
php-sockets-5.4.18-1.1.mga3
php-sqlite3-5.4.18-1.1.mga3
php-sybase_ct-5.4.18-1.1.mga3
php-sysvmsg-5.4.18-1.1.mga3
php-sysvsem-5.4.18-1.1.mga3
php-sysvshm-5.4.18-1.1.mga3
php-tidy-5.4.18-1.1.mga3
php-tokenizer-5.4.18-1.1.mga3
php-xml-5.4.18-1.1.mga3
php-xmlreader-5.4.18-1.1.mga3
php-xmlrpc-5.4.18-1.1.mga3
php-xmlwriter-5.4.18-1.1.mga3
php-xsl-5.4.18-1.1.mga3
php-wddx-5.4.18-1.1.mga3
php-zip-5.4.18-1.1.mga3
php-fpm-5.4.18-1.1.mga3

from SRPMS:
php-5.3.27-1.1.mga2.src.rpm
php-5.4.18-1.1.mga3.src.rpm
David Walser 2013-08-17 18:00:19 CEST

Summary: php: Fix CVE-2013-4248 - handling of certs with null bytes => php: handling of certs with null bytes (CVE-2013-4248)

David Walser 2013-08-23 12:43:08 CEST

CC: (none) => luigiwalser
Blocks: (none) => 10847, 8538

Comment 7 David Walser 2013-08-23 19:01:34 CEST
Oden has updated these again and rebuilt some stuff.

Currently available packages in updates_testing:
php-ini-5.3.27-1.2.mga2
php-cli-5.3.27-1.2.mga2
php-cgi-5.3.27-1.2.mga2
php-fpm-5.3.27-1.2.mga2
apache-mod_php-5.3.27-1.2.mga2
libphp5_common5-5.3.27-1.2.mga2
php-devel-5.3.27-1.2.mga2
php-openssl-5.3.27-1.2.mga2
php-zlib-5.3.27-1.2.mga2
php-bcmath-5.3.27-1.2.mga2
php-bz2-5.3.27-1.2.mga2
php-calendar-5.3.27-1.2.mga2
php-ctype-5.3.27-1.2.mga2
php-curl-5.3.27-1.2.mga2
php-dba-5.3.27-1.2.mga2
php-dom-5.3.27-1.2.mga2
php-enchant-5.3.27-1.2.mga2
php-exif-5.3.27-1.2.mga2
php-fileinfo-5.3.27-1.2.mga2
php-filter-5.3.27-1.2.mga2
php-ftp-5.3.27-1.2.mga2
php-gd-5.3.27-1.2.mga2
php-gettext-5.3.27-1.2.mga2
php-gmp-5.3.27-1.2.mga2
php-hash-5.3.27-1.2.mga2
php-iconv-5.3.27-1.2.mga2
php-imap-5.3.27-1.2.mga2
php-intl-5.3.27-1.2.mga2
php-json-5.3.27-1.2.mga2
php-ldap-5.3.27-1.2.mga2
php-mbstring-5.3.27-1.2.mga2
php-mcrypt-5.3.27-1.2.mga2
php-mssql-5.3.27-1.2.mga2
php-mysql-5.3.27-1.2.mga2
php-mysqli-5.3.27-1.2.mga2
php-mysqlnd-5.3.27-1.2.mga2
php-odbc-5.3.27-1.2.mga2
php-pcntl-5.3.27-1.2.mga2
php-pdo-5.3.27-1.2.mga2
php-pdo_dblib-5.3.27-1.2.mga2
php-pdo_mysql-5.3.27-1.2.mga2
php-pdo_odbc-5.3.27-1.2.mga2
php-pdo_pgsql-5.3.27-1.2.mga2
php-pdo_sqlite-5.3.27-1.2.mga2
php-pgsql-5.3.27-1.2.mga2
php-phar-5.3.27-1.2.mga2
php-posix-5.3.27-1.2.mga2
php-readline-5.3.27-1.2.mga2
php-recode-5.3.27-1.2.mga2
php-session-5.3.27-1.2.mga2
php-shmop-5.3.27-1.2.mga2
php-snmp-5.3.27-1.2.mga2
php-soap-5.3.27-1.2.mga2
php-sockets-5.3.27-1.2.mga2
php-sqlite3-5.3.27-1.2.mga2
php-sqlite-5.3.27-1.2.mga2
php-sybase_ct-5.3.27-1.2.mga2
php-sysvmsg-5.3.27-1.2.mga2
php-sysvsem-5.3.27-1.2.mga2
php-sysvshm-5.3.27-1.2.mga2
php-tidy-5.3.27-1.2.mga2
php-tokenizer-5.3.27-1.2.mga2
php-xml-5.3.27-1.2.mga2
php-xmlreader-5.3.27-1.2.mga2
php-xmlrpc-5.3.27-1.2.mga2
php-xmlwriter-5.3.27-1.2.mga2
php-xsl-5.3.27-1.2.mga2
php-wddx-5.3.27-1.2.mga2
php-zip-5.3.27-1.2.mga2
php-ini-5.4.19-1.1.mga3
apache-mod_php-5.4.19-1.1.mga3
php-cli-5.4.19-1.1.mga3
php-cgi-5.4.19-1.1.mga3
libphp5_common5-5.4.19-1.1.mga3
php-devel-5.4.19-1.1.mga3
php-openssl-5.4.19-1.1.mga3
php-zlib-5.4.19-1.1.mga3
php-doc-5.4.19-1.1.mga3
php-bcmath-5.4.19-1.1.mga3
php-bz2-5.4.19-1.1.mga3
php-calendar-5.4.19-1.1.mga3
php-ctype-5.4.19-1.1.mga3
php-curl-5.4.19-1.1.mga3
php-dba-5.4.19-1.1.mga3
php-dom-5.4.19-1.1.mga3
php-enchant-5.4.19-1.1.mga3
php-exif-5.4.19-1.1.mga3
php-fileinfo-5.4.19-1.1.mga3
php-filter-5.4.19-1.1.mga3
php-ftp-5.4.19-1.1.mga3
php-gd-5.4.19-1.1.mga3
php-gettext-5.4.19-1.1.mga3
php-gmp-5.4.19-1.1.mga3
php-hash-5.4.19-1.1.mga3
php-iconv-5.4.19-1.1.mga3
php-imap-5.4.19-1.1.mga3
php-interbase-5.4.19-1.1.mga3
php-intl-5.4.19-1.1.mga3
php-json-5.4.19-1.1.mga3
php-ldap-5.4.19-1.1.mga3
php-mbstring-5.4.19-1.1.mga3
php-mcrypt-5.4.19-1.1.mga3
php-mssql-5.4.19-1.1.mga3
php-mysql-5.4.19-1.1.mga3
php-mysqli-5.4.19-1.1.mga3
php-mysqlnd-5.4.19-1.1.mga3
php-odbc-5.4.19-1.1.mga3
php-pcntl-5.4.19-1.1.mga3
php-pdo-5.4.19-1.1.mga3
php-pdo_dblib-5.4.19-1.1.mga3
php-pdo_firebird-5.4.19-1.1.mga3
php-pdo_mysql-5.4.19-1.1.mga3
php-pdo_odbc-5.4.19-1.1.mga3
php-pdo_pgsql-5.4.19-1.1.mga3
php-pdo_sqlite-5.4.19-1.1.mga3
php-pgsql-5.4.19-1.1.mga3
php-phar-5.4.19-1.1.mga3
php-posix-5.4.19-1.1.mga3
php-readline-5.4.19-1.1.mga3
php-recode-5.4.19-1.1.mga3
php-session-5.4.19-1.1.mga3
php-shmop-5.4.19-1.1.mga3
php-snmp-5.4.19-1.1.mga3
php-soap-5.4.19-1.1.mga3
php-sockets-5.4.19-1.1.mga3
php-sqlite3-5.4.19-1.1.mga3
php-sybase_ct-5.4.19-1.1.mga3
php-sysvmsg-5.4.19-1.1.mga3
php-sysvsem-5.4.19-1.1.mga3
php-sysvshm-5.4.19-1.1.mga3
php-tidy-5.4.19-1.1.mga3
php-tokenizer-5.4.19-1.1.mga3
php-xml-5.4.19-1.1.mga3
php-xmlreader-5.4.19-1.1.mga3
php-xmlrpc-5.4.19-1.1.mga3
php-xmlwriter-5.4.19-1.1.mga3
php-xsl-5.4.19-1.1.mga3
php-wddx-5.4.19-1.1.mga3
php-zip-5.4.19-1.1.mga3
php-fpm-5.4.19-1.1.mga3
php-apc-3.1.14-7.3.mga3
php-apc-admin-3.1.14-7.3.mga3
php-gd-bundled-5.4.19-1.mga3

from SRPMS:
php-5.3.27-1.2.mga2.src.rpm
php-5.4.19-1.1.mga3.src.rpm
php-apc-3.1.14-7.3.mga3.src.rpm
php-gd-bundled-5.4.19-1.mga3.src.rpm
Comment 8 David Walser 2013-08-25 14:04:05 CEST
Funda has updated PHP to 5.5.3 in Cauldron, which should fix this there.

Are there any more packages that need to be built for the stable updates?

If not, we just need an advisory and can push this to QA.

Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO

Comment 9 Oden Eriksson 2013-08-26 12:36:29 CEST
I think only php-apc needs a rebuild in mga3, so I think we're fine.
Comment 10 David Walser 2013-08-26 14:41:45 CEST
Thanks Oden.  Note that the CVE reference has been fixed on the upstream ChangeLog.

Assigning to QA.  Advisory below.  Package list in Comment 7.

Advisory:
========================

Updated php packages fix security vulnerability:

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character
in a domain name in the Subject Alternative Name field of an X.509 certificate,
which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority
(CVE-2013-4248).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
http://www.php.net/ChangeLog-5.php

Assignee: bugsquad => qa-bugs

Comment 11 David Walser 2013-08-26 18:49:06 CEST
Fedora has issued an advisory for this on August 19:
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114648.html

URL: (none) => http://lwn.net/Vulnerabilities/564819/

Comment 12 Oden Eriksson 2013-08-27 12:57:47 CEST
Advisory:
========================

Updated php packages fix security vulnerability:

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character
in a domain name in the Subject Alternative Name field of an X.509 certificate,
which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority
(CVE-2013-4248).

Additionally a patch has been applied to fix a UMR (Uninitialized Memory Read) bug in the original fix for CVE-2013-4248.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
http://www.php.net/ChangeLog-5.php
http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b
Comment 14 claire robinson 2013-08-27 18:56:40 CEST
If the package list in comment 7 is current then for mga2 there are usually php-eaccelerator, php-apc, etc rebuilt at the same time. Is it necessary here too?
Comment 15 claire robinson 2013-08-27 18:57:49 CEST
See e.g. bug 10760
Comment 16 David Walser 2013-08-27 19:13:50 CEST
(In reply to claire robinson from comment #14)
> If the package list in comment 7 is current then for mga2 there are usually
> php-eaccelerator, php-apc, etc rebuilt at the same time. Is it necessary
> here too?

No, because php hasn't been updated to a new version this time, only patched.
Comment 17 David Walser 2013-08-27 19:15:53 CEST
Adding the MDV advisory to the references.

Advisory:
========================

Updated php packages fix security vulnerability:

The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character
in a domain name in the Subject Alternative Name field of an X.509 certificate,
which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority
(CVE-2013-4248).

Additionally a patch has been applied to fix a UMR (Uninitialized Memory Read)
bug in the original fix for CVE-2013-4248.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4248
http://www.php.net/ChangeLog-5.php
http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:221/
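
The class of flaw named in the advisory above, shown as an added example that is not part of this bug thread and is not PHP's openssl.c code: a Subject Alternative Name entry measured as a C string beside a length-aware check that rejects an embedded '\0'. The struct, function names and sample byte strings are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A dNSName entry as stored in a certificate: bytes plus an explicit
 * length (hypothetical struct for this example), not a C string. */
struct san_dns { const unsigned char *data; size_t len; };

/* Constructed samples; the literals' trailing NUL keeps strlen() in bounds. */
static const unsigned char CLEAN_BYTES[]   = "www.example.com";
static const unsigned char CRAFTED_BYTES[] = "www.example.com\0.other.example";
static const struct san_dns CLEAN   = { CLEAN_BYTES,   sizeof CLEAN_BYTES - 1 };
static const struct san_dns CRAFTED = { CRAFTED_BYTES, sizeof CRAFTED_BYTES - 1 };

/* Case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed pattern: the entry is measured with strlen(), so everything after
 * an embedded '\0' is silently ignored. */
int san_matches_cstring(const struct san_dns *san, const char *host)
{
    size_t seen = strlen((const char *)san->data);
    return seen == strlen(host) && eq_nocase(san->data, host, seen);
}

/* Length-aware check: an entry containing '\0' anywhere is rejected, and
 * the full ASN.1 length must equal the hostname length. */
int san_matches_strict(const struct san_dns *san, const char *host)
{
    if (memchr(san->data, '\0', san->len) != NULL)
        return 0;
    return san->len == strlen(host) && eq_nocase(san->data, host, san->len);
}

int main(void)
{
    const char *host = "www.example.com";
    printf("cstring: clean=%d crafted=%d\n",
           san_matches_cstring(&CLEAN, host), san_matches_cstring(&CRAFTED, host));
    printf("strict:  clean=%d crafted=%d\n",
           san_matches_strict(&CLEAN, host), san_matches_strict(&CRAFTED, host));
    return 0;
}
```
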
Comment 18 claire robinson 2013-08-28 12:50:24 CEST
Testing complete mga2 64

The php-gd/php-gd-bundled problem in bug 10847 confirmed fixed, they now conflict.

Tested with phpmyadmin, logged in to php-eaccelerator and watched the cache. Checked for errors in php -i. All modules show as loaded.

Whiteboard: MGA2TOO => MGA2TOO has_procedure mga2-64-ok

Comment 19 claire robinson 2013-08-28 14:49:39 CEST
Testing complete mga2 32

bug 10847 ok. Checked with phpmyadmin, php-apc and php -i

Whiteboard: MGA2TOO has_procedure mga2-64-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok

Comment 20 claire robinson 2013-08-29 11:29:12 CEST
Testing complete mga3 64

Whiteboard: MGA2TOO has_procedure mga2-64-ok mga2-32-ok => MGA2TOO has_procedure mga2-64-ok mga2-32-ok mga3-64-ok

Comment 21 claire robinson 2013-08-29 17:06:45 CEST
Testing complete mga3 32
Comment 22 claire robinson 2013-08-29 17:16:16 CEST
Validating. Advisory uploaded.

Could sysadmin please push from 2 & 3 core/updates_testing to updates?

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 23 Thomas Backlund 2013-08-30 19:31:29 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2013-0264.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED