http://git.php.net/?p=php-src.git;a=commit;h=1ddf72180a52d247db88ea42a3e35f824a8fbda1

APPLE-SA-2015-12-08-3

openSUSE-SU-2016:0251

DSA-3380

[oss-security] 20151005 CVE request: issues fixed in PHP 5.6.14 and 5.5.30

http://www.php.net/ChangeLog-5.php

76959

SSA:2016-034-04

USN-2786-1

https://bugs.php.net/bug.php?id=70433

GLSA-201606-10

https://support.apple.com/HT205637

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.14. It is, therefore, affected by multiple vulnerabilities :

 - A NULL pointer dereference flaw exists in the phar_get_fp_offset() function in ext/phar/util.c that is triggered when pointing to a non-existent file. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An uninitialized pointer flaw exists in the phar_make_dirstream() function in ext/phar/dirstream.c that is triggered when handling a zip entry filename that is a single forward slash. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or to disclose
sensitive information.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the remote pfSense install is prior to 2.2.5. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories.

The remote host is affected by the vulnerability described in GLSA-201606-10 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X version 10.11.x prior to 10.11.2 and is affected by multiple vulnerabilities in the following components :

 - apache_mod_php
 - AppSandbox
 - Bluetooth
 - CFNetwork HTTPProtocol
 - Compression
 - Configuration Profiles
 - CoreGraphics
 - CoreMedia Playback
 - Disk Images
 - EFI
 - File Bookmark
 - Hypervisor
 - iBooks
 - ImageIO
 - Intel Graphics Driver
 - IOAcceleratorFamily
 - IOHIDFamily
 - IOKit SCSI
 - IOThunderboltFamily
 - Kernel
 - kext tools
 - Keychain Access
 - libarchive
 - libc
 - libexpat
 - libxml2
 - OpenGL
 - OpenLDAP
 - OpenSSH
 - QuickLook
 - Sandbox
 - Security
 - System Integrity Protection

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.

This update for php5 fixes the following issues :

  - CVE-2015-7803: Specially crafted .phar files with a     crafted TAR archive entry allowed remote attackers to     cause a Denial of Service (DoS) [bsc#949961]

  - CVE-2015-7804: Specially crafted .phar files with a     crafted ZIP archive entry referencing a file '/' allowed     remote attackers to cause a Denial of Service (DoS) or     potentially leak unspecified memory content [bsc#949961]

  - CVE-2016-1903: Specially crafted image files could     allowed remote attackers read unspecified memory when     rotating images [bsc#962057]

The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2015-005 or 2015-008. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php
  - AppSandbox
  - Bluetooth
  - CFNetwork HTTPProtocol
  - Compression
  - Configuration Profiles
  - CoreGraphics
  - CoreMedia Playback
  - Disk Images
  - EFI
  - File Bookmark
  - Hypervisor
  - iBooks
  - ImageIO
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit SCSI
  - IOThunderboltFamily
  - Kernel
  - kext tools
  - Keychain Access
  - libarchive
  - libc
  - libexpat
  - libxml2
  - OpenGL
  - OpenLDAP
  - OpenSSH
  - QuickLook
  - Sandbox
  - Security
  - System Integrity Protection

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.2. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php
  - AppSandbox
  - Bluetooth
  - CFNetwork HTTPProtocol
  - Compression
  - Configuration Profiles
  - CoreGraphics
  - CoreMedia Playback
  - Disk Images
  - EFI
  - File Bookmark
  - Hypervisor
  - iBooks
  - ImageIO
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit SCSI
  - IOThunderboltFamily
  - Kernel
  - kext tools
  - Keychain Access
  - libarchive
  - libc
  - libexpat
  - libxml2
  - OpenGL
  - OpenLDAP
  - OpenSSH
  - QuickLook
  - Sandbox
  - Security
  - System Integrity Protection

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

- CVE-2015-6831 Use after free vulnerability was found in     unserialize() function. We can create ZVAL and free it     via Serializable::unserialize. However the unserialize()     will still allow to use R: or r: to set references to     that already freed memory. It is possible to     use-after-free attack and execute arbitrary code     remotely.

  - CVE-2015-6832 Dangling pointer in the unserialization of     ArrayObject items.

  - CVE-2015-6833 Files extracted from archive may be placed     outside of destination directory

  - CVE-2015-6834 Use after free vulnerability was found in     unserialize() function. We can create ZVAL and free it     via Serializable::unserialize. However the unserialize()     will still allow to use R: or r: to set references to     that already freed memory. It is possible to     use-after-free attack and execute arbitrary code     remotely.

  - CVE-2015-6836 A type confusion occurs within SOAP     serialize_function_call due to an insufficient     validation of the headers field. In the SoapClient's
    __call method, the verify_soap_headers_array check is     applied only to headers retrieved from     zend_parse_parameters; problem is that a few lines     later, soap_headers could be updated or even replaced     with values from the __default_headers object fields.

  - CVE-2015-6837 The XSLTProcessor class misses a few     checks on the input from the libxslt library. The     valuePop() function call is able to return NULL pointer     and php does not check that.

  - CVE-2015-6838 The XSLTProcessor class misses a few     checks on the input from the libxslt library. The     valuePop() function call is able to return NULL pointer     and php does not check that.

  - CVE-2015-7803 A NULL pointer dereference flaw was found     in the way PHP's Phar extension parsed Phar archives. A     specially crafted archive could cause PHP to crash.

  - CVE-2015-7804 An uninitialized pointer use flaw was     found in the phar_make_dirstream() function of PHP's     Phar extension. A specially crafted phar file in the ZIP     format with a directory entry with a file name '/ZIP'     could cause a PHP application function to crash.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that the PHP phar extension incorrectly handled certain files. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2015-7803, CVE-2015-7804).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Two vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

  - CVE-2015-7803     The phar extension could crash with a NULL pointer     dereference when processing tar archives containing     links referring to non-existing files. This could lead     to a denial of service.

  - CVE-2015-7804     The phar extension does not correctly process directory     entries found in archive files with the name '/',     leading to a denial of service and, potentially,     information disclosure.

The update for Debian stable (jessie) contains additional bug fixes from PHP upstream version 5.6.14, as described in the upstream changelog :

  - Note to users of the oldstable distribution (wheezy): PHP 5.4 has reached end-of-life on September 14th, 2015. As a result, there will be no more new upstream releases. The security support of PHP 5.4 in Debian oldstable (wheezy) will be best effort only, and you are strongly advised to upgrade to latest Debian stable release (jessie), which includes PHP 5.6.

As reported upstream, A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash. (CVE-2015-7803 )

A flaw was discovered in the way PHP performed object unserialization.
Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
(CVE-2015-6834 , CVE-2015-6835 , CVE-2015-6836)

A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use of PHP functions to be used as XSLT functions within XSL stylesheets.
(CVE-2015-6837 , CVE-2015-6838)

As reported upstream, an uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name '/ZIP' could cause a PHP application function to crash. (CVE-2015-7804)

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.14. It is, therefore, affected by multiple vulnerabilities :

  - A NULL pointer dereference flaw exists in the     phar_get_fp_offset() function in ext/phar/util.c that is     triggered when pointing to a non-existent file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2015-7803)

  - An uninitialized pointer flaw exists in the     phar_make_dirstream() function in ext/phar/dirstream.c     that is triggered when handling a zip entry filename     that is a single forward slash. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or to disclose sensitive information.
    (CVE-2015-7804)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.30. It is, therefore, affected by the following vulnerabilities :

  - A NULL pointer dereference flaw exists in the     phar_get_fp_offset() function in ext/phar/util.c that is     triggered when pointing to a non-existent file. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2015-7803)

  - An uninitialized pointer flaw exists in the     phar_make_dirstream() function in ext/phar/dirstream.c     that is triggered when handling a zip entry filename     that consists of a single forward slash. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or to disclose     sensitive information. (CVE-2015-7804)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of PHP 5.5.x prior to 5.5.30, or 5.6.x prior to 5.6.14 are vulnerable to the following issues :

  - A NULL pointer dereference flaw affects the phar_get_fp_offset() function in 'ext/phar/util.c' that is triggered when pointing to a non-existent file. This may allow a remote attacker to cause a denial of service.
 - An uninitialized pointer flaw affects the phar_make_dirstream() function in 'lext/phar/dirstream.c' that is triggered when handling a zip entry filename that is '/', which can result in a crash or potentially a data leak.

PHP reports :

Phar :

- Fixed bug #69720 (NULL pointer dereference in phar_get_fp_offset()).

- Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip entry filename is '/').

ID	Name	Product	Family	Severity
98806	PHP 5.6.x < 5.6.14 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
106497	pfSense < 2.2.5 Multiple Vulnerabilities (SA-15_08)	Nessus	Firewalls	high
91704	GLSA-201606-10 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
9325	Mac OS X 10.11.x < 10.11.2 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
88567	Slackware 14.0 / 14.1 / current : php (SSA:2016-034-04)	Nessus	Slackware Local Security Checks	medium
88533	openSUSE Security Update : php5 (openSUSE-2016-100)	Nessus	SuSE Local Security Checks	medium
87321	Mac OS X Multiple Vulnerabilities (Security Updates 2015-005 / 2015-008)	Nessus	MacOS X Local Security Checks	critical
87314	Mac OS X 10.11.x < 10.11.2 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
86794	Debian DLA-341-1 : php5 security update	Nessus	Debian Local Security Checks	high
86651	Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : php5 vulnerabilities (USN-2786-1)	Nessus	Ubuntu Local Security Checks	medium
86618	Debian DSA-3380-1 : php5 - security update	Nessus	Debian Local Security Checks	medium
86496	Amazon Linux AMI : php55 (ALAS-2015-602)	Nessus	Amazon Linux Local Security Checks	high
86495	Amazon Linux AMI : php56 (ALAS-2015-601)	Nessus	Amazon Linux Local Security Checks	high
86301	PHP 5.6.x < 5.6.14 Multiple Vulnerabilities	Nessus	CGI abuses	medium
86300	PHP 5.5.x < 5.5.30 Multiple Vulnerabilities	Nessus	CGI abuses	medium
8956	PHP 5.5.x < 5.5.30 / 5.6.x < 5.6.14 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
86267	FreeBSD : php -- multiple vulnerabilities (c1da8b75-6aef-11e5-9909-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

CVE-2015-7804

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins