It looks like new upstream versions of PHP will be released on December 12, fixing a new security issue fixed in this commit:
http://git.php.net/?p=php-src.git;a=commit;h=c1224573c773b6845e83505f717fbf820fc18415

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
RedHat has issued an advisory for this today (December 11): https://rhn.redhat.com/errata/RHSA-2013-1813.html
URL: (none) => http://lwn.net/Vulnerabilities/576584/
Ubuntu has issued an advisory for this today (December 12): http://www.ubuntu.com/usn/usn-2055-1/ It includes another CVE, CVE-2013-6712.
Summary: php new security issue CVE-2013-6420 => php new security issue CVE-2013-6420 and CVE-2013-6712
LWN reference for CVE-2013-6712: http://lwn.net/Vulnerabilities/576780/
Ahh, I just noticed that Oden previously filed a bug for CVE-2013-6712. We can handle that on this bug, so I'll close that one. Here's the information he gave on it earlier.

Name: CVE-2013-6712
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131108
Category:
Reference: MISC:https://bugs.php.net/bug.php?id=66060
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commit;h=12fe4e90be7bfa2a763197079f68f5568a14e071

The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
*** Bug 11804 has been marked as a duplicate of this bug. ***
CC: (none) => oe
Blocks: (none) => 11726
5.5.7 is out, which fixes these in Cauldron:
http://www.php.net/ChangeLog-5.php#5.5.7

I've committed it to SVN and confirmed that it builds in Cauldron.

Is there anything else that needs to be updated along with this?

Also, what needs to be rebuilt once this is pushed?

I'll ask for a freeze push request once everything's ready to go.
For Mageia 3, 5.4.23 has been released, fixing this:
http://www.php.net/ChangeLog-5.php#5.4.23

I haven't done anything with this yet.
Oden has built PHP 5.4.23 for updates_testing.

php-ini-5.4.23-1.mga3
apache-mod_php-5.4.23-1.mga3
php-cli-5.4.23-1.mga3
php-cgi-5.4.23-1.mga3
libphp5_common5-5.4.23-1.mga3
php-devel-5.4.23-1.mga3
php-openssl-5.4.23-1.mga3
php-zlib-5.4.23-1.mga3
php-doc-5.4.23-1.mga3
php-bcmath-5.4.23-1.mga3
php-bz2-5.4.23-1.mga3
php-calendar-5.4.23-1.mga3
php-ctype-5.4.23-1.mga3
php-curl-5.4.23-1.mga3
php-dba-5.4.23-1.mga3
php-dom-5.4.23-1.mga3
php-enchant-5.4.23-1.mga3
php-exif-5.4.23-1.mga3
php-fileinfo-5.4.23-1.mga3
php-filter-5.4.23-1.mga3
php-ftp-5.4.23-1.mga3
php-gd-5.4.23-1.mga3
php-gettext-5.4.23-1.mga3
php-gmp-5.4.23-1.mga3
php-hash-5.4.23-1.mga3
php-iconv-5.4.23-1.mga3
php-imap-5.4.23-1.mga3
php-interbase-5.4.23-1.mga3
php-intl-5.4.23-1.mga3
php-json-5.4.23-1.mga3
php-ldap-5.4.23-1.mga3
php-mbstring-5.4.23-1.mga3
php-mcrypt-5.4.23-1.mga3
php-mssql-5.4.23-1.mga3
php-mysql-5.4.23-1.mga3
php-mysqli-5.4.23-1.mga3
php-mysqlnd-5.4.23-1.mga3
php-odbc-5.4.23-1.mga3
php-pcntl-5.4.23-1.mga3
php-pdo-5.4.23-1.mga3
php-pdo_dblib-5.4.23-1.mga3
php-pdo_firebird-5.4.23-1.mga3
php-pdo_mysql-5.4.23-1.mga3
php-pdo_odbc-5.4.23-1.mga3
php-pdo_pgsql-5.4.23-1.mga3
php-pdo_sqlite-5.4.23-1.mga3
php-pgsql-5.4.23-1.mga3
php-phar-5.4.23-1.mga3
php-posix-5.4.23-1.mga3
php-readline-5.4.23-1.mga3
php-recode-5.4.23-1.mga3
php-session-5.4.23-1.mga3
php-shmop-5.4.23-1.mga3
php-snmp-5.4.23-1.mga3
php-soap-5.4.23-1.mga3
php-sockets-5.4.23-1.mga3
php-sqlite3-5.4.23-1.mga3
php-sybase_ct-5.4.23-1.mga3
php-sysvmsg-5.4.23-1.mga3
php-sysvsem-5.4.23-1.mga3
php-sysvshm-5.4.23-1.mga3
php-tidy-5.4.23-1.mga3
php-tokenizer-5.4.23-1.mga3
php-xml-5.4.23-1.mga3
php-xmlreader-5.4.23-1.mga3
php-xmlrpc-5.4.23-1.mga3
php-xmlwriter-5.4.23-1.mga3
php-xsl-5.4.23-1.mga3
php-wddx-5.4.23-1.mga3
php-zip-5.4.23-1.mga3
php-fpm-5.4.23-1.mga3

from php-5.4.23-1.mga3.src.rpm
Summary: php new security issue CVE-2013-6420 and CVE-2013-6712 => php new security issues CVE-2013-6420 and CVE-2013-6712
(In reply to David Walser from comment #6)
> 5.5.7 is out, which fixes these in Cauldron:
> http://www.php.net/ChangeLog-5.php#5.5.7
>
> I've committed it to SVN and confirmed that it builds in Cauldron.
>
> Is there anything else that needs to be updated along with this?
>
> Also, what needs to be rebuilt once this is pushed?
>
> I'll ask for a freeze push request once everything's ready to go.

Please submit these:
php-apc
php-manual-en (5.5.7)

I think only php-apc needs to be rebuilt.
(In reply to David Walser from comment #8)
> Oden has built PHP 5.4.23 for updates_testing.
>
> php-ini-5.4.23-1.mga3
> apache-mod_php-5.4.23-1.mga3
> php-cli-5.4.23-1.mga3
> php-cgi-5.4.23-1.mga3
> libphp5_common5-5.4.23-1.mga3
> php-devel-5.4.23-1.mga3
> php-openssl-5.4.23-1.mga3
> php-zlib-5.4.23-1.mga3
> php-doc-5.4.23-1.mga3
> php-bcmath-5.4.23-1.mga3
> php-bz2-5.4.23-1.mga3
> php-calendar-5.4.23-1.mga3
> php-ctype-5.4.23-1.mga3
> php-curl-5.4.23-1.mga3
> php-dba-5.4.23-1.mga3
> php-dom-5.4.23-1.mga3
> php-enchant-5.4.23-1.mga3
> php-exif-5.4.23-1.mga3
> php-fileinfo-5.4.23-1.mga3
> php-filter-5.4.23-1.mga3
> php-ftp-5.4.23-1.mga3
> php-gd-5.4.23-1.mga3
> php-gettext-5.4.23-1.mga3
> php-gmp-5.4.23-1.mga3
> php-hash-5.4.23-1.mga3
> php-iconv-5.4.23-1.mga3
> php-imap-5.4.23-1.mga3
> php-interbase-5.4.23-1.mga3
> php-intl-5.4.23-1.mga3
> php-json-5.4.23-1.mga3
> php-ldap-5.4.23-1.mga3
> php-mbstring-5.4.23-1.mga3
> php-mcrypt-5.4.23-1.mga3
> php-mssql-5.4.23-1.mga3
> php-mysql-5.4.23-1.mga3
> php-mysqli-5.4.23-1.mga3
> php-mysqlnd-5.4.23-1.mga3
> php-odbc-5.4.23-1.mga3
> php-pcntl-5.4.23-1.mga3
> php-pdo-5.4.23-1.mga3
> php-pdo_dblib-5.4.23-1.mga3
> php-pdo_firebird-5.4.23-1.mga3
> php-pdo_mysql-5.4.23-1.mga3
> php-pdo_odbc-5.4.23-1.mga3
> php-pdo_pgsql-5.4.23-1.mga3
> php-pdo_sqlite-5.4.23-1.mga3
> php-pgsql-5.4.23-1.mga3
> php-phar-5.4.23-1.mga3
> php-posix-5.4.23-1.mga3
> php-readline-5.4.23-1.mga3
> php-recode-5.4.23-1.mga3
> php-session-5.4.23-1.mga3
> php-shmop-5.4.23-1.mga3
> php-snmp-5.4.23-1.mga3
> php-soap-5.4.23-1.mga3
> php-sockets-5.4.23-1.mga3
> php-sqlite3-5.4.23-1.mga3
> php-sybase_ct-5.4.23-1.mga3
> php-sysvmsg-5.4.23-1.mga3
> php-sysvsem-5.4.23-1.mga3
> php-sysvshm-5.4.23-1.mga3
> php-tidy-5.4.23-1.mga3
> php-tokenizer-5.4.23-1.mga3
> php-xml-5.4.23-1.mga3
> php-xmlreader-5.4.23-1.mga3
> php-xmlrpc-5.4.23-1.mga3
> php-xmlwriter-5.4.23-1.mga3
> php-xsl-5.4.23-1.mga3
> php-wddx-5.4.23-1.mga3
> php-zip-5.4.23-1.mga3
> php-fpm-5.4.23-1.mga3
>
> from php-5.4.23-1.mga3.src.rpm

+ these:
php-gd-bundled-5.4.23-1.mga3
php-apc-3.1.14-7.5.mga3
Thanks Oden! Freeze push request has been sent to the dev ml.
(In reply to Oden Eriksson from comment #10)
> + these:
> php-gd-bundled-5.4.23-1.mga3
> php-apc-3.1.14-7.5.mga3

+ this:
php-apc-admin-3.1.14-7.5.mga3

from SRPMS:
php-gd-bundled-5.4.23-1.mga3.src.rpm
php-apc-3.1.14-7.5.mga3.src.rpm
Updated packages built for Mageia 3 and Cauldron.

Note to QA: RedHat has rated CVE-2013-6420 as critical severity, and linked to a page with a PoC here:
https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html

Advisory:
========================

Updated php packages fix security vulnerabilities:

Stefan Esser discovered that PHP incorrectly parsed certificates. An attacker could use a malformed certificate to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2013-6420).

It was discovered that PHP incorrectly handled DateInterval objects. An attacker could use this issue to cause PHP to crash, resulting in a denial of service (CVE-2013-6712).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6712
http://www.php.net/ChangeLog-5.php#5.4.23
http://www.ubuntu.com/usn/usn-2055-1/
========================

Updated packages in core/updates_testing:
========================
php-ini-5.4.23-1.mga3
apache-mod_php-5.4.23-1.mga3
php-cli-5.4.23-1.mga3
php-cgi-5.4.23-1.mga3
libphp5_common5-5.4.23-1.mga3
php-devel-5.4.23-1.mga3
php-openssl-5.4.23-1.mga3
php-zlib-5.4.23-1.mga3
php-doc-5.4.23-1.mga3
php-bcmath-5.4.23-1.mga3
php-bz2-5.4.23-1.mga3
php-calendar-5.4.23-1.mga3
php-ctype-5.4.23-1.mga3
php-curl-5.4.23-1.mga3
php-dba-5.4.23-1.mga3
php-dom-5.4.23-1.mga3
php-enchant-5.4.23-1.mga3
php-exif-5.4.23-1.mga3
php-fileinfo-5.4.23-1.mga3
php-filter-5.4.23-1.mga3
php-ftp-5.4.23-1.mga3
php-gd-5.4.23-1.mga3
php-gettext-5.4.23-1.mga3
php-gmp-5.4.23-1.mga3
php-hash-5.4.23-1.mga3
php-iconv-5.4.23-1.mga3
php-imap-5.4.23-1.mga3
php-interbase-5.4.23-1.mga3
php-intl-5.4.23-1.mga3
php-json-5.4.23-1.mga3
php-ldap-5.4.23-1.mga3
php-mbstring-5.4.23-1.mga3
php-mcrypt-5.4.23-1.mga3
php-mssql-5.4.23-1.mga3
php-mysql-5.4.23-1.mga3
php-mysqli-5.4.23-1.mga3
php-mysqlnd-5.4.23-1.mga3
php-odbc-5.4.23-1.mga3
php-pcntl-5.4.23-1.mga3
php-pdo-5.4.23-1.mga3
php-pdo_dblib-5.4.23-1.mga3
php-pdo_firebird-5.4.23-1.mga3
php-pdo_mysql-5.4.23-1.mga3
php-pdo_odbc-5.4.23-1.mga3
php-pdo_pgsql-5.4.23-1.mga3
php-pdo_sqlite-5.4.23-1.mga3
php-pgsql-5.4.23-1.mga3
php-phar-5.4.23-1.mga3
php-posix-5.4.23-1.mga3
php-readline-5.4.23-1.mga3
php-recode-5.4.23-1.mga3
php-session-5.4.23-1.mga3
php-shmop-5.4.23-1.mga3
php-snmp-5.4.23-1.mga3
php-soap-5.4.23-1.mga3
php-sockets-5.4.23-1.mga3
php-sqlite3-5.4.23-1.mga3
php-sybase_ct-5.4.23-1.mga3
php-sysvmsg-5.4.23-1.mga3
php-sysvsem-5.4.23-1.mga3
php-sysvshm-5.4.23-1.mga3
php-tidy-5.4.23-1.mga3
php-tokenizer-5.4.23-1.mga3
php-xml-5.4.23-1.mga3
php-xmlreader-5.4.23-1.mga3
php-xmlrpc-5.4.23-1.mga3
php-xmlwriter-5.4.23-1.mga3
php-xsl-5.4.23-1.mga3
php-wddx-5.4.23-1.mga3
php-zip-5.4.23-1.mga3
php-fpm-5.4.23-1.mga3
php-gd-bundled-5.4.23-1.mga3
php-apc-3.1.14-7.5.mga3
php-apc-admin-3.1.14-7.5.mga3

from SRPMS:
php-5.4.23-1.mga3.src.rpm
php-gd-bundled-5.4.23-1.mga3.src.rpm
php-apc-3.1.14-7.5.mga3.src.rpm
Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)
Severity: normal => critical
Testing complete mga3 64

Script to test with..

$ cat test.php
<?php
$cert = file_get_contents('test.crt');
$ssl = openssl_x509_parse($cert);
print_r($ssl);
?>

test.crt is the one from the bottom of the PoC with any leading spaces removed. I'll attach it.

Before
------

Valgrind starts with..

$ valgrind php test.php
==8779== Memcheck, a memory error detector
==8779== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==8779== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==8779== Command: php test.php
==8779==
==8779== Use of uninitialised value of size 8
==8779==    at 0x54AFB53: ____strtol_l_internal (in /usr/lib64/libc-2.17.so)
==8779==    by 0x88932F2: ??? (in /usr/lib64/php/extensions/openssl.so)
==8779==    by 0x8897C3C: zif_openssl_x509_parse (in /usr/lib64/php/extensions/openssl.so)
==8779==    by 0x511B590: ??? (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x50CF5BE: execute (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x5063A1B: zend_execute_scripts (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x4FF9E92: php_execute_script (in /usr/lib64/libphp5_common.so.5.3.0)
==8779==    by 0x4061D3: ??? (in /usr/bin/php)
==8779==    by 0x404959: main (in /usr/bin/php)

..and ends with..

==8779== HEAP SUMMARY:
==8779==     in use at exit: 79,054 bytes in 2,590 blocks
==8779==   total heap usage: 20,177 allocs, 17,587 frees, 3,716,337 bytes allocated
==8779==
==8779== LEAK SUMMARY:
==8779==    definitely lost: 502 bytes in 10 blocks
==8779==    indirectly lost: 78,520 bytes in 2,579 blocks
==8779==      possibly lost: 0 bytes in 0 blocks
==8779==    still reachable: 32 bytes in 1 blocks
==8779==         suppressed: 0 bytes in 0 blocks
==8779== Rerun with --leak-check=full to see details of leaked memory
==8779==
==8779== For counts of detected and suppressed errors, rerun with: -v
==8779== Use --track-origins=yes to see where uninitialised values come from
==8779== ERROR SUMMARY: 12 errors from 12 contexts (suppressed: 2 from 2)

After
-----

Valgrind starts with..

$ valgrind php test.php
==11771== Memcheck, a memory error detector
==11771== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==11771== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==11771== Command: php test.php
==11771==
Array
(
    [name] => /C=DE/ST=Nordrhein-Westfalen/L=K\xC3\x83\xC2\xB6ln/O=SektionEins/OU=Malicious Cert Section/CN=malicious.sektioneins.de/emailAddress=stefan.esser@sektioneins.de
    [subject] => Array
        (
            [C] => DE
            [ST] => Nordrhein-Westfalen
            [L] => Köln
            [O] => SektionEins
            [OU] => Malicious Cert Section
            [CN] => malicious.sektioneins.de
            [emailAddress] => stefan.esser@sektioneins.de

..and ends with..

==11771== HEAP SUMMARY:
==11771==     in use at exit: 79,054 bytes in 2,590 blocks
==11771==   total heap usage: 20,178 allocs, 17,588 frees, 3,716,434 bytes allocated
==11771==
==11771== LEAK SUMMARY:
==11771==    definitely lost: 502 bytes in 10 blocks
==11771==    indirectly lost: 78,520 bytes in 2,579 blocks
==11771==      possibly lost: 0 bytes in 0 blocks
==11771==    still reachable: 32 bytes in 1 blocks
==11771==         suppressed: 0 bytes in 0 blocks
==11771== Rerun with --leak-check=full to see details of leaked memory
==11771==
==11771== For counts of detected and suppressed errors, rerun with: -v
==11771== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)

So looks like the CVE is closed, if I'm reading the results correctly.

Tested generally with zoneminder, phpmyadmin and php-apc.
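The QA comment above compares two Valgrind runs by eye: an "Use of uninitialised value" stack that passes through openssl.so / zif_openssl_x509_parse on the unpatched build, and a clean ERROR SUMMARY on the patched one. The script below is an added example, written for this page by the editor and not part of the bug report or of Mageia's QA tooling; it automates that before/after comparison by parsing Memcheck output, grouping error stacks by the shared object they pass through, and returning a verdict. The two sample outputs are constructed, abbreviated to the shape of the runs quoted in the comment (only the frames shown there, and a made-up second error kind to show grouping); the module name `openssl.so` is the one that appears in the quoted stack.

```python
import re
from collections import Counter

# Constructed sample: abbreviated Memcheck output shaped like the "Before"
# run in the comment above (same frames; the second error block is invented
# to show grouping, and the summary count matches the two blocks shown here).
BEFORE_RUN = """\
==8779== Memcheck, a memory error detector
==8779== Command: php test.php
==8779==
==8779== Use of uninitialised value of size 8
==8779==    at 0x54AFB53: ____strtol_l_internal (in /usr/lib64/libc-2.17.so)
==8779==    by 0x88932F2: ??? (in /usr/lib64/php/extensions/openssl.so)
==8779==    by 0x8897C3C: zif_openssl_x509_parse (in /usr/lib64/php/extensions/openssl.so)
==8779==
==8779== Invalid read of size 1
==8779==    at 0x88932F2: ??? (in /usr/lib64/php/extensions/openssl.so)
==8779==    by 0x8897C3C: zif_openssl_x509_parse (in /usr/lib64/php/extensions/openssl.so)
==8779==
==8779== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)
"""

# Constructed sample shaped like the "After" run: the script's own print_r
# output is interleaved (no ==pid== prefix) and the summary reports no errors.
AFTER_RUN = """\
==11771== Memcheck, a memory error detector
==11771== Command: php test.php
==11771==
Array
(
    [subject] => Array
==11771== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 2 from 2)
"""

PREFIX = re.compile(r"^==(\d+)==\s?(.*)$")
FRAME = re.compile(r"^\s*(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\(in\s+([^)]+)\)")
SUMMARY = re.compile(r"ERROR SUMMARY:\s+(\d+) errors from (\d+) contexts")


def parse_memcheck(text):
    """Parse Memcheck output into the summary counts plus every error stack.

    Only ==pid== lines are Valgrind's; anything else (the PHP program's own
    output) is dropped. An error block is a non-empty line followed directly
    by one or more 'at/by 0x...: func (in module)' frames.
    """
    lines = [m.group(2) for m in map(PREFIX.match, text.splitlines()) if m]
    report = {"errors": None, "contexts": None, "kinds": Counter(), "stacks": []}
    i = 0
    while i < len(lines):
        line = lines[i]
        summary = SUMMARY.search(line)
        if summary:
            report["errors"], report["contexts"] = int(summary.group(1)), int(summary.group(2))
        elif line.strip() and i + 1 < len(lines) and FRAME.match(lines[i + 1]):
            kind, frames, j = line.strip(), [], i + 1
            while j < len(lines):
                fm = FRAME.match(lines[j])
                if not fm:
                    break
                frames.append((fm.group(1), fm.group(2)))  # (function, module path)
                j += 1
            report["kinds"][kind] += 1
            report["stacks"].append((kind, frames))
            i = j
            continue
        i += 1
    return report


def errors_in_module(report, needle):
    """Sorted error kinds whose stack passes through a module path containing `needle`."""
    return sorted({kind for kind, frames in report["stacks"]
                   if any(needle in module for _, module in frames)})


def regression_verdict(before_text, after_text, needle="openssl.so"):
    """Decide whether the patched run still shows the errors the unpatched run had in `needle`."""
    before, after = parse_memcheck(before_text), parse_memcheck(after_text)
    if before["errors"] is None or after["errors"] is None:
        return "inconclusive: ERROR SUMMARY missing from a run"
    if before["errors"] == 0:
        return "inconclusive: test input triggered nothing on the unpatched build"
    if not errors_in_module(before, needle):
        return "inconclusive: unpatched errors never touched " + needle
    if after["errors"] == 0:
        return "fixed"
    if errors_in_module(after, needle):
        return "still affected"
    return "unrelated errors remain"


if __name__ == "__main__":
    report = parse_memcheck(BEFORE_RUN)
    print("before:", report["errors"], "errors;", errors_in_module(report, "openssl.so"))
    print("verdict:", regression_verdict(BEFORE_RUN, AFTER_RUN))
```

On real runs, feed the script the captured stdout+stderr of `valgrind php test.php` for each build; because the PHP program's own output lacks the `==pid==` prefix it is ignored, which is exactly the interleaving visible in the "After" run above. Pass `--track-origins=yes` to Valgrind if the verdict is "still affected" and the first frame is in libc rather than the extension, as the quoted stack shows.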
Whiteboard: (none) => has_procedure mga3-64-ok
Created attachment 4639 [details] test.crt
advisory uploaded.
Whiteboard: has_procedure mga3-64-ok => has_procedure advisory mga3-64-ok
Testing complete mga3 32

Validating

Could sysadmin please push from 3 core/updates_testing to updates

Thanks!
Keywords: (none) => validated_update
Whiteboard: has_procedure advisory mga3-64-ok => has_procedure advisory mga3-64-ok mga3-32-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0379.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED