http://advisories.mageia.org/MGASA-2015-0040.html

http://git.php.net/?p=php-src.git;a=commit;h=24125f0f26f3787c006e4a51611ba33ee3b841cb

http://git.php.net/?p=php-src.git;a=commit;h=2bcf69d073190e4f032d883f3416dea1b027a39e

http://git.php.net/?p=php-src.git;a=commit;h=fbf3a6bc1abcc8a5b5226b0ad9464c37f11ddbd6

APPLE-SA-2015-09-30-3

[oss-security] 20141229 Re: CVE Request: Double Free in PHP

RHSA-2015:1218

http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

71800

https://bugs.php.net/bug.php?id=68676

GLSA-201503-03

https://support.apple.com/HT205267

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.5. It is, therefore, affected by multiple vulnerabilities:

 - An out-of-bounds read flaw in file 'cgi_main.c' exists when nmap is used to process an invalid file that begins with a hash character (#) but lacks a newline character. A remote attacker, using a specially crafted PHP file, can exploit this vulnerability to disclose memory contents, cause a denial of service, or possibly execute code. (CVE-2014-9427)

 - An out-of-bounds read issue exists in the GetCode_() function in 'gd_gif_in.c'. This allows a remote attacker to disclose memory contents. (CVE-2014-9709)

 - A use-after-free memory error exists in the process_nested_data() function in 'var_unserializer.re' due to improper handling of duplicate numerical keys within the serialized properties of an object. A remote attacker, using a crafted unserialize method call, can exploit this vulnerability to execute arbitrary code. (CVE-2015-0231)

 - A flaw exists in the exif_process_unicode() function in 'exif.c' that allows freeing an uninitialized pointer. A remote attacker, using specially crafted EXIF data in a JPEG image, can exploit this to cause a denial of service or to execute arbitrary code. (CVE-2015-0232)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number and configuration, the remote Juniper Junos device is affected by multiple vulnerabilities in the included PHP version :

  - An unspecified flaw exists in the SQLite extension     that allows an unauthenticated, remote attacker to     bypass the 'open_basedir' constraint. (CVE-2012-3365)

  - A heap-based buffer overflow condition exists in file     ext/xml/xml.c due to not properly considering parsing     depth. An unauthenticated, remote attacker can exploit     this issue, via a specially crafted XML document that is     processed by the xml_parse_into_struct() function, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2013-4113)

  - A memory corruption issue exists in the PHP OpenSSL     extension in the openssl_x509_parse() function due to     improper sanitization of user-supplied input when     parsing 'notBefore' and 'notAfter' timestamps in X.509     certificates. An unauthenticated, remote attacker can     exploit this issue, via a specially crafted certificate,     to cause a denial of service condition or the execution     of arbitrary code. (CVE-2013-6420)

  - A double-free error exists in the     zend_ts_hash_graceful_destroy() function within file     Zend/zend_ts_hash.c that allows an unauthenticated,     remote attacker to cause a denial of service condition.
    (CVE-2014-9425)

The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11 and is affected by multiple vulnerabilities in the following components : 

 - Address Book 
 - AirScan 
 - apache_mod_php 
 - Apple Online Store Kit 
 - AppleEvents 
 - Audio 
 - bash 
 - Certificate Trust Policy 
 - CFNetwork Cookies - CFNetwork FTPProtocol 
 - CFNetwork HTTPProtocol 
 - CFNetwork Proxies 
 - CFNetwork SSL 
 - CoreCrypto 
 - CoreText 
 - Dev Tools 
 - Disk Images 
 - dyld 
 - EFI 
 - Finder 
 - Game Center 
 - Heimdal 
 - ICU 
 - Install Framework Legacy 
 - Intel Graphics Driver 
 - IOAudioFamily 
 - IOGraphics 
 - IOHIDFamily 
 - IOStorageFamily 
 - Kernel 
 - libc 
 - libpthread 
 - libxpc 
 - Login Window 
 - lukemftpd 
 - Mail 
 - Multipeer Connectivity 
 - NetworkExtension 
 - Notes 
 - OpenSSH 
 - OpenSSL 
 - procmail 
 - remote_cmds 
 - removefile 
 - Ruby 
 - Safari 
 - Safari Downloads 
 - Safari Extensions 
 - Safari Safe Browsing 
 - Security 
 - SMB 
 - SQLite 
 - Telephony 
 - Terminal 
 - tidy 
 - Time Machine 
 - WebKit 
 - WebKit CSS 
 - WebKit JavaScript Bindings 
 - WebKit Page Loading 
 - WebKit Plug-ins

The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components :

  - Address Book
  - AirScan
  - apache_mod_php
  - Apple Online Store Kit
  - AppleEvents
  - Audio
  - bash
  - Certificate Trust Policy
  - CFNetwork Cookies
  - CFNetwork FTPProtocol
  - CFNetwork HTTPProtocol
  - CFNetwork Proxies
  - CFNetwork SSL
  - CoreCrypto
  - CoreText
  - Dev Tools
  - Disk Images
  - dyld
  - EFI
  - Finder
  - Game Center
  - Heimdal
  - ICU
  - Install Framework Legacy
  - Intel Graphics Driver
  - IOAudioFamily
  - IOGraphics
  - IOHIDFamily
  - IOStorageFamily
  - Kernel
  - libc
  - libpthread
  - libxpc
  - Login Window
  - lukemftpd
  - Mail
  - Multipeer Connectivity
  - NetworkExtension
  - Notes
  - OpenSSH
  - OpenSSL
  - procmail
  - remote_cmds
  - removefile
  - Ruby
  - Safari
  - Safari Downloads
  - Safari Extensions
  - Safari Safe Browsing
  - Security
  - SMB
  - SQLite
  - Telephony
  - Terminal
  - tidy
  - Time Machine
  - WebKit
  - WebKit CSS
  - WebKit JavaScript Bindings
  - WebKit Page Loading
  - WebKit Plug-ins

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024)

An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232)

An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
(CVE-2015-4022)

Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603)

It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598)

Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
(CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021)

A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705)

A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709)

A double free flaw was found in zend_ts_hash_graceful_destroy() function in the PHP ZTS module. This flaw could possibly cause a PHP application to crash. (CVE-2014-9425)

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024)

An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232)

An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
(CVE-2015-4022)

Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603)

It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598)

Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
(CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021)

A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705)

A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709)

A double free flaw was found in zend_ts_hash_graceful_destroy() function in the PHP ZTS module. This flaw could possibly cause a PHP application to crash. (CVE-2014-9425)

All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

From Red Hat Security Advisory 2015:1218 :

Updated php packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

A flaw was found in the way PHP parsed multipart HTTP POST requests. A specially crafted request could cause PHP to use an excessive amount of CPU time. (CVE-2015-4024)

An uninitialized pointer use flaw was found in PHP's Exif extension. A specially crafted JPEG or TIFF file could cause a PHP application using the exif_read_data() function to crash or, possibly, execute arbitrary code with the privileges of the user running that PHP application. (CVE-2015-0232)

An integer overflow flaw leading to a heap-based buffer overflow was found in the way PHP's FTP extension parsed file listing FTP server responses. A malicious FTP server could use this flaw to cause a PHP application to crash or, possibly, execute arbitrary code.
(CVE-2015-4022)

Multiple flaws were discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code. (CVE-2015-0273, CVE-2015-2787, CVE-2015-4147, CVE-2015-4148, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4603)

It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions. (CVE-2015-4026, CVE-2015-3411, CVE-2015-3412, CVE-2015-4598)

Multiple flaws were found in the way the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
(CVE-2015-2301, CVE-2015-2783, CVE-2015-3307, CVE-2015-3329, CVE-2015-4021)

A heap buffer overflow flaw was found in the enchant_broker_request_dict() function of PHP's enchant extension. An attacker able to make a PHP application enchant dictionaries could possibly cause it to crash. (CVE-2014-9705)

A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted GIF file could cause a PHP application using the imagecreatefromgif() function to crash. (CVE-2014-9709)

A double free flaw was found in zend_ts_hash_graceful_destroy() function in the PHP ZTS module. This flaw could possibly cause a PHP application to crash. (CVE-2014-9425)

All php users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Multiple vulnerabilities has been discovered and corrected in php :

It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270).

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345).

PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185).

A flaw was found in the way file's Composite Document Files (CDF) format parser handle CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. A property entry with 0 elements triggers an infinite loop (CVE-2014-0238).

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721).

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE:
this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587).

Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597).

An integer overflow flaw in PHP's unserialize() function was reported.
If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of a elf file.
This could possibly lead to file executable crash (CVE-2014-3710).

A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8142).

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425).

sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427).

Use after free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231).

Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232).

The readelf.c source file has been removed from PHP's bundled copy of file's libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP's fileinfo module.

S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705).

Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273).

It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301).

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231).

The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (CVE-2015-0232).

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331).

It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351).

It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to the libmagic issues.

The updated php packages have been patched and upgraded to the 5.5.23 version which is not vulnerable to these issues. The libzip packages has been patched to address the CVE-2015-2331 flaw.

A bug in the php zip extension that could cause a crash has been fixed (mga#13820)

Additionally the jsonc and timezonedb packages has been upgraded to the latest versions and the PECL packages which requires so has been rebuilt for php-5.5.23.

The remote host is affected by the vulnerability described in GLSA-201503-03 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker can leverage these vulnerabilities to execute       arbitrary code or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

PHP versions 5.5.x prior to 5.5.21, and 5.6.x prior to 5.6.5 are exposed to the following issues :

  - A flaw exists in the 'ereg(regex)' component due to a NULL pointer dereference condition. Specifically, this issue affects the '/regex/regcomp.c' source file. (Bug 68740) 

  - A use-after-free memory error exists in the 'opcache' component. Specifically, this issue affects the '/ext/opcache/zend_shared_alloc.c' source file. (Bug 68677 / CVE-2015-1351)

  - A flaw exists in the 'zend_ts_hash_graceful_destroy' function in the Zend Engine for PHP which exposes a double free vulnerability. Specifically, this issue affects the 'zend_ts_hash.c' source file. (Bug 68676 / CVE-2014-9425)

 - A flaw exists in the 'pgsql' component due to a NULL pointer dereference condition. Specifically, this issue affects the 'token' parameter of the '/ext/pgsql/pgsql.c' source file. (Bug 68697 / CVE-2015-1352)

A remote attacker could exploit these vulnerabilities to crash the affected application, denying service to legitimate users.

  - An out-of-bounds read issue exists in the 'GetCode_()' function in 'gd_gif_in.c'. This allows a remote attacker to disclose memory contents. (CVE-2014-9709)

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.5. It is, therefore, affected by multiple vulnerabilities:

  - A double free vulnerability in the     zend_ts_hash_graceful_destroy function in     zend_ts_hash.c in the Zend Engine could allow a remote     attacker to cause a denial of service. (CVE-2014-9425)

  - An out-of-bounds read flaw in file 'cgi_main.c' exists     when nmap is used to process an invalid file that begins     with a hash character (#) but lacks a newline character.
    A remote attacker, using a specially crafted PHP file,     can exploit this vulnerability to disclose memory     contents, cause a denial of service, or possibly execute     code. (CVE-2014-9427)

  - The mconvert function in softmagic.c does not properly     handle a certain string-length field during a copy of a     truncated version of a Pascal string, which could allow     a remote attacker to cause a denial of service.
    (CVE-2014-9652)

  - An out-of-bounds read issue exists in the GetCode_()     function in 'gd_gif_in.c'. This allows a remote attacker     to disclose memory contents. (CVE-2014-9709)

  - A use-after-free memory error exists in the     process_nested_data() function in 'var_unserializer.re'     due to improper handling of duplicate numerical keys     within the serialized properties of an object. A remote     attacker, using a crafted unserialize method call, can     exploit this vulnerability to execute arbitrary code.
    (CVE-2015-0231)

  - A flaw exists in the exif_process_unicode() function in     'exif.c' that allows freeing an uninitialized pointer. A     remote attacker, using specially crafted EXIF data in a     JPEG image, can exploit this to cause a denial of     service or to execute arbitrary code. (CVE-2015-0232)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.21. It is, therefore, affected by multiple vulnerabilities:

  - A double free vulnerability in the     zend_ts_hash_graceful_destroy function in     zend_ts_hash.c in the Zend Engine could allow a remote     attacker to cause a denial of service. (CVE-2014-9425)

  - An out-of-bounds read flaw in file 'cgi_main.c' exists     when nmap is used to process an invalid file that begins     with a hash character (#) but lacks a newline character.
    A remote attacker, using a specially crafted PHP file,     can exploit this vulnerability to disclose memory     contents, cause a denial of service, or possibly execute     code. (CVE-2014-9427)

  - The mconvert function in softmagic.c does not properly     handle a certain string-length field during a copy of a     truncated version of a Pascal string, which could allow     a remote attacker to cause a denial of service.
    (CVE-2014-9652)

  - An out-of-bounds read issue exists in the GetCode_()     function in 'gd_gif_in.c'. This allows a remote attacker     to disclose memory contents. (CVE-2014-9709)

  - A use-after-free memory error exists in the     process_nested_data() function in 'var_unserializer.re'     due to improper handling of duplicate numerical keys     within the serialized properties of an object. A remote     attacker, using a crafted unserialize method call, can     exploit this vulnerability to execute arbitrary code.
    (CVE-2015-0231)

  - A flaw exists in the exif_process_unicode() function in     'exif.c' that allows freeing an uninitialized pointer. A     remote attacker, using specially crafted EXIF data in a     JPEG image, can exploit this to cause a denial of     service or to execute arbitrary code. (CVE-2015-0232)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98828	PHP 5.6.x < 5.6.5 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
102079	Juniper Junos PHP multiple vulnerabilities (JSA10804)	Nessus	Junos Local Security Checks	high
8982	Mac OS X < 10.11 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
86270	Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)	Nessus	MacOS X Local Security Checks	critical
84661	Scientific Linux Security Update : php on SL6.x i386/x86_64 (20150709)	Nessus	Scientific Linux Local Security Checks	critical
84660	RHEL 6 : php (RHSA-2015:1218)	Nessus	Red Hat Local Security Checks	critical
84659	Oracle Linux 6 : php (ELSA-2015-1218)	Nessus	Oracle Linux Local Security Checks	critical
84648	CentOS 6 : php (CESA-2015:1218)	Nessus	CentOS Local Security Checks	critical
82333	Mandriva Linux Security Advisory : php (MDVSA-2015:080)	Nessus	Mandriva Local Security Checks	high
81688	GLSA-201503-03 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
8909	PHP 5.5.x < 5.5.21 / 5.6.x < 5.6.5 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
81082	PHP 5.6.x < 5.6.5 Multiple Vulnerabilities	Nessus	CGI abuses	high
81081	PHP 5.5.x < 5.5.21 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2014-9425

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins