Bug 181546 - security/php53-openssl: Fix CVE-2013-4073
Summary: security/php53-openssl: Fix CVE-2013-4073
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Florian Smeets
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-26 12:10 UTC by Renato Botelho
Modified: 2013-08-29 17:48 UTC (History)
0 users

See Also:

Attachments
file.diff (3.89 KB, patch)
2013-08-26 12:10 UTC, Renato Botelho 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2013-08-26 12:11:50 UTC 
Responsible Changed
From-To: freebsd-ports-bugs->flo

Over to maintainer (via the GNATS Auto Assign Tool)
Comment 2 Florian Smeets 2013-08-26 23:16:29 UTC 
Approved. Thanks. Not sure why there is no 5.3.28, yet.
Comment 3 Renato Botelho freebsd_committer freebsd_triage 2013-08-26 23:54:42 UTC 
On 26-08-2013 19:16, Florian Smeets wrote:
> Approved. Thanks. Not sure why there is no 5.3.28, yet.
> 


Thank you!

5.3.27 was the latest release of 5.3 series.

-- 
Renato Botelho <garga     @ FreeBSD.org>
               <garga.bsd @ gmail.com>
GnuPG Key: http://www.FreeBSD.org/~garga/pubkey.asc
Comment 4 dfilter service freebsd_committer freebsd_triage 2013-08-27 11:33:59 UTC 
Author: garga
Date: Tue Aug 27 10:33:45 2013
New Revision: 325434
URL: http://svnweb.freebsd.org/changeset/ports/325434

Log:
  - Add a patch to fix CVE-2013-4073
  - Bump php53-openssl PORTREVISION
  
  PR:		ports/181546
  Submitted by:	garga@
  Approved by:	flo@ (maintainer)
  Obtained from:	http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/openssl/openssl.c;h=c32748cb6443a4d8e4bb14fe96ad72e32ec8acff;hp=d7ac117e51c8f5d8ab0632c276af48d610b4b19e;hb=2874696a5a8d46639d261571f915c493cd875897;hpb=f4dc2240a048050a87a6e3e31573f13a2256cf2e
  Security:	CVE-2013-4073

Added:
  head/lang/php53/files/patch-ext_openssl_openssl.c   (contents, props changed)
Modified:
  head/security/php53-openssl/Makefile   (contents, props changed)

Added: head/lang/php53/files/patch-ext_openssl_openssl.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/lang/php53/files/patch-ext_openssl_openssl.c	Tue Aug 27 10:33:45 2013	(r325434)
@@ -0,0 +1,111 @@
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index d7ac117..c32748c 100644
+--- ext/openssl/openssl.c
++++ ext/openssl/openssl.c
+@@ -1398,6 +1398,74 @@ PHP_FUNCTION(openssl_x509_check_private_key)
+ }
+ /* }}} */
+ 
++/* Special handling of subjectAltName, see CVE-2013-4073
++ * Christian Heimes
++ */
++
++static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
++{
++	GENERAL_NAMES *names;
++	const X509V3_EXT_METHOD *method = NULL;
++	long i, length, num;
++	const unsigned char *p;
++
++	method = X509V3_EXT_get(extension);
++	if (method == NULL) {
++		return -1;
++	}
++
++	p = extension->value->data;
++	length = extension->value->length;
++	if (method->it) {
++		names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
++						       ASN1_ITEM_ptr(method->it)));
++	} else {
++		names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
++	}
++	if (names == NULL) {
++		return -1;
++	}
++
++	num = sk_GENERAL_NAME_num(names);
++	for (i = 0; i < num; i++) {
++			GENERAL_NAME *name;
++			ASN1_STRING *as;
++			name = sk_GENERAL_NAME_value(names, i);
++			switch (name->type) {
++				case GEN_EMAIL:
++					BIO_puts(bio, "email:");
++					as = name->d.rfc822Name;
++					BIO_write(bio, ASN1_STRING_data(as),
++						  ASN1_STRING_length(as));
++					break;
++				case GEN_DNS:
++					BIO_puts(bio, "DNS:");
++					as = name->d.dNSName;
++					BIO_write(bio, ASN1_STRING_data(as),
++						  ASN1_STRING_length(as));
++					break;
++				case GEN_URI:
++					BIO_puts(bio, "URI:");
++					as = name->d.uniformResourceIdentifier;
++					BIO_write(bio, ASN1_STRING_data(as),
++						  ASN1_STRING_length(as));
++					break;
++				default:
++					/* use builtin print for GEN_OTHERNAME, GEN_X400,
++					 * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
++					 */
++					GENERAL_NAME_print(bio, name);
++			}
++			/* trailing ', ' except for last element */
++			if (i < (num - 1)) {
++				BIO_puts(bio, ", ");
++			}
++	}
++	sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
++
++	return 0;
++}
++
+ /* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true])
+    Returns an array of the fields/values of the CERT */
+ PHP_FUNCTION(openssl_x509_parse)
+@@ -1494,15 +1562,29 @@ PHP_FUNCTION(openssl_x509_parse)
+ 
+ 
+ 	for (i = 0; i < X509_get_ext_count(cert); i++) {
++		int nid;
+ 		extension = X509_get_ext(cert, i);
+-		if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) {
++		nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
++		if (nid != NID_undef) {
+ 			extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
+ 		} else {
+ 			OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
+ 			extname = buf;
+ 		}
+ 		bio_out = BIO_new(BIO_s_mem());
+-		if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
++		if (nid == NID_subject_alt_name) {
++			if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
++				add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
++			} else {
++				zval_dtor(return_value);
++				if (certresource == -1 && cert) {
++					X509_free(cert);
++				}
++				BIO_free(bio_out);
++				RETURN_FALSE;
++			}
++		}
++		else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
+ 			BIO_get_mem_ptr(bio_out, &bio_buf);
+ 			add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
+ 		} else {

Modified: head/security/php53-openssl/Makefile
==============================================================================
--- head/security/php53-openssl/Makefile	Tue Aug 27 09:08:47 2013	(r325433)
+++ head/security/php53-openssl/Makefile	Tue Aug 27 10:33:45 2013	(r325434)
@@ -5,6 +5,8 @@
 # $FreeBSD$
 #
 
+PORTREVISION=	1
+
 CATEGORIES=	security
 
 MASTERDIR=	${.CURDIR}/../../lang/php53
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 5 dfilter service freebsd_committer freebsd_triage 2013-08-27 13:03:03 UTC 
Author: garga
Date: Tue Aug 27 12:02:49 2013
New Revision: 325438
URL: http://svnweb.freebsd.org/changeset/ports/325438

Log:
  MFH 325434:
  
  - Add a patch to fix CVE-2013-4073
  - Bump php53-openssl PORTREVISION
  
  PR:		ports/181546
  Submitted by:	garga@
  Approved by:	portmgr (erwin), flo@ (maintainer)
  Obtained from:	http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/openssl/openssl.c;h=c32748cb6443a4d8e4bb14fe96ad72e32ec8acff;hp=d7ac117e51c8f5d8ab0632c276af48d610b4b19e;hb=2874696a5a8d46639d261571f915c493cd875897;hpb=f4dc2240a048050a87a6e3e31573f13a2256cf2e
  Security:	CVE-2013-4073

Added:
  branches/RELENG_9_2_0/lang/php53/files/patch-ext_openssl_openssl.c
     - copied unchanged from r325434, head/lang/php53/files/patch-ext_openssl_openssl.c
Modified:
  branches/RELENG_9_2_0/security/php53-openssl/Makefile   (contents, props changed)
Directory Properties:
  branches/RELENG_9_2_0/   (props changed)

Copied: branches/RELENG_9_2_0/lang/php53/files/patch-ext_openssl_openssl.c (from r325434, head/lang/php53/files/patch-ext_openssl_openssl.c)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/RELENG_9_2_0/lang/php53/files/patch-ext_openssl_openssl.c	Tue Aug 27 12:02:49 2013	(r325438, copy of r325434, head/lang/php53/files/patch-ext_openssl_openssl.c)
@@ -0,0 +1,111 @@
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index d7ac117..c32748c 100644
+--- ext/openssl/openssl.c
++++ ext/openssl/openssl.c
+@@ -1398,6 +1398,74 @@ PHP_FUNCTION(openssl_x509_check_private_key)
+ }
+ /* }}} */
+ 
++/* Special handling of subjectAltName, see CVE-2013-4073
++ * Christian Heimes
++ */
++
++static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
++{
++	GENERAL_NAMES *names;
++	const X509V3_EXT_METHOD *method = NULL;
++	long i, length, num;
++	const unsigned char *p;
++
++	method = X509V3_EXT_get(extension);
++	if (method == NULL) {
++		return -1;
++	}
++
++	p = extension->value->data;
++	length = extension->value->length;
++	if (method->it) {
++		names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
++						       ASN1_ITEM_ptr(method->it)));
++	} else {
++		names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
++	}
++	if (names == NULL) {
++		return -1;
++	}
++
++	num = sk_GENERAL_NAME_num(names);
++	for (i = 0; i < num; i++) {
++			GENERAL_NAME *name;
++			ASN1_STRING *as;
++			name = sk_GENERAL_NAME_value(names, i);
++			switch (name->type) {
++				case GEN_EMAIL:
++					BIO_puts(bio, "email:");
++					as = name->d.rfc822Name;
++					BIO_write(bio, ASN1_STRING_data(as),
++						  ASN1_STRING_length(as));
++					break;
++				case GEN_DNS:
++					BIO_puts(bio, "DNS:");
++					as = name->d.dNSName;
++					BIO_write(bio, ASN1_STRING_data(as),
++						  ASN1_STRING_length(as));
++					break;
++				case GEN_URI:
++					BIO_puts(bio, "URI:");
++					as = name->d.uniformResourceIdentifier;
++					BIO_write(bio, ASN1_STRING_data(as),
++						  ASN1_STRING_length(as));
++					break;
++				default:
++					/* use builtin print for GEN_OTHERNAME, GEN_X400,
++					 * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
++					 */
++					GENERAL_NAME_print(bio, name);
++			}
++			/* trailing ', ' except for last element */
++			if (i < (num - 1)) {
++				BIO_puts(bio, ", ");
++			}
++	}
++	sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
++
++	return 0;
++}
++
+ /* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true])
+    Returns an array of the fields/values of the CERT */
+ PHP_FUNCTION(openssl_x509_parse)
+@@ -1494,15 +1562,29 @@ PHP_FUNCTION(openssl_x509_parse)
+ 
+ 
+ 	for (i = 0; i < X509_get_ext_count(cert); i++) {
++		int nid;
+ 		extension = X509_get_ext(cert, i);
+-		if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) {
++		nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
++		if (nid != NID_undef) {
+ 			extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
+ 		} else {
+ 			OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
+ 			extname = buf;
+ 		}
+ 		bio_out = BIO_new(BIO_s_mem());
+-		if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
++		if (nid == NID_subject_alt_name) {
++			if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
++				add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
++			} else {
++				zval_dtor(return_value);
++				if (certresource == -1 && cert) {
++					X509_free(cert);
++				}
++				BIO_free(bio_out);
++				RETURN_FALSE;
++			}
++		}
++		else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
+ 			BIO_get_mem_ptr(bio_out, &bio_buf);
+ 			add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
+ 		} else {

Modified: branches/RELENG_9_2_0/security/php53-openssl/Makefile
==============================================================================
--- branches/RELENG_9_2_0/security/php53-openssl/Makefile	Tue Aug 27 11:39:42 2013	(r325437)
+++ branches/RELENG_9_2_0/security/php53-openssl/Makefile	Tue Aug 27 12:02:49 2013	(r325438)
@@ -5,6 +5,8 @@
 # $FreeBSD$
 #
 
+PORTREVISION=	1
+
 CATEGORIES=	security
 
 MASTERDIR=	${.CURDIR}/../../lang/php53
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
Comment 6 Florian Smeets freebsd_committer freebsd_triage 2013-08-29 17:48:07 UTC 
State Changed
From-To: open->closed

This has been committed