Bug 902365 - (CVE-2012-6113) CVE-2012-6113 php (openssl extension): Process memory sensitive information disclosure due to missing variable initialization
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120316,reported=2...
Keywords: Security
Blocks: 902366
Reported: 2013-01-21 08:50 EST by Jan Lieskovsky
Modified: 2015-07-31 02:57 EDT (History)
Doc Type: Bug Fix
Last Closed: 2013-01-30 00:58:57 EST
Attachments: None
Description Jan Lieskovsky 2013-01-21 08:50:16 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-6113 to the following vulnerability:

The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data.

References:
[1] http://openwall.com/lists/oss-security/2013/01/18/6
[2] http://git.php.net/?p=php-src.git;a=commit;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e
[3] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793
[4] https://bugs.php.net/bug.php?id=61413
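To make the root cause described above concrete, here is an added example in C; it is constructed for this page and is not PHP's ext/openssl code. It models the EVP_EncryptUpdate/EVP_EncryptFinal shape with a toy block cipher (XOR plus PKCS#7-style padding), shows in a comment how an output counter that is only set inside the "input is non-empty" branch becomes a stale stack value for zero-byte input, and implements the hardened wrapper that initializes the counter and bounds the returned length. The toy cipher, all function names and the exact variable layout of the vulnerable pattern are assumptions about the shape of the bug, not the actual PHP source.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 8

/* Constructed demo key for the example; not taken from the page. */
static const unsigned char demo_key[BLOCK] = {'k','0','k','1','k','2','k','3'};

typedef struct {
    unsigned char key[BLOCK];
    unsigned char buf[BLOCK];   /* partial block waiting for more input */
    int buffered;
} toy_ctx;

static void toy_init(toy_ctx *c, const unsigned char key[BLOCK]) {
    memcpy(c->key, key, BLOCK);
    c->buffered = 0;
}

/* Stand-in for block encryption: XOR the block with the key. */
static void toy_block(const toy_ctx *c, const unsigned char *in, unsigned char *out) {
    for (int i = 0; i < BLOCK; i++) out[i] = in[i] ^ c->key[i];
}

/* Mirrors EVP_EncryptUpdate: emits whole blocks, reports bytes written in *outl. */
static void toy_update(toy_ctx *c, unsigned char *out, int *outl,
                       const unsigned char *in, int inl) {
    *outl = 0;
    while (inl > 0) {
        int take = BLOCK - c->buffered;
        if (take > inl) take = inl;
        memcpy(c->buf + c->buffered, in, (size_t)take);
        c->buffered += take;
        in += take;
        inl -= take;
        if (c->buffered == BLOCK) {
            toy_block(c, c->buf, out + *outl);
            *outl += BLOCK;
            c->buffered = 0;
        }
    }
}

/* Mirrors EVP_EncryptFinal: PKCS#7-style padding, always emits one last block. */
static void toy_final(toy_ctx *c, unsigned char *out, int *outl) {
    unsigned char pad = (unsigned char)(BLOCK - c->buffered);
    memset(c->buf + c->buffered, pad, pad);
    toy_block(c, c->buf, out);
    *outl = BLOCK;
    c->buffered = 0;
}

/*
 * Assumed shape of the bug (pseudocode, deliberately NOT compiled here):
 * the update call is skipped for empty input, so the counter that is later
 * used as the write offset and as the returned length is never assigned.
 *
 *     int i;                                   // never initialized
 *     if (data_len > 0) update(..., &i, ...);  // skipped for ""
 *     final(out + i, &fin);                    // stale stack value as offset
 *     return string(out, i + fin);             // over-long string exposes heap
 */

/* Hardened wrapper: returns the ciphertext length, or -1 on error. */
int safe_encrypt(const unsigned char key[BLOCK], const unsigned char *data,
                 int data_len, unsigned char *out, int out_cap) {
    toy_ctx c;
    int written = 0;   /* FIX: well-defined even when the update branch is skipped */
    int fin = 0;
    int need;
    if (data_len < 0) return -1;
    need = (data_len / BLOCK + 1) * BLOCK;   /* worst case incl. padding block */
    if (out_cap < need) return -1;
    toy_init(&c, key);
    if (data_len > 0) toy_update(&c, out, &written, data, data_len);
    toy_final(&c, out + written, &fin);
    written += fin;
    if (written > out_cap) return -1;   /* never report more than was allocated */
    return written;
}

/* Convenience: ciphertext length for an input under the demo key. */
int encrypt_len(const unsigned char *data, int data_len) {
    unsigned char out[64];
    return safe_encrypt(demo_key, data, data_len, out, (int)sizeof out);
}

int main(void) {
    printf("empty input  -> %d bytes (exactly one padding block)\n",
           encrypt_len((const unsigned char *)"", 0));
    printf("11-byte input -> %d bytes\n",
           encrypt_len((const unsigned char *)"hello world", 11));
    return 0;
}
```

The point of the edge case: for zero bytes of input a block cipher still produces exactly one block of padding, so a correct wrapper returns a well-defined, short result; any wrapper whose length or offset depends on a counter assigned only inside the non-empty branch must initialize that counter before the branch.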
Comment 2 Remi Collet 2013-01-21 09:20:32 EST
I think this doesn't affect php (RHEL-6) or php53 (RHEL-5), which are 5.3.3 based.

According to the CVE, the issue was introduced in php-5.3.9 by
http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb

After checking, this is not applied in any of our patches.
Comment 4 Huzaifa S. Sidhpurwala 2013-01-30 00:58:21 EST
Statement:

Not Vulnerable. This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of php53 as shipped with Red Hat Enterprise Linux 5.
Comment 5 Huzaifa S. Sidhpurwala 2013-01-30 00:58:57 EST
This issue did NOT affect the versions of the php package as shipped with Fedora releases 16, 17, and 18.