http://git.php.net/?p=php-src.git;a=commit;h=8f4a5373bb71590352fd934028d6dde5bc18530b

56829

MDVSA-2014:027

http://www.php.net/ChangeLog-5.php

65533

1029767

USN-2126-1

https://bugs.php.net/bug.php?id=66356

https://bugzilla.redhat.com/show_bug.cgi?id=1065108

php-cve20137226-bo(91099)

https://github.com/php/php-src/commit/2938329ce19cb8c4197dec146c3ec887c6f61d01

According to its banner, the version of PHP installed on the remote host is a development version of 5.6.0. It is, therefore, affected by multiple vulnerabilities.

Note that Nessus has not attempted to exploit this issue but has instead relied only on application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201408-11 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker can cause arbitrary code execution, create       a Denial of Service condition, read or write arbitrary files, impersonate       other servers, hijack a web session, or have other unspecified impact.
      Additionally, a local attacker could gain escalated privileges.
  Workaround :

    There is no known workaround at this time.

Bernd Melchers discovered that PHP's embedded libmagic library incorrectly handled indirect offset values. An attacker could use this issue to cause PHP to consume resources or crash, resulting in a denial of service. (CVE-2014-1943)

It was discovered that PHP incorrectly handled certain values when using the imagecrop function. An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 13.10. (CVE-2013-7226, CVE-2013-7327, CVE-2013-7328, CVE-2014-2020).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP 5.5.x prior to 5.5.9 are exposed to the following issues related to the GD extension :

  - A heap-based buffer overflow error exists related to the functions 'gdImageCrop' and 'imagecrop' that could allow denial of service attacks and possibly arbitrary code execution. (CVE-2013-7226)

  - An error exists in the function 'gdImageCrop' related to return value checking that could lead to use of NULL pointers and denial of service attacks. (CVE-2013-7327)

 - Multiple integer signedness errors exist in the function 'gdImageCrop' that could allow denial of service attacks and information disclosure. (CVE-2013-7328)

 - A data type checking error exists that could allow information disclosure. (CVE-2014-2020)



According to its banner, the version of PHP 5.5.x installed on the remote host is a version prior to 5.5.9.  It is, therefore, potentially affected by the following vulnerabilities related to the GD extension :

  - A heap-based buffer overflow error exists related to     the functions 'gdImageCrop' and 'imagecrop' that could     allow denial of service attacks and possibly arbitrary     code execution. (CVE-2013-7226) 

  - An error exists in the function 'gdImageCrop' related     to return value checking that could lead to use of     NULL pointers and denial of service attacks.
    (CVE-2013-7327)

  - Multiple integer signedness errors exist in the     function 'gdImageCrop' that could allow denial of     service attacks and information disclosure.
    (CVE-2013-7328)

  - A data type checking error exists that could allow     information disclosure. (CVE-2014-2020)

Note that this plugin does not attempt to exploit these issues, but instead relies only on PHP's self-reported version number.

A vulnerability has been discovered and corrected in php :

  - Fixed bug #66356 (Heap Overflow Vulnerability in     imagecrop()) (CVE-2013-7226).

The updated php packages have been upgraded to the 5.5.9 version which is not vulnerable to this issue.

Additionally, the PECL packages which requires so has been rebuilt for php-5.5.9. The libmbfl packages has been synced with the changes as of php-5.5.9 and the onig packages has been upgraded to the 5.9.5 version.

ID	Name	Product	Family	Severity
78556	PHP 5.6.0 Multiple Vulnerabilities	Nessus	CGI abuses	high
77455	GLSA-201408-11 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
72799	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : php5 vulnerabilities (USN-2126-1)	Nessus	Ubuntu Local Security Checks	medium
8125	PHP 5.5.x < 5.5.9 GD Extension Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
72511	PHP 5.5.x < 5.5.9 GD Extension Multiple Vulnerabilities	Nessus	CGI abuses	medium
72468	Mandriva Linux Security Advisory : php (MDVSA-2014:027)	Nessus	Mandriva Local Security Checks	medium

CVE-2013-7226

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

medium

high

medium

medium