Bug 997097 - (CVE-2013-4248) CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
CVE-2013-4248 php: hostname check bypassing vulnerability in SSL client
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130813,repor...
: Security
Depends On: 998340 998341 998348 998350 998585
Blocks: 952520 974906 996775
  Show dependency treegraph
 
Reported: 2013-08-14 12:17 EDT by Vincent Danen
Modified: 2015-10-15 13:57 EDT (History)
16 users (show)

See Also:
Fixed In Version: php 5.4.18, php 5.5.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-05 04:06:03 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Article) 11258 None None None Never

  None (edit)
Description Vincent Danen 2013-08-14 12:17:02 EDT
Similar to Ruby (CVE-2013-4073) and Python (CVE-2013-4238), PHP also suffers from how it checked the hostname's identity when handling certificates that contain hostnames with NULL bytes.  An attacker could potentially exploit this flaw to conduct man-in-the-middle attacks to spoof SSL servers. Note that to exploit this issue, an attacker would need to obtain a carefully-crafted certificate signed by an authority that the client trusts.

This has been corrected in upstream git:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897

While PHP referenced the Ruby CVE, one has not yet been assigned to PHP (requested):

http://www.openwall.com/lists/oss-security/2013/08/14/4
Comment 1 Vincent Danen 2013-08-15 02:24:42 EDT
This was assigned CVE-2013-4248:

http://www.openwall.com/lists/oss-security/2013/08/15/3
Comment 2 Vincent Danen 2013-08-16 11:39:42 EDT
This is fixed in PHP 5.4.18:

http://www.php.net/ChangeLog-5.php#5.4.18

But they used the Ruby CVE name incorrectly.
Comment 3 Vincent Danen 2013-08-16 16:28:09 EDT
Also fixed in 5.5.2:

http://www.php.net/ChangeLog-5.php#5.5.2
Comment 5 Huzaifa S. Sidhpurwala 2013-08-19 01:16:47 EDT
Created php tracking bugs for this issue:

Affects: fedora-all [bug 998341]
Comment 14 Fedora Update System 2013-08-23 20:05:31 EDT
php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Angelo Alvarez 2013-09-03 16:45:57 EDT
Any ideas when the fix for this CVE will make it into RHEL 5.9?
Comment 16 Fedora Update System 2013-09-08 19:25:47 EDT
php-5.4.19-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Tomas Hoger 2013-09-25 10:03:53 EDT
Related issue is CVE-2009-3291 / bug 524228, which correct similar problem in CommonName handling, but failed to correct subjectAltName handling corrected as part of this bug / CVE.
Comment 20 errata-xmlrpc 2013-09-30 18:15:04 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1307 https://rhn.redhat.com/errata/RHSA-2013-1307.html
Comment 27 errata-xmlrpc 2013-11-21 06:19:09 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1615 https://rhn.redhat.com/errata/RHSA-2013-1615.html
Comment 33 Huzaifa S. Sidhpurwala 2013-12-05 04:05:24 EST
Statement:

This issue does not affect the version of php as shipped with Red Hat Enterprise Linux 5 or the version of php54 as shipped with Red Hat Software Collections 1.

Note You need to log in before you can comment on or make changes to this bug.