http://git.php.net/?p=php-src.git;a=commit;h=777c39f4042327eac4b63c7ee87dc1c7a09a3115

APPLE-SA-2015-09-30-3

[oss-security] 20150124 Re: CVE Request: PHP

RHSA-2015:1053

RHSA-2015:1066

MDVSA-2015:079

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

71929

https://bugs.php.net/bug.php?id=68677

GLSA-201606-10

https://support.apple.com/HT205267

This update for php5 fixes the following issues :

Security issues fixed :

CVE-2019-11039: Fixed a heap-buffer-overflow on php_jpg_get16 (bsc#1138173).

CVE-2019-11040: Fixed an out-of-bounds read due to an integer overflow in iconv.c:_php_iconv_mime_decode() (bsc#1138172).

CVE-2015-1351: Fixed a use after free in opcache extension (bsc#1137633).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.8. It is, therefore, affected by multiple vulnerabilities :

 - An unspecified use-after-free error exists in the _zend_shared_memdup() function within file ext/opcache/zend_shared_alloc.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2015-1351)

 - A NULL pointer dereference flaw exists in the build_tablename() function within file pgsql.c in the PostgreSQL extension due to a failure to validate token extraction for table names. An authenticated, remote attacker can exploit this, via a crafted name, to cause a denial of service condition. ( CVE-2015-1352)

 - An out-of-bounds read error exists in the Phar component due to improper validation of user-supplied input when handling phar parsing during unserialize() function calls. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the disclosure of memory contents. (CVE-2015-2783)

 - A memory corruption issue exists in the phar_parse_metadata() function in file ext/phar/phar.c due to improper validation of user-supplied input when parsing a specially crafted TAR archive. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3307)

 - Multiple stack-based buffer overflow conditions exist in the phar_set_inode() function in file phar_internal.h when handling archive files, such as tar, zip, or phar files. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution or arbitrary code. (CVE-2015-3329)

 - A flaw exists in the Apache2handler SAPI component when handling pipelined HTTP requests that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-3330)

 - A flaw exists in multiple functions due to a failure to check for NULL byte (%00) sequences in a path when processing or reading a file. An unauthenticated, remote attacker can exploit this, via specially crafted input to an application calling those functions, to bypass intended restrictions and disclose potentially sensitive information. (CVE-2015-3411, CVE-2015-3412)

 - A type confusion error exists in multiple functions within file ext/soap/soap.c that is triggered when calling unserialize(). An unauthenticated, remote attacker can exploit this to disclose memory contents, cause a denial of service condition, or execute arbitrary code. (CVE-2015-4599, CVE-2015- 4600)

 - Multiple type confusion errors exist within files ext/soap/php_encoding.c, ext/soap/php_http.c, and ext/soap/soap.c that allow an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4601)

 - A type confusion error exists in the __PHP_Incomplete_Class() function within file ext/standard/incomplete_class.c that allows an unauthenticated, remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4602)

 - A type confusion error exists in the exception::getTraceAsString() function within file Zend/zend_exceptions.c that allows a remote attacker to execute arbitrary code. (CVE-2015-4603)

 - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mget() function within file softmagic.c. The function fails to maintain a certain pointer relationship. An unauthenticated, remote attacker can exploit this, via a crafted string, to crash the application. (CVE-2015-4604)

 - A denial of service vulnerability exists due to a flaw in the bundled libmagic library, specifically in the mcopy() function within file softmagic.c. The function fails to properly handle an offset that exceeds 'bytecnt'. An unauthenticated, remote attacker can exploit this, via a crafted string , to crash the application. (CVE-2015-4605)

 - A use-after-free error exists in the sqlite3_close() function within file /ext/sqlite3/sqlite3.c when closing database connections. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - A flaw exists in the ZEND_VM_HELPER_EX() function within file /Zend/zend_vm_def.h when handling a __get() function call. An unauthenticated, remote attacker can exploit this to cause a cause a denial of service condition.

 - A type confusion error exists in the php_stream_url_wrap_http_ex() function within file ext/standard/http_fopen_wrapper.c that allows an unauthenticated, remote attacker to execute arbitrary code.

 - A use-after-free error exists in the php_curl() function within file ext/curl/interface.c that allows an unauthenticated, remote attacker to execute arbitrary code.

 - A use-after-free error exists in the SPL component, specifically in the spl_object_storage_get_gc() function within file ext/spl/spl_observer.c. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - A NULL pointer dereference flaw exists within file /ext/ereg/regex/regcomp.c that allows an unauthenticated, remote attacker attacker to cause a denial of service condition.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11 and is affected by multiple vulnerabilities in the following components : 

 - Address Book 
 - AirScan 
 - apache_mod_php 
 - Apple Online Store Kit 
 - AppleEvents 
 - Audio 
 - bash 
 - Certificate Trust Policy 
 - CFNetwork Cookies - CFNetwork FTPProtocol 
 - CFNetwork HTTPProtocol 
 - CFNetwork Proxies 
 - CFNetwork SSL 
 - CoreCrypto 
 - CoreText 
 - Dev Tools 
 - Disk Images 
 - dyld 
 - EFI 
 - Finder 
 - Game Center 
 - Heimdal 
 - ICU 
 - Install Framework Legacy 
 - Intel Graphics Driver 
 - IOAudioFamily 
 - IOGraphics 
 - IOHIDFamily 
 - IOStorageFamily 
 - Kernel 
 - libc 
 - libpthread 
 - libxpc 
 - Login Window 
 - lukemftpd 
 - Mail 
 - Multipeer Connectivity 
 - NetworkExtension 
 - Notes 
 - OpenSSH 
 - OpenSSL 
 - procmail 
 - remote_cmds 
 - removefile 
 - Ruby 
 - Safari 
 - Safari Downloads 
 - Safari Extensions 
 - Safari Safe Browsing 
 - Security 
 - SMB 
 - SQLite 
 - Telephony 
 - Terminal 
 - tidy 
 - Time Machine 
 - WebKit 
 - WebKit CSS 
 - WebKit JavaScript Bindings 
 - WebKit Page Loading 
 - WebKit Plug-ins

The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components :

  - Address Book
  - AirScan
  - apache_mod_php
  - Apple Online Store Kit
  - AppleEvents
  - Audio
  - bash
  - Certificate Trust Policy
  - CFNetwork Cookies
  - CFNetwork FTPProtocol
  - CFNetwork HTTPProtocol
  - CFNetwork Proxies
  - CFNetwork SSL
  - CoreCrypto
  - CoreText
  - Dev Tools
  - Disk Images
  - dyld
  - EFI
  - Finder
  - Game Center
  - Heimdal
  - ICU
  - Install Framework Legacy
  - Intel Graphics Driver
  - IOAudioFamily
  - IOGraphics
  - IOHIDFamily
  - IOStorageFamily
  - Kernel
  - libc
  - libpthread
  - libxpc
  - Login Window
  - lukemftpd
  - Mail
  - Multipeer Connectivity
  - NetworkExtension
  - Notes
  - OpenSSH
  - OpenSSL
  - procmail
  - remote_cmds
  - removefile
  - Ruby
  - Safari
  - Safari Downloads
  - Safari Extensions
  - Safari Safe Browsing
  - Security
  - SMB
  - SQLite
  - Telephony
  - Terminal
  - tidy
  - Time Machine
  - WebKit
  - WebKit CSS
  - WebKit JavaScript Bindings
  - WebKit Page Loading
  - WebKit Plug-ins

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Versions of PHP 5.4.x earlier than 5.4.40, 5.5.x earlier than 5.5.24, or 5.6.x earlier than 5.6.8 are exposed to the following issues :

  - An out-of-bounds read overflow error exists in the function 'GetCode_()' in file 'gd_gif_in.c' that allows denial of service attacks or disclosure of memory contents. (CVE-2014-9709)
  - A use-after-free error exists in the OPcache extension in the '_zend_shared_memdup()' function within the file 'zend_shared_alloc.c'. A remote attacker can exploit this to cause a denial of service or possibly have other unspecified impact. (CVE-2015-1351)
  - The function 'build_tablename()' in file 'pgsql.c' in the PostgreSQL extension does not properly validate token extraction for table names. A remote attacker, using a crafted name, can exploit this to cause a NULL pointer deference, leading to a denial of service. (CVE-2015-1352)
  - A use-after-free error exists in the function 'phar_rename_archive()' in file 'phar_object.c'. A remote attacker, by attempting to rename a phar archive to an already existing file name, can exploit this to cause a denial of service. (CVE-2015-2301)
  - A buffer read overflow error exists in the Phar component due to user-supplied input not being validated properly when handling phar parsing during 'unserialize()' function calls. An attacker can exploit this to execute arbitrary code or cause a denial of service. (CVE-2015-2783)
  - A buffer overflow flaw exists in the 'phar_set_inode()' function in file 'phar_internal.h' when handling archive files, such as tar, zip, or phar files. A remote attacker can exploit this to execute arbitrary code or cause a denial of service. (CVE-2015-3329)
  - A flaw exists in the Apache2handler SAPI component, when handling pipelined HTTP requests, that a remote attacker can exploit to execute arbitrary code. (CVE-2015-3330)
  - An information disclosure vulnerability exists because of a type confusion error. Specifically, this issue occurs when the 'unserialize()' function is used with SoapFault object's '__toString()' function. An attacker can exploit this issue to leak arbitrary memory blocks.
  - A flaw exists in the 'phar_parse_metadata()' function in 'ext/phar/phar.c'. The issue is triggered as user-supplied input is not properly validated when parsing a specially crafted TAR file. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2015-3307)
  - A type confusion flaw exists in the '__toString()' method in 'incomplete_class.c' that may allow a context-dependent attacker to leak arbitrary memory blocks or potentially cause a denial of service. (CVE-2015-4602)
  - Multiple unspecified issues exist in '/soap/php_http.c' and '/soap/php_encoding.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-4601)
  - A denial of service vulnerability affects Fine Free File, a common component used in PHP known as 'file'. Specifically, this issue affects the source file 'libmagic/softmagic.c' because it fails to properly handle offsets that exceed 'bytecnt' or vice versa. (CVE-2015-4605)

16 Apr 2015, **PHP 5.5.24**

Apache2handler :

  - Fixed bug #69218 (potential remote code execution with     apache 2.4 apache2handler). (Gerrit Venema)

Core :

  - Fixed bug #66609 (php crashes with __get() and ++     operator in some cases). (Dmitry, Laruence)

    - Fixed bug #67626 (User exceptions not properly handled       in streams). (Julian)

    - Fixed bug #68021 (get_browser() browser_name_regex       returns non-utf-8 characters). (Tjerk)

    - Fixed bug #68917 (parse_url fails on some partial       urls). (Wei Dai)

    - Fixed bug #69134 (Per Directory Values overrides       PHP_INI_SYSTEM configuration options). (Anatol Belski)

    - Additional fix for bug #69152 (Type confusion       vulnerability in exception::getTraceAsString). (Stas)

    - Fixed bug #69212 (Leaking VIA_HANDLER func when       exception thrown in __call/... arg passing). (Nikita)

    - Fixed bug #69221 (Segmentation fault when using a       generator in combination with an Iterator). (Nikita)

    - Fixed bug #69337 (php_stream_url_wrap_http_ex()       type-confusion vulnerability). (Stas)

    - Fixed bug #69353 (Missing null byte checks for paths       in various PHP extensions). (Stas)

Curl :

  - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)

    - Fixed bug #69316 (Use-after-free in php_curl related       to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)

Date :

  - Export date_get_immutable_ce so that it can be used by     extensions. (Derick Rethans)

    - Fixed bug #69336 (Issues with 'last day of       <monthname>'). (Derick Rethans)

Enchant :

  - Fixed bug #65406 (Enchant broker plugins are in the     wrong place in windows builds). (Anatol)

Fileinfo :

  - Fixed bug #68819 (Fileinfo on specific file causes     spurious OOM and/or segfault). (Anatol Belski)

Filter :

  - Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored     unless other flags are used). (Jeff Welch)

    - Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip       ASCII 127). (Jeff Welch)

Mbstring :

  - Fixed bug #68846 (False detection of CJK Unified     Ideographs Extension E). (Masaki Kagaya)

OPCache

  - Fixed bug #68677 (Use After Free). (CVE-2015-1351)     (Laruence)

    - Fixed bug #69281 (opcache_is_script_cached no longer       works). (danack)

OpenSSL :

  - Fixed bug #67403 (Add signatureType to     openssl_x509_parse).

    - Add a check for RAND_egd to allow compiling against       LibreSSL (Leigh)

Phar :

  - Fixed bug #64343 (PharData::extractTo fails for tarball     created by BSD tar). (Mike)

    - Fixed bug #64931 (phar_add_file is too restrictive on       filename). (Mike)

    - Fixed bug #65467 (Call to undefined method       cli_arg_typ_string). (Mike)

    - Fixed bug #67761 (Phar::mapPhar fails for Phars inside       a path containing '.tar'). (Mike)

    - Fixed bug #69324 (Buffer Over-read in unserialize when       parsing Phar). (Stas)

    - Fixed bug #69441 (Buffer Overflow when parsing       tar/zip/phar in phar_set_inode). (Stas)

Postgres :

  - Fixed bug #68741 (NULL pointer dereference).
    (CVE-2015-1352) (Laruence)

SPL :

  - Fixed bug #69227 (Use after free in zval_scan caused by     spl_object_storage_get_gc). (adam dot scarr at 99designs     dot com)

SOAP :

  - Fixed bug #69293 (NEW segfault when using     SoapClient::__setSoapHeader (bisected, regression)).
    (thomas at shadowweb dot org, Laruence)

SQLITE :

  - Fixed bug #68760 (SQLITE segfaults if custom collator     throws an exception). (Dan Ackroyd)

    - Fixed bug #69287 (Upgrade bundled sqlite to 3.8.8.3).
      (Anatol)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The PHP project reports :

The PHP development team announces the immediate availability of PHP 5.4.40. 14 security-related bugs were fixed in this release, including CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP 5.4 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 5.5.24. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.5 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 5.6.8. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.6 users are encouraged to upgrade to this version.

16 Apr 2015, **PHP 5.6.8**

Core :

  - Fixed bug #66609 (php crashes with __get() and ++     operator in some cases). (Dmitry, Laruence)

    - Fixed bug #68021 (get_browser() browser_name_regex       returns non-utf-8 characters). (Tjerk)

    - Fixed bug #68917 (parse_url fails on some partial       urls). (Wei Dai)

    - Fixed bug #69134 (Per Directory Values overrides       PHP_INI_SYSTEM configuration options). (Anatol Belski)

    - Additional fix for bug #69152 (Type confusion       vulnerability in exception::getTraceAsString). (Stas)

    - Fixed bug #69210 (serialize function return corrupted       data when sleep has non-string values). (Juan Basso)

    - Fixed bug #69212 (Leaking VIA_HANDLER func when       exception thrown in __call/... arg passing). (Nikita)

    - Fixed bug #69221 (Segmentation fault when using a       generator in combination with an Iterator). (Nikita)

    - Fixed bug #69337 (php_stream_url_wrap_http_ex()       type-confusion vulnerability). (Stas)

    - Fixed bug #69353 (Missing null byte checks for paths       in various PHP extensions). (Stas)

Apache2handler :

  - Fixed bug #69218 (potential remote code execution with     apache 2.4 apache2handler). (Gerrit Venema)

cURL :

  - Implemented FR#69278 (HTTP2 support). (Masaki Kagaya)

    - Fixed bug #68739 (Missing break / control flow).
      (Laruence)

    - Fixed bug #69316 (Use-after-free in php_curl related       to CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence)

Date :

  - Fixed bug #69336 (Issues with 'last day of     <monthname>'). (Derick Rethans)

Enchant :

  - Fixed bug #65406 (Enchant broker plugins are in the     wrong place in windows builds). (Anatol)

Ereg :

  - Fixed bug #68740 (NULL pointer Dereference). (Laruence)

Fileinfo :

  - Fixed bug #68819 (Fileinfo on specific file causes     spurious OOM and/or segfault). (Anatol Belski)

Filter :

  - Fixed bug #69202: (FILTER_FLAG_STRIP_BACKTICK ignored     unless other flags are used). (Jeff Welch)

    - Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip       ASCII 127). (Jeff Welch)

OPCache :

  - Fixed bug #69297 (function_exists strange behavior with     OPCache on disabled function). (Laruence)

    - Fixed bug #69281 (opcache_is_script_cached no longer       works). (danack)

    - Fixed bug #68677 (Use After Free). (CVE-2015-1351)       (Laruence)

OpenSSL

  - Fixed bugs #68853, #65137 (Buffered crypto stream data     breaks IO polling in stream_select() contexts) (Chris     Wright)

    - Fixed bug #69197 (openssl_pkcs7_sign handles default       value incorrectly) (Daniel Lowrey)

    - Fixed bug #69215 (Crypto servers should send client CA       list) (Daniel Lowrey)

    - Add a check for RAND_egd to allow compiling against       LibreSSL (Leigh)

Phar :

  - Fixed bug #64343 (PharData::extractTo fails for tarball     created by BSD tar). (Mike)

    - Fixed bug #64931 (phar_add_file is too restrictive on       filename). (Mike)

    - Fixed bug #65467 (Call to undefined method       cli_arg_typ_string). (Mike)

    - Fixed bug #67761 (Phar::mapPhar fails for Phars inside       a path containing '.tar'). (Mike)

    - Fixed bug #69324 (Buffer Over-read in unserialize when       parsing Phar). (Stas)

    - Fixed bug #69441 (Buffer Overflow when parsing       tar/zip/phar in phar_set_inode). (Stas)

Postgres :

  - Fixed bug #68741 (NULL pointer dereference).
    (CVE-2015-1352) (Laruence)

SPL :

  - Fixed bug #69227 (Use after free in zval_scan caused by     spl_object_storage_get_gc). (adam dot scarr at 99designs     dot com)

SOAP :

  - Fixed bug #69293 (NEW segfault when using     SoapClient::__setSoapHeader (bisected, regression)).
    (Laruence)

Sqlite3 :

  - Fixed bug #68760 (SQLITE segfaults if custom collator     throws an exception). (Dan Ackroyd)

    - Fixed bug #69287 (Upgrade bundled libsqlite to       3.8.8.3). (Anatol)

    - Fixed bug #66550 (SQLite prepared statement       use-after-free). (Sean Heelan)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.8. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified use-after-free error exists in the
    _zend_shared_memdup() function within file     ext/opcache/zend_shared_alloc.c that allows an     unauthenticated, remote attacker to have an unspecified     impact. (CVE-2015-1351)

  - A NULL pointer dereference flaw exists in the     build_tablename() function within file pgsql.c in the     PostgreSQL extension due to a failure to validate token     extraction for table names. An authenticated, remote     attacker can exploit this, via a crafted name, to cause     a denial of service condition. (CVE-2015-1352)

  - An out-of-bounds read error exists in the Phar component     due to improper validation of user-supplied input when     handling phar parsing during unserialize() function     calls. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition or the     disclosure of memory contents. (CVE-2015-2783)

  - A memory corruption issue exists in the     phar_parse_metadata() function in file ext/phar/phar.c     due to improper validation of user-supplied input when     parsing a specially crafted TAR archive. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2015-3307)

  - Multiple stack-based buffer overflow conditions exist in     the phar_set_inode() function in file phar_internal.h     when handling archive files, such as tar, zip, or phar     files. An unauthenticated, remote attacker can exploit     these to cause a denial of service condition or the     execution or arbitrary code. (CVE-2015-3329)

  - A flaw exists in the Apache2handler SAPI component when     handling pipelined HTTP requests that allows an     unauthenticated, remote attacker to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2015-3330)

  - A flaw exists in multiple functions due to a failure to     check for NULL byte (%00) sequences in a path when     processing or reading a file. An unauthenticated, remote     attacker can exploit this, via specially crafted input     to an application calling those functions, to bypass     intended restrictions and disclose potentially     sensitive information. (CVE-2015-3411, CVE-2015-3412)

  - A type confusion error exists in multiple functions     within file ext/soap/soap.c that is triggered when     calling unserialize(). An unauthenticated, remote     attacker can exploit this to disclose memory contents,     cause a denial of service condition, or execute     arbitrary code. (CVE-2015-4599, CVE-2015-4600)

  - Multiple type confusion errors exist within files     ext/soap/php_encoding.c, ext/soap/php_http.c, and     ext/soap/soap.c that allow an unauthenticated, remote     attacker to cause a denial of service condition or the     execution of arbitrary code. (CVE-2015-4601)

  - A type confusion error exists in the
    __PHP_Incomplete_Class() function within file     ext/standard/incomplete_class.c that allows an     unauthenticated, remote attacker to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2015-4602)

  - A type confusion error exists in the     exception::getTraceAsString() function within file     Zend/zend_exceptions.c that allows a remote attacker to     execute arbitrary code. (CVE-2015-4603)

  - A denial of service vulnerability exists due to a flaw     in the bundled libmagic library, specifically in the     mget() function within file softmagic.c. The function     fails to maintain a certain pointer relationship. An     unauthenticated, remote attacker can exploit this, via a     crafted string, to crash the application.
    (CVE-2015-4604)

  - A denial of service vulnerability exists due to a flaw     in the bundled libmagic library, specifically in the     mcopy() function within file softmagic.c. The function     fails to properly handle an offset that exceeds     'bytecnt'. An unauthenticated, remote attacker can     exploit this, via a crafted string, to crash the     application. (CVE-2015-4605)

  - A use-after-free error exists in the sqlite3_close()     function within file /ext/sqlite3/sqlite3.c when closing     database connections. An unauthenticated, remote     attacker can exploit this to execute arbitrary code.

  - A flaw exists in the ZEND_VM_HELPER_EX() function within     file /Zend/zend_vm_def.h when handling a __get()     function call. An unauthenticated, remote attacker can     exploit this to cause a cause a denial of service     condition.

  - A type confusion error exists in the     php_stream_url_wrap_http_ex() function within file     ext/standard/http_fopen_wrapper.c that allows an     unauthenticated, remote attacker to execute arbitrary     code.

  - A use-after-free error exists in the php_curl() function     within file ext/curl/interface.c that allows an     unauthenticated, remote attacker to execute arbitrary     code.

  - A use-after-free error exists in the SPL component,     specifically in the spl_object_storage_get_gc() function     within file ext/spl/spl_observer.c. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code.

  - A NULL pointer dereference flaw exists within file     /ext/ereg/regex/regcomp.c that allows an     unauthenticated, remote attacker attacker to cause a     denial of service condition.

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.5.x running on the remote web server is prior to 5.5.24. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified use-after-free error exists in the
    _zend_shared_memdup() function within file     ext/opcache/zend_shared_alloc.c that allows an     unauthenticated, remote attacker to have an unspecified     impact. (CVE-2015-1351)

  - A NULL pointer dereference flaw exists in the     build_tablename() function within file pgsql.c in the     PostgreSQL extension due to a failure to validate token     extraction for table names. An authenticated, remote     attacker can exploit this, via a crafted name, to cause     a denial of service condition. (CVE-2015-1352)

  - An out-of-bounds read error exists in the Phar component     due to improper validation of user-supplied input when     handling phar parsing during unserialize() function     calls. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition or the     disclosure of memory contents. (CVE-2015-2783)

  - A memory corruption issue exists in the     phar_parse_metadata() function in file ext/phar/phar.c     due to improper validation of user-supplied input when     parsing a specially crafted TAR archive. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2015-3307)

  - Multiple stack-based buffer overflow conditions exist in     the phar_set_inode() function in file phar_internal.h     when handling archive files, such as tar, zip, or phar     files. An unauthenticated, remote attacker can exploit     these to cause a denial of service condition or the     execution or arbitrary code. (CVE-2015-3329)

  - A flaw exists in the Apache2handler SAPI component when     handling pipelined HTTP requests that allows an     unauthenticated, remote attacker to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2015-3330)

  - A flaw exists in multiple functions due to a failure to     check for NULL byte (%00) sequences in a path when     processing or reading a file. An unauthenticated, remote     attacker can exploit this, via specially crafted input     to an application calling those functions, to bypass     intended restrictions and disclose potentially     sensitive information. (CVE-2015-3411, CVE-2015-3412)

  - A type confusion error exists in multiple functions     within file ext/soap/soap.c that is triggered when     calling unserialize(). An unauthenticated, remote     attacker can exploit this to disclose memory contents,     cause a denial of service condition, or execute     arbitrary code. (CVE-2015-4599, CVE-2015-4600)

  - Multiple type confusion errors exist within files     ext/soap/php_encoding.c, ext/soap/php_http.c, and     ext/soap/soap.c that allow an unauthenticated, remote     attacker to cause a denial of service condition or the     execution of arbitrary code. (CVE-2015-4601)

  - A type confusion error exists in the
    __PHP_Incomplete_Class() function within file     ext/standard/incomplete_class.c that allows an     unauthenticated, remote attacker to cause a denial of     service condition or the execution of arbitrary code.
    (CVE-2015-4602)

  - A type confusion error exists in the     exception::getTraceAsString() function within file     Zend/zend_exceptions.c that allows a remote attacker to     execute arbitrary code. (CVE-2015-4603)

  - A denial of service vulnerability exists due to a flaw     in the bundled libmagic library, specifically in the     mget() function within file softmagic.c. The function     fails to maintain a certain pointer relationship. An     unauthenticated, remote attacker can exploit this, via a     crafted string, to crash the application.
    (CVE-2015-4604)

  - A denial of service vulnerability exists due to a flaw     in the bundled libmagic library, specifically in the     mcopy() function within file softmagic.c. The function     fails to properly handle an offset that exceeds     'bytecnt'. An unauthenticated, remote attacker can     exploit this, via a crafted string, to crash the     application. (CVE-2015-4605)

  - A flaw exists in the ZEND_VM_HELPER_EX() function within     file /Zend/zend_vm_def.h when handling a __get()     function call. An unauthenticated, remote attacker can     exploit this to cause a cause a denial of service     condition.

  - A type confusion error exists in the     php_stream_url_wrap_http_ex() function within file     ext/standard/http_fopen_wrapper.c that allows an     unauthenticated, remote attacker to execute arbitrary     code.

  - A use-after-free error exists in the php_curl() function     within file ext/curl/interface.c that allows an     unauthenticated, remote attacker to execute arbitrary     code.

  - A use-after-free error exists in the SPL component,     specifically in the spl_object_storage_get_gc() function     within file ext/spl/spl_observer.c. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code.

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

A use-after-free flaw was found in PHP's OPcache extension. This flaw could possibly lead to a disclosure of portion of server memory.
(CVE-2015-1351)

A NULL pointer dereference flaw was found in PHP's pgsql extension. A specially crafted table name passed to function as pg_insert() or pg_select() could cause a PHP application to crash. (CVE-2015-1352)

A buffer overflow flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash or, possibly, execute arbitrary code when opened.
(CVE-2015-3329)

Multiple vulnerabilities has been discovered and corrected in php :

It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943).

A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270).

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345).

PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185).

A flaw was found in the way file's Composite Document Files (CDF) format parser handle CDF files with many summary info entries. The cdf_unpack_summary_info() function unnecessarily repeatedly read the info from the same offset. This led to many file_printf() calls in cdf_file_property_info(), which caused file to use an excessive amount of CPU time when parsing a specially crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files. A property entry with 0 elements triggers an infinite loop (CVE-2014-0238).

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue related to the SPL ArrayObject and SPLObjectStorage Types (CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer overflow in the DNS TXT record parsing. A malicious server or man-in-the-middle attacker could possibly use this flaw to execute arbitrary code as the PHP interpreter if a PHP application uses dns_get_record() to perform a DNS query (CVE-2014-4049).

A flaw was found in the way file parsed property information from Composite Document Files (CDF) files, where the mconvert() function did not correctly compute the truncated pascal string size (CVE-2014-3478).

Multiple flaws were found in the way file parsed property information from Composite Document Files (CDF) files, due to insufficient boundary checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).

The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type Confusion issue that can cause it to leak arbitrary process memory (CVE-2014-4721).

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule, due to an incomplete fix for CVE-2013-7345 (CVE-2014-3538).

Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE:
this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587).

Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dns_get_record function and the dn_expand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597).

An integer overflow flaw in PHP's unserialize() function was reported.
If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089).

An out-of-bounds read flaw was found in file's donote() function in the way the file utility determined the note headers of a elf file.
This could possibly lead to file executable crash (CVE-2014-3710).

A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize() (CVE-2014-8142).

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425).

sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427).

Use after free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231).

Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232).

The readelf.c source file has been removed from PHP's bundled copy of file's libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP's fileinfo module.

S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705).

Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273).

It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301).

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231).

The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image (CVE-2015-0232).

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331).

It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351).

It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352).

PHP contains a bundled copy of the file utility's libmagic library, so it was vulnerable to the libmagic issues.

The updated php packages have been patched and upgraded to the 5.5.23 version which is not vulnerable to these issues. The libzip packages has been patched to address the CVE-2015-2331 flaw.

A bug in the php zip extension that could cause a crash has been fixed (mga#13820)

Additionally the jsonc and timezonedb packages has been upgraded to the latest versions and the PECL packages which requires so has been rebuilt for php-5.5.23.

Multiple vulnerabilities has been discovered and corrected in php :

S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705).

Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273).

It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301).

Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231).

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331).

It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351).

It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352).

The updated php packages have been patched and upgraded to the 5.5.23 version which is not vulnerable to these issues. The libzip packages has been patched to address the CVE-2015-2331 flaw.

Additionally the php-xdebug package has been upgraded to the latest 2.3.2 and the PECL packages which requires so has been rebuilt for php-5.5.23.

PHP versions 5.5.x prior to 5.5.21, and 5.6.x prior to 5.6.5 are exposed to the following issues :

  - A flaw exists in the 'ereg(regex)' component due to a NULL pointer dereference condition. Specifically, this issue affects the '/regex/regcomp.c' source file. (Bug 68740) 

  - A use-after-free memory error exists in the 'opcache' component. Specifically, this issue affects the '/ext/opcache/zend_shared_alloc.c' source file. (Bug 68677 / CVE-2015-1351)

  - A flaw exists in the 'zend_ts_hash_graceful_destroy' function in the Zend Engine for PHP which exposes a double free vulnerability. Specifically, this issue affects the 'zend_ts_hash.c' source file. (Bug 68676 / CVE-2014-9425)

 - A flaw exists in the 'pgsql' component due to a NULL pointer dereference condition. Specifically, this issue affects the 'token' parameter of the '/ext/pgsql/pgsql.c' source file. (Bug 68697 / CVE-2015-1352)

A remote attacker could exploit these vulnerabilities to crash the affected application, denying service to legitimate users.

  - An out-of-bounds read issue exists in the 'GetCode_()' function in 'gd_gif_in.c'. This allows a remote attacker to disclose memory contents. (CVE-2014-9709)

Stefan Esser discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-8142, CVE-2015-0231)

Brian Carpenter discovered that the PHP CGI component incorrectly handled invalid files. A local attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)

It was discovered that PHP incorrectly handled certain pascal strings in the fileinfo extension. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9652)

Alex Eubanks discovered that PHP incorrectly handled EXIF data in JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2015-0232)

It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1351)

It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-1352).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
126500	SUSE SLES12 Security Update : php5 (SUSE-SU-2019:1746-1)	Nessus	SuSE Local Security Checks	high
98831	PHP 5.6.x < 5.6.8 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
91704	GLSA-201606-10 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
8982	Mac OS X < 10.11 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
86270	Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)	Nessus	MacOS X Local Security Checks	critical
8784	PHP 5.4.x < 5.4.40 / 5.5.x < 5.5.24 / 5.6.x < 5.6.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
83093	Fedora 20 : php-5.5.24-1.fc20 (2015-6399)	Nessus	Fedora Local Security Checks	high
83080	FreeBSD : Several vulnerabilities found in PHP (1e232a0c-eb57-11e4-b595-4061861086c1)	Nessus	FreeBSD Local Security Checks	high
83044	Fedora 21 : php-5.6.8-1.fc21 (2015-6407)	Nessus	Fedora Local Security Checks	high
83035	PHP 5.6.x < 5.6.8 Multiple Vulnerabilities	Nessus	CGI abuses	critical
83034	PHP 5.5.x < 5.5.24 Multiple Vulnerabilities	Nessus	CGI abuses	critical
83018	Fedora 22 : php-5.6.8-1.fc22 (2015-6195)	Nessus	Fedora Local Security Checks	high
82923	Slackware 14.0 / 14.1 / current : php (SSA:2015-111-10)	Nessus	Slackware Local Security Checks	high
82858	Amazon Linux AMI : php56 (ALAS-2015-511)	Nessus	Amazon Linux Local Security Checks	high
82857	Amazon Linux AMI : php55 (ALAS-2015-510)	Nessus	Amazon Linux Local Security Checks	high
82333	Mandriva Linux Security Advisory : php (MDVSA-2015:080)	Nessus	Mandriva Local Security Checks	high
82332	Mandriva Linux Security Advisory : php (MDVSA-2015:079)	Nessus	Mandriva Local Security Checks	high
8909	PHP 5.5.x < 5.5.21 / 5.6.x < 5.6.5 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
81399	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : php5 vulnerabilities (USN-2501-1)	Nessus	Ubuntu Local Security Checks	high

CVE-2015-1351

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins