[tracking] Check php crypto primatives
Closed, ResolvedPublic

Description

Several php-specific issues were called out in,

http://seclists.org/oss-sec/2016/q1/5

  • libraries using phpecc are vulnerable to timing attacks with ecdsa signatures (we're not using them, afair), but should probably verify that across all extensions
  • They critique a common implementation of hash_equals, which I think we use, showing that you need to use mb_strlen. Check if that applies to us
  • They make vague allegations against php-gpg. We should look into those with @Tgr.
csteipp created this task.Jan 4 2016, 3:50 PM
csteipp updated the task description. (Show Details)
csteipp raised the priority of this task from to Needs Triage.
csteipp added a project: Security.
csteipp changed the visibility from "Public (No Login Required)" to "Custom Policy".
csteipp changed the edit policy from "All Users" to "Custom Policy".
csteipp changed Security from None to Software security bug.
csteipp added subscribers: csteipp, Tgr.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 4 2016, 3:50 PM
Anomie added a subscriber: Anomie.Jan 4 2016, 5:39 PM

They critique a common implementation of hash_equals, which I think we use, showing that you need to use mb_strlen.

Or don't use mbstring.func_overload = 2. Do we support that configuration?

Bawolff added a subscriber: Bawolff.Jan 4 2016, 6:19 PM

Installer should stop people, but they could enable it after the fact:

protected function envCheckMbstring() {
        if ( wfIniGetBool( 'mbstring.func_overload' ) ) {
                $this->showError( 'config-mbstring' );

                return false;
        }

        return true;
}
Tgr added a comment.EditedJan 4 2016, 6:36 PM

They make vague allegations against php-gpg. We should look into those with @Tgr.

That seems to be about php-gpg (a pure-PHP reimplementation of GPG, down to crypto primitives), not gnupg (which is a frontend for the gpg binary). Also, the two MediaWiki extensions that AFAIK use GPG (SecurePoll and GPGMail) call the binary directly (although I want to add gnupg support to GPGMail eventually).

Anomie added a comment.Jan 4 2016, 7:16 PM

Installer should stop people, but they could enable it after the fact:

protected function envCheckMbstring() {
        if ( wfIniGetBool( 'mbstring.func_overload' ) ) {
                $this->showError( 'config-mbstring' );
 
                return false;
        }
 
        return true;
}

So,

?

csteipp triaged this task as Normal priority.Jan 12 2016, 10:29 PM
csteipp updated the task description. (Show Details)Jan 14 2016, 10:16 PM
csteipp closed this task as Resolved.Jan 14 2016, 10:20 PM
csteipp claimed this task.

Deployed

.

Looked through our extensions for any using phpecc-- none in our repos. I originally thought php-jwt was vulnerable, but it's using openssl.

mmodell added a subscriber: mmodell.Mar 8 2016, 9:04 PM

this should have been removed from /srv/patches?

this should have been removed from /srv/patches?

No, it should still be applied until 1.26.3 is released.

demon changed the visibility from "Custom Policy" to "Public (No Login Required)".May 20 2016, 5:27 PM
demon changed the edit policy from "Custom Policy" to "All Users".
demon changed Security from Software security bug to None.
Restricted Application added a subscriber: Malyacko. · View Herald TranscriptMay 20 2016, 5:27 PM