Bug 997097 (CVE-2013-4248) - CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
Summary: CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4248
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 998340 998341 998348 998350 998585
Blocks: 952520 974906 996775
TreeView+ depends on / blocked
 
Reported: 2013-08-14 16:17 UTC by Vincent Danen
Modified: 2021-02-17 07:25 UTC (History)
16 users (show)

Fixed In Version: php 5.4.18, php 5.5.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-05 09:06:03 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Article) 11258 0 None None None Never
Red Hat Product Errata RHSA-2013:1307 0 normal SHIPPED_LIVE Moderate: php53 security, bug fix and enhancement update 2013-10-01 00:31:22 UTC
Red Hat Product Errata RHSA-2013:1615 0 normal SHIPPED_LIVE Moderate: php security, bug fix, and enhancement update 2013-11-20 21:38:52 UTC

Description Vincent Danen 2013-08-14 16:17:02 UTC 
Similar to Ruby (CVE-2013-4073) and Python (CVE-2013-4238), PHP also suffers from how it checked the hostname's identity when handling certificates that contain hostnames with NULL bytes.  An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

This has been corrected in upstream git:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897

While PHP referenced the Ruby CVE, one has not yet been assigned to PHP (requested):

http://www.openwall.com/lists/oss-security/2013/08/14/4
Comment 1 Vincent Danen 2013-08-15 06:24:42 UTC 
This was assigned CVE-2013-4248:

http://www.openwall.com/lists/oss-security/2013/08/15/3
Comment 2 Vincent Danen 2013-08-16 15:39:42 UTC 
This is fixed in PHP 5.4.18:

http://www.php.net/ChangeLog-5.php#5.4.18

But they used the Ruby CVE name incorrectly.
Comment 3 Vincent Danen 2013-08-16 20:28:09 UTC 
Also fixed in 5.5.2:

http://www.php.net/ChangeLog-5.php#5.5.2
Comment 5 Huzaifa S. Sidhpurwala 2013-08-19 05:16:47 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 998341]
Comment 11 Remi Collet 2013-08-19 09:06:16 UTC 
PHP 5.3 related commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b

PHP 5.4 and 5.5 related commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=2874696a5a8d46639d261571f915c493cd875897
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b

The second commit is a fix for the fix.
Comment 14 Fedora Update System 2013-08-24 00:05:31 UTC 
php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Angelo Alvarez 2013-09-03 20:45:57 UTC 
Any ideas when the fix for this CVE will make it into RHEL 5.9?
Comment 16 Fedora Update System 2013-09-08 23:25:47 UTC 
php-5.4.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Tomas Hoger 2013-09-25 14:03:53 UTC 
Related issue is CVE-2009-3291 / bug 524228, which correct similar problem in CommonName handling, but failed to correct subjectAltName handling corrected as part of this bug / CVE.
Comment 20 errata-xmlrpc 2013-09-30 22:15:04 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html
Comment 27 errata-xmlrpc 2013-11-21 11:19:09 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html
Comment 33 Huzaifa S. Sidhpurwala 2013-12-05 09:05:24 UTC 
Statement:

This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 5 or the version of php54 as shipped with Red Hat Software Collections 1.
Note You need to log in before you can comment on or make changes to this bug.