Fix CVE-2013-6420 - memory corruption in openssl_x509_parse

author: Stanislav Malyshev <stas@php.net> 2013-12-08 11:40:18 -0800
committer: Stanislav Malyshev <stas@php.net> 2013-12-10 11:03:49 -0800
commit: c1224573c773b6845e83505f717fbf820fc18415 (patch)
tree: 5e98dac7a7db8d9ec28387112d46da239c90b3b4
parent: 32873cd0ddea7df8062213bb025beb6fb070e59d (diff)
download: php-git-c1224573c773b6845e83505f717fbf820fc18415.tar.gz
4 files changed, 64 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 70461d97d8..8abf65e05b 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,12 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2013, PHP 5.3.28
+12 Dec 2013, PHP 5.3.28
 
 - Openssl:
   . Fixed handling null bytes in subjectAltName (CVE-2013-4073).
     (Christian Heimes)
+  . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420).
+    (Stefan Esser).
 
 11 Jul 2013, PHP 5.3.27
 
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index e7672e4a34..0d2d6442df 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
 	char * thestr;
 	long gmadjust = 0;
 
-	if (timestr->length < 13) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+	if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
 		return (time_t)-1;
 	}
 
-	strbuf = estrdup((char *)timestr->data);
+	if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
+		return (time_t)-1;
+	}
+
+	if (ASN1_STRING_length(timestr) < 13) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to parse time string %s correctly", timestr->data);
+		return (time_t)-1;
+	}
+
+	strbuf = estrdup((char *)ASN1_STRING_data(timestr));
 
 	memset(&thetime, 0, sizeof(thetime));
 
 	/* we work backwards so that we can use atoi more easily */
 
-	thestr = strbuf + timestr->length - 3;
+	thestr = strbuf + ASN1_STRING_length(timestr) - 3;
 
 	thetime.tm_sec = atoi(thestr);
 	*thestr = '\0';
diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt
new file mode 100644
index 0000000000..454331468b
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
+VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
+S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
+cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
+ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
+ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO
+b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT
+ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G
+A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz
+dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu
+wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh
+0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8
+pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6
+SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX
+1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw
+EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF
+BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD
+8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl
+VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7
+lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319
+o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg
+Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==
+-----END CERTIFICATE-----
+
+
diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt
new file mode 100644
index 0000000000..b946cf0dd9
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.phpt
@@ -0,0 +1,18 @@
+--TEST--
+CVE-2013-6420
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip"); 
+?>
+--FILE--
+<?php
+$crt = substr(__FILE__, 0, -4).'.crt';
+$info = openssl_x509_parse("file://$crt");
+var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
+?>
+Done
+--EXPECTF--
+%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
+string(27) "stefan.esser@sektioneins.de"
+int(-1)
+Done
author	Stanislav Malyshev <stas@php.net>	2013-12-08 11:40:18 -0800
committer	Stanislav Malyshev <stas@php.net>	2013-12-10 11:03:49 -0800
commit	c1224573c773b6845e83505f717fbf820fc18415 (patch)
tree	5e98dac7a7db8d9ec28387112d46da239c90b3b4
parent	32873cd0ddea7df8062213bb025beb6fb070e59d (diff)
download	php-git-c1224573c773b6845e83505f717fbf820fc18415.tar.gz