Bug 997097 (CVE-2013-4248)

Summary: CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: angelo.alvarez, bleanhar, btotty, ccoleman, dmcphers, fedora, jdetiber, jialiu, jkurik, jorton, jtriplet, lmeyer, rcollet, rpm, tkramer, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20130813,reported=20130813,source=mageia,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-5/php=notaffected,rhel-5/php53=affected,rhel-6/php=affected,rhel-7/php=notaffected,rhscl-1/php54-php=affected,fedora-all/php=affected
Fixed In Version: php 5.4.18, php 5.5.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-05 04:06:03 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 998340, 998341, 998348, 998350, 998585    
Bug Blocks: 952520, 974906, 996775    

Description Vincent Danen 2013-08-14 12:17:02 EDT
Similar to Ruby (CVE-2013-4073) and Python (CVE-2013-4238), PHP also suffers from how it checked the hostname's identity when handling certificates that contain hostnames with NULL bytes.  An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

This has been corrected in upstream git:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897

While PHP referenced the Ruby CVE, one has not yet been assigned to PHP (requested):

http://www.openwall.com/lists/oss-security/2013/08/14/4
Comment 1 Vincent Danen 2013-08-15 02:24:42 EDT
This was assigned CVE-2013-4248:

http://www.openwall.com/lists/oss-security/2013/08/15/3
Comment 2 Vincent Danen 2013-08-16 11:39:42 EDT
This is fixed in PHP 5.4.18:

http://www.php.net/ChangeLog-5.php#5.4.18

But they used the Ruby CVE name incorrectly.
Comment 3 Vincent Danen 2013-08-16 16:28:09 EDT
Also fixed in 5.5.2:

http://www.php.net/ChangeLog-5.php#5.5.2
Comment 5 Huzaifa S. Sidhpurwala 2013-08-19 01:16:47 EDT
Created php tracking bugs for this issue:

Affects: fedora-all [bug 998341]
Comment 14 Fedora Update System 2013-08-23 20:05:31 EDT
php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Angelo Alvarez 2013-09-03 16:45:57 EDT
Any ideas when the fix for this CVE will make it into RHEL 5.9?
Comment 16 Fedora Update System 2013-09-08 19:25:47 EDT
php-5.4.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Tomas Hoger 2013-09-25 10:03:53 EDT
Related issue is CVE-2009-3291 / bug 524228, which correct similar problem in CommonName handling, but failed to correct subjectAltName handling corrected as part of this bug / CVE.
Comment 20 errata-xmlrpc 2013-09-30 18:15:04 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html
Comment 27 errata-xmlrpc 2013-11-21 06:19:09 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html
Comment 33 Huzaifa S. Sidhpurwala 2013-12-05 04:05:24 EST
Statement:

This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 5 or the version of php54 as shipped with Red Hat Software Collections 1.