Page MenuHomePhabricator
Create Task
Maniphest T122807

[tracking] Check php crypto primatives
Closed, ResolvedPublic
Actions

Description

Several php-specific issues were called out in,

http://seclists.org/oss-sec/2016/q1/5

  • libraries using phpecc are vulnerable to timing attacks with ecdsa signatures (we're not using them, afair), but should probably verify that across all extensions
  • They critique a common implementation of hash_equals, which I think we use, showing that you need to use mb_strlen. Check if that applies to us
  • They make vague allegations against php-gpg. We should look into those with @Tgr.

Related Objects
Search...

Event Timeline

csteipp created this task.Jan 4 2016, 3:50 PM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description. (Show Details)
csteipp added a project: acl*security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Tgr.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 4 2016, 3:50 PM
Anomie subscribed.Jan 4 2016, 5:39 PM

They critique a common implementation of hash_equals, which I think we use, showing that you need to use mb_strlen.

Or don't use mbstring.func_overload = 2. Do we support that configuration?

Bawolff subscribed.Jan 4 2016, 6:19 PM

Installer should stop people, but they could enable it after the fact:

protected function envCheckMbstring() {
        if ( wfIniGetBool( 'mbstring.func_overload' ) ) {
                $this->showError( 'config-mbstring' );

                return false;
        }

        return true;
}
Tgr added a comment.EditedJan 4 2016, 6:36 PM

They make vague allegations against php-gpg. We should look into those with @Tgr.

That seems to be about php-gpg (a pure-PHP reimplementation of GPG, down to crypto primitives), not gnupg (which is a frontend for the gpg binary). Also, the two MediaWiki extensions that AFAIK use GPG (SecurePoll and GPGMail) call the binary directly (although I want to add gnupg support to GPGMail eventually).

Anomie added a comment.Jan 4 2016, 7:16 PM
In T122807#1914677, @Bawolff wrote:

Installer should stop people, but they could enable it after the fact:

protected function envCheckMbstring() {
        if ( wfIniGetBool( 'mbstring.func_overload' ) ) {
                $this->showError( 'config-mbstring' );

                return false;
        }

        return true;
}

So,

0001-SECURITY-Check-for-mbstring.func_overload-at-runtime.patch1 KBDownload
?

csteipp triaged this task as Medium priority.Jan 12 2016, 10:29 PM
csteipp updated the task description. (Show Details)Jan 14 2016, 10:16 PM
csteipp closed this task as Resolved.Jan 14 2016, 10:20 PM
csteipp claimed this task.

Deployed

0001-SECURITY-Check-for-mbstring.func_overload-at-runtime.patch1 KBDownload
.

Looked through our extensions for any using phpecc-- none in our repos. I originally thought php-jwt was vulnerable, but it's using openssl.

csteipp added a parent task: T124940: MediaWiki 1.26.3 security release.Jan 28 2016, 1:34 AM
mmodell subscribed.Mar 8 2016, 9:04 PM

this should have been removed from /srv/patches?

csteipp added a comment.Mar 8 2016, 9:10 PM
In T122807#2100642, @mmodell wrote:

this should have been removed from /srv/patches?

No, it should still be applied until 1.26.3 is released.

demon mentioned this in T124940: MediaWiki 1.26.3 security release.Apr 20 2016, 3:09 PM
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:27 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:27 PM
chasemp added a project: Security.Feb 10 2020, 10:59 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:17 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL