http://git.php.net/?p=php-src.git;a=commit;h=d2ac264ffea5ca2e85640b6736e0c7cd4ee9a4a9

[oss-security] 20150618 Re: PHP 5.6.10 / 5.5.26 / 5.4.42 CVE request

http://php.net/ChangeLog-5.php

75290

1032709

https://bugs.php.net/bug.php?id=69646

GLSA-201606-10

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.10. It is, therefore, affected by multiple vulnerabilities :

 - Multiple heap buffer overflow conditions exist in the bundled Perl-Compatible Regular Expression (PCRE) library due to improper validation of user-supplied input to the compile_branch() and pcre_compile2() functions. A remote attacker can exploit these conditions to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-2325, CVE-2015-2326)

 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of quotes in collation sequence names. A remote attacker can exploit this to cause uninitialized memory access, resulting in denial of service condition. (CVE-2015-3414)

 - A denial of service vulnerability exists in the bundled SQLite component due to an improper implementation of comparison operators in the sqlite3VdbeExec() function in vdbe.c. A remote attacker can exploit this to cause an invalid free operation, resulting in a denial of service condition. (CVE- 2015-3415)

 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of precision and width values during floating-point conversions in the sqlite3VXPrintf() function in printf.c. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-3416)

 - A security bypass vulnerability exists due to a failure in multiple extensions to check for NULL bytes in a path when processing or reading a file. A remote attacker can exploit this, by combining the '\\0' character with a safe file extension, to bypass access restrictions. (CVE-2015-4598)

 - An arbitrary command injection vulnerability exists due to a flaw in the php_escape_shell_arg() function in exec.c. A remote attacker can exploit this, via the escapeshellarg() PHP method, to inject arbitrary operating system commands. (CVE-2015-4642)

 - A heap buffer overflow condition exists in the ftp_genlist() function in ftp.c. due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4643) - A denial of service vulnerability exists due to a NULL pointer dereference flaw in the build_tablename() function in pgsql.c. An authenticated, remote attacker can exploit this to cause an application crash. (CVE-2015-4644)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the remote pfSense install is prior to 2.2.3. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories.

The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

Upstream reports that several bugs have been fixed as well as several security issues into some bundled libraries (CVE-2015-3414 , CVE-2015-3415 , CVE-2015-3416 , CVE-2015-2325 and CVE-2015-2326). All PHP 5.6 users are encouraged to upgrade to this version. Please see the upstream release notes for full details.

Upstream reports that several bugs have been fixed as well as several security issues into some bundled libraries (CVE-2015-3414 , CVE-2015-3415 , CVE-2015-3416 , CVE-2015-2325 and CVE-2015-2326). All PHP 5.5 users are encouraged to upgrade to this version. Please see the upstream release notes for full details.

Upstream reports that six security-related issues in PHP were fixed in this release, as well as several security issues in bundled sqlite library (CVE-2015-3414 , CVE-2015-3415 , CVE-2015-3416). All PHP 5.4 users are encouraged to upgrade to this version. Please see the upstream release notes for full details.

According to its banner, the version of PHP 5.6.x running on the remote web server is prior to 5.6.10. It is, therefore, affected by multiple vulnerabilities :

  - Multiple heap buffer overflow conditions exist in the     bundled Perl-Compatible Regular Expression (PCRE)     library due to improper validation of user-supplied     input to the compile_branch() and pcre_compile2()     functions. A remote attacker can exploit these     conditions to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2015-2325,     CVE-2015-2326)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of quotes     in collation sequence names. A remote attacker can     exploit this to cause uninitialized memory access,     resulting in denial of service condition.
    (CVE-2015-3414)

  - A denial of service vulnerability exists in the bundled     SQLite component due to an improper implementation of     comparison operators in the sqlite3VdbeExec() function     in vdbe.c. A remote attacker can exploit this to cause     an invalid free operation, resulting in a denial of     service condition. (CVE-2015-3415)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of precision     and width values during floating-point conversions in     the sqlite3VXPrintf() function in printf.c. A remote     attacker can exploit this to cause a stack-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-3416)

  - A security bypass vulnerability exists due to a failure     in multiple extensions to check for NULL bytes in a path     when processing or reading a file. A remote attacker can     exploit this, by combining the '\0' character with a     safe file extension, to bypass access restrictions.
    (CVE-2015-4598)

  - An arbitrary command injection vulnerability exists due     to a flaw in the php_escape_shell_arg() function in     exec.c. A remote attacker can exploit this, via the     escapeshellarg() PHP method, to inject arbitrary     operating system commands. (CVE-2015-4642)

  - A heap buffer overflow condition exists in the     ftp_genlist() function in ftp.c. due to improper     validation of user-supplied input. A remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2015-4643)     
  - A denial of service vulnerability exists due to a NULL     pointer dereference flaw in the build_tablename()     function in pgsql.c. An authenticated, remote attacker     can exploit this to cause an application crash.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.5.x running on the remote web server is prior to 5.5.26. It is, therefore, affected by multiple vulnerabilities :    

  - Multiple heap buffer overflow conditions exist in the     bundled Perl-Compatible Regular Expression (PCRE)     library due to improper validation of user-supplied     input to the compile_branch() and pcre_compile2()     functions. A remote attacker can exploit these     conditions to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2015-2325,     CVE-2015-2326)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of quotes     in collation sequence names. A remote attacker can     exploit this to cause uninitialized memory access,     resulting in denial of service condition.
    (CVE-2015-3414)

  - A denial of service vulnerability exists in the bundled     SQLite component due to an improper implementation of     comparison operators in the sqlite3VdbeExec() function     in vdbe.c. A remote attacker can exploit this to cause     an invalid free operation, resulting in a denial of     service condition. (CVE-2015-3415)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of precision     and width values during floating-point conversions in     the sqlite3VXPrintf() function in printf.c. A remote     attacker can exploit this to cause a stack-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-3416)

  - A security bypass vulnerability exists due to a failure     in multiple extensions to check for NULL bytes in a path     when processing or reading a file. A remote attacker can     exploit this, by combining the '\0' character with a     safe file extension, to bypass access restrictions.
    (CVE-2015-4598)

  - An arbitrary command injection vulnerability exists due     to a flaw in the php_escape_shell_arg() function in     exec.c. A remote attacker can exploit this, via the     escapeshellarg() PHP method, to inject arbitrary     operating system commands. (CVE-2015-4642)

  - A heap buffer overflow condition exists in the     ftp_genlist() function in ftp.c. due to improper     validation of user-supplied input. A remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2015-4643)     
  - A denial of service vulnerability exists due to a NULL     pointer dereference flaw in the build_tablename()     function in pgsql.c. An authenticated, remote attacker     can exploit this to cause an application crash.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.4.x running on the remote web server is prior to 5.4.42. It is, therefore, affected by multiple vulnerabilities :

  - Multiple heap buffer overflow conditions exist in the     bundled Perl-Compatible Regular Expression (PCRE)     library due to improper validation of user-supplied     input to the compile_branch() and pcre_compile2()     functions. A remote attacker can exploit these     conditions to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2015-2325,     CVE-2015-2326)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of quotes     in collation sequence names. A remote attacker can     exploit this to cause uninitialized memory access,     resulting in denial of service condition.
    (CVE-2015-3414)

  - A denial of service vulnerability exists in the bundled     SQLite component due to an improper implementation of     comparison operators in the sqlite3VdbeExec() function     in vdbe.c. A remote attacker can exploit this to cause     an invalid free operation, resulting in a denial of     service condition. (CVE-2015-3415)

  - A denial of service vulnerability exists in the bundled     SQLite component due to improper handling of precision     and width values during floating-point conversions in     the sqlite3VXPrintf() function in printf.c. A remote     attacker can exploit this to cause a stack-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2015-3416)

  - A security bypass vulnerability exists due to a failure     in multiple extensions to check for NULL bytes in a path     when processing or reading a file. A remote attacker can     exploit this, by combining the '\0' character with a     safe file extension, to bypass access restrictions.
    (CVE-2015-4598)

  - An arbitrary command injection vulnerability exists due     to a flaw in the php_escape_shell_arg() function in     exec.c. A remote attacker can exploit this, via the     escapeshellarg() PHP method, to inject arbitrary     operating system commands. (CVE-2015-4642)

  - A heap buffer overflow condition exists in the     ftp_genlist() function in ftp.c. due to improper     validation of user-supplied input. A remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2015-4643)     
  - A denial of service vulnerability exists due to a NULL     pointer dereference flaw in the build_tablename()     function in pgsql.c. An authenticated, remote attacker     can exploit this to cause an application crash.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of PHP 5.5.x prior to 5.5.26, or 5.6.x prior to 5.6.10 are exposed to the following vulnerabilities :

 - Multiple heap buffer overflow conditions exist in the bundled Perl-Compatible Regular Expression (PCRE) library due to improper validation of user-supplied input to the 'compile_branch()' and 'pcre_compile2()' functions. A remote attacker can exploit these conditions to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-2325, CVE-2015-2326)
 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of quotes in collation sequence names. A remote attacker can exploit this to cause uninitialized memory access, resulting in denial of service condition. (CVE-2015-3414)
 - A denial of service vulnerability exists in the bundled SQLite component due to an improper implementation of comparison operators in the 'sqlite3VdbeExec()' function in 'vdbe.c'. A remote attacker can exploit this to cause an invalid free operation, resulting in a denial of service condition. (CVE-2015-3415)
 - A denial of service vulnerability exists in the bundled SQLite component due to improper handling of precision and width values during floating-point conversions in the 'sqlite3VXPrintf()' function in 'printf.c'. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-3416)
 - A security bypass vulnerability exists due to a failure in multiple extensions to check for NULL bytes in a path when processing or reading a file. A remote attacker can exploit this, by combining the '\0' character with a safe file extension, to bypass access restrictions. (CVE-2015-4598)
 - An arbitrary command injection vulnerability exists due to a flaw in the 'php_escape_shell_arg()' function in 'exec.c'. A remote attacker can exploit this, via the 'escapeshellarg()' PHP method, to inject arbitrary operating system commands. (CVE-2015-4642)
 - A heap buffer overflow condition exists in the 'ftp_genlist()' function in 'ftp.c'. due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-4643)
 - A denial of service vulnerability exists due to a NULL pointer dereference flaw in the 'build_tablename()' function in 'pgsql.c'. An authenticated, remote attacker can exploit this to cause an application crash. (CVE-2015-4644)

ID	Name	Product	Family	Severity
98802	PHP 5.6.x < 5.6.10 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
106495	pfSense < 2.2.3 Multiple Vulnerabilities (SA-15_07) (Logjam)	Nessus	Firewalls	critical
91704	GLSA-201606-10 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
84830	Slackware 14.0 / 14.1 / current : php (SSA:2015-198-02) (BACKRONYM)	Nessus	Slackware Local Security Checks	critical
84625	Amazon Linux AMI : php56 (ALAS-2015-563)	Nessus	Amazon Linux Local Security Checks	critical
84624	Amazon Linux AMI : php55 (ALAS-2015-562)	Nessus	Amazon Linux Local Security Checks	critical
84623	Amazon Linux AMI : php54 (ALAS-2015-561)	Nessus	Amazon Linux Local Security Checks	critical
84364	PHP 5.6.x < 5.6.10 Multiple Vulnerabilities	Nessus	CGI abuses	critical
84363	PHP 5.5.x < 5.5.26 Multiple Vulnerabilities	Nessus	CGI abuses	critical
84362	PHP 5.4.x < 5.4.42 Multiple Vulnerabilities	Nessus	CGI abuses	critical
8787	PHP 5.5.x < 5.5.26 / 5.6.x < 5.6.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high

CVE-2015-4642

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins