Bug 11947 - php new security issues CVE-2013-6420 and CVE-2013-6712
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: i586 Linux
Priority: Normal Severity: critical
Target Milestone: ---
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/576584/
Whiteboard: has_procedure advisory mga3-64-ok mg...
Keywords: validated_update
Reported: 2013-12-10 22:49 CET by David Walser
Modified: 2013-12-19 22:12 CET (History)

See Also:
Source RPM: php-5.4.19-1.1.mga3.src.rpm
CVE:


Attachments
test.crt (1.63 KB, application/pkix-cert)
2013-12-18 18:33 CET, claire robinson

Description David Walser 2013-12-10 22:49:01 CET
It looks like new upstream versions of PHP will be released on December 12, fixing a new security issue fixed in this commit:
http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415

Comment 1 David Walser 2013-12-11 20:59:31 CET
RedHat has issued an advisory for this today (December 11):
https://rhn.redhat.com/errata/RHSA-2013-1813.html
Comment 2 David Walser 2013-12-12 18:27:52 CET
Ubuntu has issued an advisory for this today (December 12):
http://www.ubuntu.com/usn/usn-2055-1/

It includes another CVE, CVE-2013-6712.
Comment 3 David Walser 2013-12-12 18:28:13 CET
LWN reference for CVE-2013-6712:
http://lwn.net/Vulnerabilities/576780/
Comment 4 David Walser 2013-12-12 21:13:22 CET
Ahh, I just noticed that Oden previously filed a bug for CVE-2013-6712.  We can handle that on this bug, so I'll close that one.  Here's the information he gave on it earlier.

Name: CVE-2013-6712
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20131108
Category: 
Reference: MISC:https://bugs.php.net/bug.php?id=66060
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071

The scan function in ext/date/lib/parse_iso_intervals.c in PHP through
5.5.6 does not properly restrict creation of DateInterval objects,
which might allow remote attackers to cause a denial of service
(heap-based buffer over-read) via a crafted interval specification.
Comment 5 David Walser 2013-12-12 21:13:51 CET
*** Bug 11804 has been marked as a duplicate of this bug. ***
Comment 6 David Walser 2013-12-13 03:19:23 CET
5.5.7 is out, which fixes these in Cauldron:
http://www.php.net/ChangeLog-5.php#5.5.7

I've committed it to SVN and confirmed that it builds in Cauldron.

Is there anything else that needs to be updated along with this?

Also, what needs to be rebuilt once this is pushed?

I'll ask for a freeze push request once everything's ready to go.
Comment 7 David Walser 2013-12-13 03:21:35 CET
For Mageia 3, 5.4.23 has been released, fixing this:
http://www.php.net/ChangeLog-5.php#5.4.23

I haven't done anything with this yet.
Comment 8 David Walser 2013-12-16 13:44:18 CET
Oden has built PHP 5.4.23 for updates_testing.

php-ini-5.4.23-1.mga3
apache-mod_php-5.4.23-1.mga3
php-cli-5.4.23-1.mga3
php-cgi-5.4.23-1.mga3
libphp5_common5-5.4.23-1.mga3
php-devel-5.4.23-1.mga3
php-openssl-5.4.23-1.mga3
php-zlib-5.4.23-1.mga3
php-doc-5.4.23-1.mga3
php-bcmath-5.4.23-1.mga3
php-bz2-5.4.23-1.mga3
php-calendar-5.4.23-1.mga3
php-ctype-5.4.23-1.mga3
php-curl-5.4.23-1.mga3
php-dba-5.4.23-1.mga3
php-dom-5.4.23-1.mga3
php-enchant-5.4.23-1.mga3
php-exif-5.4.23-1.mga3
php-fileinfo-5.4.23-1.mga3
php-filter-5.4.23-1.mga3
php-ftp-5.4.23-1.mga3
php-gd-5.4.23-1.mga3
php-gettext-5.4.23-1.mga3
php-gmp-5.4.23-1.mga3
php-hash-5.4.23-1.mga3
php-iconv-5.4.23-1.mga3
php-imap-5.4.23-1.mga3
php-interbase-5.4.23-1.mga3
php-intl-5.4.23-1.mga3
php-json-5.4.23-1.mga3
php-ldap-5.4.23-1.mga3
php-mbstring-5.4.23-1.mga3
php-mcrypt-5.4.23-1.mga3
php-mssql-5.4.23-1.mga3
php-mysql-5.4.23-1.mga3
php-mysqli-5.4.23-1.mga3
php-mysqlnd-5.4.23-1.mga3
php-odbc-5.4.23-1.mga3
php-pcntl-5.4.23-1.mga3
php-pdo-5.4.23-1.mga3
php-pdo_dblib-5.4.23-1.mga3
php-pdo_firebird-5.4.23-1.mga3
php-pdo_mysql-5.4.23-1.mga3
php-pdo_odbc-5.4.23-1.mga3
php-pdo_pgsql-5.4.23-1.mga3
php-pdo_sqlite-5.4.23-1.mga3
php-pgsql-5.4.23-1.mga3
php-phar-5.4.23-1.mga3
php-posix-5.4.23-1.mga3
php-readline-5.4.23-1.mga3
php-recode-5.4.23-1.mga3
php-session-5.4.23-1.mga3
php-shmop-5.4.23-1.mga3
php-snmp-5.4.23-1.mga3
php-soap-5.4.23-1.mga3
php-sockets-5.4.23-1.mga3
php-sqlite3-5.4.23-1.mga3
php-sybase_ct-5.4.23-1.mga3
php-sysvmsg-5.4.23-1.mga3
php-sysvsem-5.4.23-1.mga3
php-sysvshm-5.4.23-1.mga3
php-tidy-5.4.23-1.mga3
php-tokenizer-5.4.23-1.mga3
php-xml-5.4.23-1.mga3
php-xmlreader-5.4.23-1.mga3
php-xmlrpc-5.4.23-1.mga3
php-xmlwriter-5.4.23-1.mga3
php-xsl-5.4.23-1.mga3
php-wddx-5.4.23-1.mga3
php-zip-5.4.23-1.mga3
php-fpm-5.4.23-1.mga3

from php-5.4.23-1.mga3.src.rpm
Comment 9 Oden Eriksson 2013-12-16 18:45:22 CET
(In reply to David Walser from comment #6)
> 5.5.7 is out, which fixes these in Cauldron:
> http://www.php.net/ChangeLog-5.php#5.5.7
> 
> I've committed it to SVN and confirmed that it builds in Cauldron.
> 
> Is there anything else that needs to be updated along with this?
> 
> Also, what needs to be rebuilt once this is pushed?
> 
> I'll ask for a freeze push request once everything's ready to go.

Please submit these:

php-apc
php-manual-en (5.5.7)

I think only php-apc needs to be rebuilt.
Comment 10 Oden Eriksson 2013-12-16 18:46:26 CET
(In reply to David Walser from comment #8)
> Oden has built PHP 5.4.23 for updates_testing.
> 
> php-ini-5.4.23-1.mga3
> apache-mod_php-5.4.23-1.mga3
> php-cli-5.4.23-1.mga3
> php-cgi-5.4.23-1.mga3
> libphp5_common5-5.4.23-1.mga3
> php-devel-5.4.23-1.mga3
> php-openssl-5.4.23-1.mga3
> php-zlib-5.4.23-1.mga3
> php-doc-5.4.23-1.mga3
> php-bcmath-5.4.23-1.mga3
> php-bz2-5.4.23-1.mga3
> php-calendar-5.4.23-1.mga3
> php-ctype-5.4.23-1.mga3
> php-curl-5.4.23-1.mga3
> php-dba-5.4.23-1.mga3
> php-dom-5.4.23-1.mga3
> php-enchant-5.4.23-1.mga3
> php-exif-5.4.23-1.mga3
> php-fileinfo-5.4.23-1.mga3
> php-filter-5.4.23-1.mga3
> php-ftp-5.4.23-1.mga3
> php-gd-5.4.23-1.mga3
> php-gettext-5.4.23-1.mga3
> php-gmp-5.4.23-1.mga3
> php-hash-5.4.23-1.mga3
> php-iconv-5.4.23-1.mga3
> php-imap-5.4.23-1.mga3
> php-interbase-5.4.23-1.mga3
> php-intl-5.4.23-1.mga3
> php-json-5.4.23-1.mga3
> php-ldap-5.4.23-1.mga3
> php-mbstring-5.4.23-1.mga3
> php-mcrypt-5.4.23-1.mga3
> php-mssql-5.4.23-1.mga3
> php-mysql-5.4.23-1.mga3
> php-mysqli-5.4.23-1.mga3
> php-mysqlnd-5.4.23-1.mga3
> php-odbc-5.4.23-1.mga3
> php-pcntl-5.4.23-1.mga3
> php-pdo-5.4.23-1.mga3
> php-pdo_dblib-5.4.23-1.mga3
> php-pdo_firebird-5.4.23-1.mga3
> php-pdo_mysql-5.4.23-1.mga3
> php-pdo_odbc-5.4.23-1.mga3
> php-pdo_pgsql-5.4.23-1.mga3
> php-pdo_sqlite-5.4.23-1.mga3
> php-pgsql-5.4.23-1.mga3
> php-phar-5.4.23-1.mga3
> php-posix-5.4.23-1.mga3
> php-readline-5.4.23-1.mga3
> php-recode-5.4.23-1.mga3
> php-session-5.4.23-1.mga3
> php-shmop-5.4.23-1.mga3
> php-snmp-5.4.23-1.mga3
> php-soap-5.4.23-1.mga3
> php-sockets-5.4.23-1.mga3
> php-sqlite3-5.4.23-1.mga3
> php-sybase_ct-5.4.23-1.mga3
> php-sysvmsg-5.4.23-1.mga3
> php-sysvsem-5.4.23-1.mga3
> php-sysvshm-5.4.23-1.mga3
> php-tidy-5.4.23-1.mga3
> php-tokenizer-5.4.23-1.mga3
> php-xml-5.4.23-1.mga3
> php-xmlreader-5.4.23-1.mga3
> php-xmlrpc-5.4.23-1.mga3
> php-xmlwriter-5.4.23-1.mga3
> php-xsl-5.4.23-1.mga3
> php-wddx-5.4.23-1.mga3
> php-zip-5.4.23-1.mga3
> php-fpm-5.4.23-1.mga3
> 
> from php-5.4.23-1.mga3.src.rpm


+ these:
php-gd-bundled-5.4.23-1.mga3
php-apc-3.1.14-7.5.mga3
Comment 11 David Walser 2013-12-16 18:51:52 CET
Thanks Oden!

Freeze push request has been sent to the dev ml.
Comment 12 David Walser 2013-12-16 18:56:32 CET
(In reply to Oden Eriksson from comment #10)
> + these:
> php-gd-bundled-5.4.23-1.mga3
> php-apc-3.1.14-7.5.mga3
+ this:
php-apc-admin-3.1.14-7.5.mga3

from SRPMS:

php-gd-bundled-5.4.23-1.mga3.src.rpm
php-apc-3.1.14-7.5.mga3.src.rpm
Comment 13 David Walser 2013-12-18 16:23:32 CET
Updated packages built for Mageia 3 and Cauldron.

Note to QA: RedHat has rated CVE-2013-6420 as critical severity, and linked to a page with a PoC here:
https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html

Advisory:
========================

Updated php packages fix security vulnerabilities:

Stefan Esser discovered that PHP incorrectly parsed certificates. An
attacker could use a malformed certificate to cause PHP to crash, resulting
in a denial of service, or possibly execute arbitrary code (CVE-2013-6420).

It was discovered that PHP incorrectly handled DateInterval objects. An
attacker could use this issue to cause PHP to crash, resulting in a denial
of service (CVE-2013-6712).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
http://www.php.net/ChangeLog-5.php#5.4.23
http://www.ubuntu.com/usn/usn-2055-1/
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.23-1.mga3
apache-mod_php-5.4.23-1.mga3
php-cli-5.4.23-1.mga3
php-cgi-5.4.23-1.mga3
libphp5_common5-5.4.23-1.mga3
php-devel-5.4.23-1.mga3
php-openssl-5.4.23-1.mga3
php-zlib-5.4.23-1.mga3
php-doc-5.4.23-1.mga3
php-bcmath-5.4.23-1.mga3
php-bz2-5.4.23-1.mga3
php-calendar-5.4.23-1.mga3
php-ctype-5.4.23-1.mga3
php-curl-5.4.23-1.mga3
php-dba-5.4.23-1.mga3
php-dom-5.4.23-1.mga3
php-enchant-5.4.23-1.mga3
php-exif-5.4.23-1.mga3
php-fileinfo-5.4.23-1.mga3
php-filter-5.4.23-1.mga3
php-ftp-5.4.23-1.mga3
php-gd-5.4.23-1.mga3
php-gettext-5.4.23-1.mga3
php-gmp-5.4.23-1.mga3
php-hash-5.4.23-1.mga3
php-iconv-5.4.23-1.mga3
php-imap-5.4.23-1.mga3
php-interbase-5.4.23-1.mga3
php-intl-5.4.23-1.mga3
php-json-5.4.23-1.mga3
php-ldap-5.4.23-1.mga3
php-mbstring-5.4.23-1.mga3
php-mcrypt-5.4.23-1.mga3
php-mssql-5.4.23-1.mga3
php-mysql-5.4.23-1.mga3
php-mysqli-5.4.23-1.mga3
php-mysqlnd-5.4.23-1.mga3
php-odbc-5.4.23-1.mga3
php-pcntl-5.4.23-1.mga3
php-pdo-5.4.23-1.mga3
php-pdo_dblib-5.4.23-1.mga3
php-pdo_firebird-5.4.23-1.mga3
php-pdo_mysql-5.4.23-1.mga3
php-pdo_odbc-5.4.23-1.mga3
php-pdo_pgsql-5.4.23-1.mga3
php-pdo_sqlite-5.4.23-1.mga3
php-pgsql-5.4.23-1.mga3
php-phar-5.4.23-1.mga3
php-posix-5.4.23-1.mga3
php-readline-5.4.23-1.mga3
php-recode-5.4.23-1.mga3
php-session-5.4.23-1.mga3
php-shmop-5.4.23-1.mga3
php-snmp-5.4.23-1.mga3
php-soap-5.4.23-1.mga3
php-sockets-5.4.23-1.mga3
php-sqlite3-5.4.23-1.mga3
php-sybase_ct-5.4.23-1.mga3
php-sysvmsg-5.4.23-1.mga3
php-sysvsem-5.4.23-1.mga3
php-sysvshm-5.4.23-1.mga3
php-tidy-5.4.23-1.mga3
php-tokenizer-5.4.23-1.mga3
php-xml-5.4.23-1.mga3
php-xmlreader-5.4.23-1.mga3
php-xmlrpc-5.4.23-1.mga3
php-xmlwriter-5.4.23-1.mga3
php-xsl-5.4.23-1.mga3
php-wddx-5.4.23-1.mga3
php-zip-5.4.23-1.mga3
php-fpm-5.4.23-1.mga3
php-gd-bundled-5.4.23-1.mga3
php-apc-3.1.14-7.5.mga3
php-apc-admin-3.1.14-7.5.mga3

from SRPMS:
php-5.4.23-1.mga3.src.rpm
php-gd-bundled-5.4.23-1.mga3.src.rpm
php-apc-3.1.14-7.5.mga3.src.rpm
Comment 14 claire robinson 2013-12-18 18:32:37 CET
Testing complete mga3 64

Script to test with..

$ cat test.php 
<?php
$cert = file_get_contents('test.crt');
$ssl = openssl_x509_parse($cert);
print_r ($ssl);
?>

test.crt is the one from the bottom of the PoC with any leading spaces removed. I'll attach it.


Before
------
Valgrind starts with..

$ valgrind php test.php
==8779== Memcheck, a memory error detector
==8779== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==8779== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==8779== Command: php test.php
==8779== 
==8779== Use of uninitialised value of size 8
==8779==    at 0x54AFB53: ____strtol_l_internal (in /usr/lib64/libc-2.17.so)
==8779==    by 0x88932F2: ??? (in /usr/lib64/php/extensions/openssl.so)
==8779==    by 0x8897C3C: zif_openssl_x509_parse (in /usr/lib64/php/extensions/openssl.so)
==8779==    by 0x511B590: ??? (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x50CF5BE: execute (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x5063A1B: zend_execute_scripts (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x4FF9E92: php_execute_script (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x4061D3: ??? (in /usr/bin/php)
==8779==    by 0x404959: main (in /usr/bin/php)

..and ends with..

==8779== HEAP SUMMARY:
==8779==     in use at exit: 79,054 bytes in 2,590 blocks
==8779==   total heap usage: 20,177 allocs, 17,587 frees, 3,716,337 bytes allocated
==8779== 
==8779== LEAK SUMMARY:
==8779==    definitely lost: 502 bytes in 10 blocks
==8779==    indirectly lost: 78,520 bytes in 2,579 blocks
==8779==      possibly lost: 0 bytes in 0 blocks
==8779==    still reachable: 32 bytes in 1 blocks
==8779==         suppressed: 0 bytes in 0 blocks
==8779== Rerun with --leak-check=full to see details of leaked memory
==8779== 
==8779== For counts of detected and suppressed errors, rerun with: -v
==8779== Use --track-origins=yes to see where uninitialised values come from
==8779== ERROR SUMMARY: 12 errors from 12 contexts (suppressed: 2 from 2)



After
-----
Valgrind starts with..

$ valgrind php test.php
==11771== Memcheck, a memory error detector
==11771== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==11771== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==11771== Command: php test.php
==11771== 
Array
(
    [name] => /C=DE/ST=Nordrhein-Westfalen/L=K\xC3\x83\xC2\xB6ln/O=SektionEins/OU=Malicious Cert Section/CN=malicious.sektioneins.de/emailAddress=stefan.esser@sektioneins.de
    [subject] => Array
        (
            [C] => DE
            [ST] => Nordrhein-Westfalen
            [L] => Köln
            [O] => SektionEins
            [OU] => Malicious Cert Section
            [CN] => malicious.sektioneins.de
            [emailAddress] => stefan.esser@sektioneins.de

..and ends with..

==11771== HEAP SUMMARY:
==11771==     in use at exit: 79,054 bytes in 2,590 blocks
==11771==   total heap usage: 20,178 allocs, 17,588 frees, 3,716,434 bytes allocated
==11771== 
==11771== LEAK SUMMARY:
==11771==    definitely lost: 502 bytes in 10 blocks
==11771==    indirectly lost: 78,520 bytes in 2,579 blocks
==11771==      possibly lost: 0 bytes in 0 blocks
==11771==    still reachable: 32 bytes in 1 blocks
==11771==         suppressed: 0 bytes in 0 blocks
==11771== Rerun with --leak-check=full to see details of leaked memory
==11771== 
==11771== For counts of detected and suppressed errors, rerun with: -v
==11771== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)


So looks like the CVE is closed, if I'm reading the results correctly.
Tested generally with zoneminder, phpmyadmin and php-apc
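Added example (not part of the bug report or Mageia's QA tooling): a small Python checker that turns the valgrind run in comment 14 into a pass/fail result instead of a transcript read by eye. It assumes `valgrind` and `php` are on PATH when run for real; the embedded sample lines are constructed by condensing the Before/After transcripts above.

```python
# Pass/fail checker for the "valgrind php test.php" procedure in comment 14.
# Example added to this bug report, not Mageia QA tooling: it parses memcheck
# output into the ERROR SUMMARY counts plus the functions named in any
# "Use of uninitialised value" backtrace, so before/after can be scripted.
import re
import subprocess
from typing import NamedTuple

ERROR_SUMMARY = re.compile(r"^==\d+== ERROR SUMMARY: (\d+) errors? from (\d+) contexts?")
UNINIT = re.compile(r"^==\d+== Use of uninitialised value")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(in \S+\)")

class MemcheckResult(NamedTuple):
    errors: int
    contexts: int
    uninit_frames: list   # functions on "uninitialised value" backtraces

def parse_memcheck(output: str) -> MemcheckResult:
    errors = contexts = -1
    frames, in_uninit = [], False
    for line in output.splitlines():
        if UNINIT.match(line):
            in_uninit = True          # a backtrace follows on the next lines
            continue
        m = FRAME.match(line)
        if m and in_uninit:
            frames.append(m.group(1))  # e.g. zif_openssl_x509_parse
            continue
        in_uninit = False             # any other line ends the backtrace
        m = ERROR_SUMMARY.match(line)
        if m:
            errors, contexts = int(m.group(1)), int(m.group(2))
    if errors < 0:
        raise ValueError("no ERROR SUMMARY line: valgrind did not finish")
    return MemcheckResult(errors, contexts, frames)

def check_script(script: str = "test.php") -> MemcheckResult:
    """Run the procedure for real; needs valgrind and php on PATH."""
    proc = subprocess.run(["valgrind", "php", script], capture_output=True, text=True)
    return parse_memcheck(proc.stderr)  # memcheck reports on stderr

# Constructed samples, condensed from the Before/After transcripts in comment 14.
BEFORE_SAMPLE = """\
==8779== Use of uninitialised value of size 8
==8779==    at 0x54AFB53: ____strtol_l_internal (in /usr/lib64/libc-2.17.so)
==8779==    by 0x8897C3C: zif_openssl_x509_parse (in /usr/lib64/php/extensions/openssl.so)
==8779==
==8779== ERROR SUMMARY: 12 errors from 12 contexts (suppressed: 2 from 2)
"""
AFTER_SAMPLE = "==11771== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)\n"
```

A run is considered clean only when the ERROR SUMMARY count is zero; the LEAK SUMMARY figures, which are identical before and after on this page, are deliberately ignored.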
Comment 15 claire robinson 2013-12-18 18:33:17 CET
Created attachment 4639 [details]
test.crt
Comment 16 claire robinson 2013-12-18 18:45:10 CET
advisory uploaded.
Comment 17 claire robinson 2013-12-19 09:48:30 CET
Testing complete mga3 32

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Comment 18 Thomas Backlund 2013-12-19 22:12:29 CET
Update pushed: 
http://advisories.mageia.org/MGASA-2013-0379.html
