Bug 997097 (CVE-2013-4248)

Summary: CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: angelo.alvarez, bleanhar, btotty, ccoleman, dmcphers, fedora, jdetiber, jialiu, jkurik, jorton, jtriplet, lmeyer, rcollet, rpm, tkramer, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.4.18, php 5.5.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-05 09:06:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 998340, 998341, 998348, 998350, 998585    
Bug Blocks: 952520, 974906, 996775    

Description Vincent Danen 2013-08-14 16:17:02 UTC 
Similar to Ruby (CVE-2013-4073) and Python (CVE-2013-4238), PHP also suffers from how it checked the hostname's identity when handling certificates that contain hostnames with NULL bytes.  An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

This has been corrected in upstream git:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897

While PHP referenced the Ruby CVE, one has not yet been assigned to PHP (requested):

http://www.openwall.com/lists/oss-security/2013/08/14/4
Comment 1 Vincent Danen 2013-08-15 06:24:42 UTC 
This was assigned CVE-2013-4248:

http://www.openwall.com/lists/oss-security/2013/08/15/3
Comment 2 Vincent Danen 2013-08-16 15:39:42 UTC 
This is fixed in PHP 5.4.18:

http://www.php.net/ChangeLog-5.php#5.4.18

But they used the Ruby CVE name incorrectly.
Comment 3 Vincent Danen 2013-08-16 20:28:09 UTC 
Also fixed in 5.5.2:

http://www.php.net/ChangeLog-5.php#5.5.2
Comment 5 Huzaifa S. Sidhpurwala 2013-08-19 05:16:47 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 998341]
Comment 11 Remi Collet 2013-08-19 09:06:16 UTC 
PHP 5.3 related commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b

PHP 5.4 and 5.5 related commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=2874696a5a8d46639d261571f915c493cd875897
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b

The second commit is a fix for the fix.
Comment 14 Fedora Update System 2013-08-24 00:05:31 UTC 
php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Angelo Alvarez 2013-09-03 20:45:57 UTC 
Any ideas when the fix for this CVE will make it into RHEL 5.9?
Comment 16 Fedora Update System 2013-09-08 23:25:47 UTC 
php-5.4.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Tomas Hoger 2013-09-25 14:03:53 UTC 
Related issue is CVE-2009-3291 / bug 524228, which correct similar problem in CommonName handling, but failed to correct subjectAltName handling corrected as part of this bug / CVE.
Comment 20 errata-xmlrpc 2013-09-30 22:15:04 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html
Comment 27 errata-xmlrpc 2013-11-21 11:19:09 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html
Comment 33 Huzaifa S. Sidhpurwala 2013-12-05 09:05:24 UTC 
Statement:

This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 5 or the version of php54 as shipped with Red Hat Software Collections 1.