The PHP Function openssl_x509_parse
The PHP function openssl_x509_parse is used for parsing the certificate data from x509certdata. A small helper function is also provided for converting the timestamps from the x509certdata to integer timestamp values.
A memory corruption flaw was discovered in the way the openssl_x509_parse() function of the PHP OpenSSL extension parsed X.509 certificates. A remote attacker could use this flaw to provide a malicious or self-signed certificate to a PHP application that calls openssl_x509_parse() and cause it to crash or execute arbitrary code with the privileges of the user running the web server.
This issue arose because the parser uses the helper function asn1_time_to_time_t() to convert timestamps from ASN1 string format into integer timestamp values. This function is not binary safe and can be tricked into writing up to five NUL bytes outside of an allocated buffer. Depending on how openssl_x509_parse() is used inside a web application, this may result in a crash or arbitrary code execution. The flaw has been fixed in PHP 5.4.23 and later. It can be triggered by a malicious certificate signed by a compromised/malicious CA, or by a self-signed certificate.
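As an added illustration (not code from PHP or from the original page), the following C sketch shows what a binary-safe timestamp conversion looks like: it trusts only the length carried in the ASN.1 string, rejects embedded NUL bytes, and never writes into the input buffer. The names parse_utctime and cert_time are hypothetical, and only the 13-byte UTCTime form YYMMDDHHMMSSZ is handled.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper type (not PHP's code): decoded fields of a UTCTime. */
struct cert_time { int year, mon, day, hour, min, sec; };

/* Read two ASCII digits at p; returns -1 if either byte is not a digit. */
static int two_digits(const unsigned char *p)
{
    if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9')
        return -1;
    return (p[0] - '0') * 10 + (p[1] - '0');
}

/*
 * Binary-safe parse of an ASN.1 UTCTime value "YYMMDDHHMMSSZ".
 * data/len come straight from the decoded string; data need not be
 * NUL-terminated. Returns 0 on success, -1 on malformed input.
 * The input buffer is never modified.
 */
int parse_utctime(const unsigned char *data, size_t len, struct cert_time *out)
{
    int f[6];
    size_t i;

    if (data == NULL || out == NULL)
        return -1;
    if (len != 13)                        /* exact length from the ASN.1 header */
        return -1;
    if (memchr(data, '\0', len) != NULL)  /* embedded NUL: strlen() would disagree */
        return -1;
    if (data[12] != 'Z')
        return -1;
    for (i = 0; i < 6; i++) {
        f[i] = two_digits(data + 2 * i);
        if (f[i] < 0)
            return -1;
    }
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59)
        return -1;
    /* RFC 5280: two-digit years 00-49 mean 20YY, 50-99 mean 19YY. */
    out->year = f[0] + (f[0] < 50 ? 2000 : 1900);
    out->mon = f[1]; out->day = f[2];
    out->hour = f[3]; out->min = f[4]; out->sec = f[5];
    return 0;
}
```

The key property is that every bounds decision uses the declared length, so a timestamp field whose C-string length differs from its ASN.1 length is rejected instead of being processed.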
openssl_x509_parse() returns information about the supplied x509cert; fields such as subject name, issuer name, purposes, valid from and valid to dates, etc. are indexed here. The option shortnames controls how the fields are indexed: if this is TRUE then the fields will be indexed in their short form, otherwise the long name (e.g. CN) will be used. The structure of this returned data is (deliberately) not yet documented, as it is still subject to change.