[packages/php/PHP_5_2] backport CVE-2013-6420 from PHP 5.3 branch

glen glen at pld-linux.org
Tue Dec 17 20:56:38 CET 2013


commit 4950739b41c5ce3b7f73692921bbc871741909a6
Author: Elan Ruusamäe <glen at delfi.ee>
Date:   Tue Dec 17 21:35:48 2013 +0200

    backport CVE-2013-6420 from PHP 5.3 branch

 CVE-2013-6420.patch | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 php.spec            |   4 +-
 2 files changed, 108 insertions(+), 1 deletion(-)
---
diff --git a/php.spec b/php.spec
index 9fd16fd..d92c536 100644
--- a/php.spec
+++ b/php.spec
@@ -111,7 +111,7 @@ ERROR: You need to select at least one Apache SAPI to build shared modules.
 %define		magic_mime	/usr/share/misc/magic.mime
 %endif
 
-%define		rel		4
+%define		rel		5
 %define		orgname	php
 %define		ver_suffix 52
 %define		php_suffix %{!?with_default_php:%{ver_suffix}}
@@ -215,6 +215,7 @@ Patch69:	bug-50563.patch
 Patch70:	php-crypt-null.patch
 Patch71:	php-apache24.patch
 Patch72:	exif-crash-bug-36.patch
+Patch73:	CVE-2013-6420.patch
 # CENTALT patches
 # Backport from 5.3.6
 Patch311:	php-5.3.6-bug-47435.patch
@@ -1930,6 +1931,7 @@ done
 %patch70 -p1
 %patch71 -p1
 %patch72 -p1
+%patch73 -p1
 
 # Bugfix backport from 5.3.6
 %patch311 -p1 -b .bug-47435
diff --git a/CVE-2013-6420.patch b/CVE-2013-6420.patch
new file mode 100644
index 0000000..84900ff
--- /dev/null
+++ b/CVE-2013-6420.patch
@@ -0,0 +1,105 @@
+From: Stanislav Malyshev <stas at php.net>
+Date: Sun, 8 Dec 2013 19:40:18 +0000 (-0800)
+Subject: Fix CVE-2013-6420 - memory corruption in openssl_x509_parse
+X-Git-Tag: php-5.3.28~1
+X-Git-Url: http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415
+
+Fix CVE-2013-6420 - memory corruption in openssl_x509_parse
+---
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index e7672e4..0d2d644 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
+ 	char * thestr;
+ 	long gmadjust = 0;
+ 
+-	if (timestr->length < 13) {
+-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
++	if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
+ 		return (time_t)-1;
+ 	}
+ 
+-	strbuf = estrdup((char *)timestr->data);
++	if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
++		return (time_t)-1;
++	}
++
++	if (ASN1_STRING_length(timestr) < 13) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);
++		return (time_t)-1;
++	}
++
++	strbuf = estrdup((char *)ASN1_STRING_data(timestr));
+ 
+ 	memset(&thetime, 0, sizeof(thetime));
+ 
+ 	/* we work backwards so that we can use atoi more easily */
+ 
+-	thestr = strbuf + timestr->length - 3;
++	thestr = strbuf + ASN1_STRING_length(timestr) - 3;
+ 
+ 	thetime.tm_sec = atoi(thestr);
+ 	*thestr = '\0';
+diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt
+new file mode 100644
+index 0000000..4543314
+--- /dev/null
++++ b/ext/openssl/tests/cve-2013-6420.crt
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
++
++
+diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt
+new file mode 100644
+index 0000000..b946cf0
+--- /dev/null
++++ b/ext/openssl/tests/cve-2013-6420.phpt
+@@ -0,0 +1,18 @@
++--TEST--
++CVE-2013-6420
++--SKIPIF--
++<?php 
++if (!extension_loaded("openssl")) die("skip"); 
++?>
++--FILE--
++<?php
++$crt = substr(__FILE__, 0, -4).'.crt';
++$info = openssl_x509_parse("file://$crt");
++var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
++?>
++Done
++--EXPECTF--
++%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
++string(27) "stefan.esser at sektioneins.de"
++int(-1)
++Done
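Review bot: In the embedded ext/openssl/openssl.c hunk, the new length check passes `ASN1_STRING_data(timestr)` (an `unsigned char *`) to `strlen()` without the `(char *)` cast that the `estrdup` line carries, and compares the resulting `size_t` with the `int` from `ASN1_STRING_length()`. I would write it as `if ((size_t)ASN1_STRING_length(timestr) != strlen((const char *)ASN1_STRING_data(timestr))) {`, so the comparison is same-signed, a negative length is rejected, and the build stays free of pointer-sign warnings. The `< 13` branch still formats certificate-supplied bytes from `timestr->data` with `%s`, which is safe only because the preceding check has already run. A short comment there would protect the ordering, for example `/* length == strlen() verified above; keep this check after it */`. The type check also makes any non-UTCTime value return -1 with a warning, as the added .phpt expects, so callers presumably have to treat -1 as "not parsed"; asn1_time_to_time_t's body continues outside the hunk.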
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/php.git/commitdiff/b16376f618a0ed658ea12b1aa52e4360bca2176e


