FEDORA-2015-eb896290d3

RHSA-2016:2750

http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup

[oss-security] 20151128 Re: Heap Overflow in PCRE

RHSA-2016:1132

https://bto.bluecoat.com/security-advisory/sa128

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731

GLSA-201607-02

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.3. It is, therefore, affected by multiple vulnerabilities :

 - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)

 - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions.

 - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata.

 - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact.

 - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code.

 - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service.

 - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code.

 - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-2554)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.18. It is, therefore, affected by multiple vulnerabilities :

 - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)

 - A flaw exists in file ext/standard/exec.c in the escapeshellcmd() and escapeshellarg() functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions.

 - A flaw exists in file ext/standard/streamsfuncs.c in the stream_get_meta_data() function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata.

 - A type confusion error exists in file ext/wddx/wddx.c in the php_wddx_pop_element() function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact.

 - A flaw exists in file ext/phar/phar_object.c in the PharFileInfo::getContent() method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code.

 - A NULL pointer dereference flaw exists in file ext/phar/tar.c in the phar_tar_setupmetadata() function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service.

 - An integer overflow condition exists in file ext/standard/iptc.c in the iptcembed() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code.

 - An overflow condition exists in file ext/phar/tar.c in the phar_parse_tarfile() function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for pcre to version 8.39 (bsc#972127) fixes several issues. If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version. This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed :

  - CVE-2014-8964: Heap-based buffer overflow in PCRE     allowed remote attackers to cause a denial of service     (crash) or have other unspecified impact via a crafted     regular expression, related to an assertion that allows     zero repeats (bsc#906574).

  - CVE-2015-2325: Heap buffer overflow in compile_branch()     (bsc#924960).

  - CVE-2015-3210: Heap buffer overflow in pcre_compile2() /     compile_regex() (bsc#933288)

  - CVE-2015-3217: PCRE Library Call Stack Overflow     Vulnerability in match() (bsc#933878).

  - CVE-2015-5073: Library Heap Overflow Vulnerability in     find_fixedlength() (bsc#936227).

  - bsc#942865: heap overflow in compile_regex()

  - CVE-2015-8380: The pcre_exec function in pcre_exec.c     mishandled a // pattern with a \01 string, which allowed     remote attackers to cause a denial of service     (heap-based buffer overflow) or possibly have     unspecified other impact via a crafted regular     expression, as demonstrated by a JavaScript RegExp     object encountered by Konqueror (bsc#957566).

  - CVE-2015-2327: PCRE mishandled certain patterns with     internal recursive back references, which allowed remote     attackers to cause a denial of service (segmentation     fault) or possibly have unspecified other impact via a     crafted regular expression, as demonstrated by a     JavaScript RegExp object encountered by Konqueror     (bsc#957567).

  - bsc#957598: Various security issues

  - CVE-2015-8381: Heap Overflow in compile_regex()     (bsc#957598).

  - CVE-2015-8382: Regular Expression Uninitialized Pointer     Information Disclosure Vulnerability     (ZDI-CAN-2547)(bsc#957598).

  - CVE-2015-8383: Buffer overflow caused by repeated     conditional group(bsc#957598).

  - CVE-2015-8384: Buffer overflow caused by recursive back     reference by name within certain group(bsc#957598).

  - CVE-2015-8385: Buffer overflow caused by forward     reference by name to certain group(bsc#957598).

  - CVE-2015-8386: Buffer overflow caused by lookbehind     assertion(bsc#957598).

  - CVE-2015-8387: Integer overflow in subroutine     calls(bsc#957598).

  - CVE-2015-8388: Buffer overflow caused by certain     patterns with an unmatched closing     parenthesis(bsc#957598).

  - CVE-2015-8389: Infinite recursion in JIT compiler when     processing certain patterns(bsc#957598).

  - CVE-2015-8390: Reading from uninitialized memory when     processing certain patterns(bsc#957598).

  - CVE-2015-8391: Some pathological patterns causes     pcre_compile() to run for a very long time(bsc#957598).

  - CVE-2015-8392: Buffer overflow caused by certain     patterns with duplicated named groups(bsc#957598).

  - CVE-2015-8393: Information leak when running pcgrep -q     on crafted binary(bsc#957598).

  - CVE-2015-8394: Integer overflow caused by missing check     for certain conditions(bsc#957598).

  - CVE-2015-8395: Buffer overflow caused by certain     references(bsc#957598).

  - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/     pattern and related patterns with certain recursion,     which allowed remote attackers to cause a denial of     service (segmentation fault) or possibly have     unspecified other impact via a crafted regular     expression (bsc#957600).

  - CVE-2016-1283: The pcre_compile2 function in     pcre_compile.c in PCRE mishandled certain patterns with     named subgroups, which allowed remote attackers to cause     a denial of service (heap-based buffer overflow) or     possibly have unspecified other impact via a crafted     regular expression (bsc#960837).

  - CVE-2016-3191: The compile_branch function in     pcre_compile.c in pcre2_compile.c mishandled patterns     containing an (*ACCEPT) substring in conjunction with     nested parentheses, which allowed remote attackers to     execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted regular     expression (bsc#971741).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for pcre to version 8.39 (bsc#972127) fixes several issues.

If you use pcre extensively please be aware that this is an update to a new version. Please make sure that your software works with the updated version.

This version fixes a number of vulnerabilities that affect pcre and applications using the libary when accepting untrusted input as regular expressions or as part thereof. Remote attackers could have caused the application to crash, disclose information or potentially execute arbitrary code. These security issues were fixed :

  - CVE-2014-8964: Heap-based buffer overflow in PCRE     allowed remote attackers to cause a denial of service     (crash) or have other unspecified impact via a crafted     regular expression, related to an assertion that allows     zero repeats (bsc#906574).

  - CVE-2015-2325: Heap buffer overflow in compile_branch()     (bsc#924960).

  - CVE-2015-3210: Heap buffer overflow in pcre_compile2() /     compile_regex() (bsc#933288)

  - CVE-2015-3217: PCRE Library Call Stack Overflow     Vulnerability in match() (bsc#933878).

  - CVE-2015-5073: Library Heap Overflow Vulnerability in     find_fixedlength() (bsc#936227).

  - bsc#942865: heap overflow in compile_regex()

  - CVE-2015-8380: The pcre_exec function in pcre_exec.c     mishandled a // pattern with a \01 string, which allowed     remote attackers to cause a denial of service     (heap-based buffer overflow) or possibly have     unspecified other impact via a crafted regular     expression, as demonstrated by a JavaScript RegExp     object encountered by Konqueror (bsc#957566).

  - CVE-2015-2327: PCRE mishandled certain patterns with     internal recursive back references, which allowed remote     attackers to cause a denial of service (segmentation     fault) or possibly have unspecified other impact via a     crafted regular expression, as demonstrated by a     JavaScript RegExp object encountered by Konqueror     (bsc#957567).

  - bsc#957598: Various security issues 

  - CVE-2015-8381: Heap Overflow in compile_regex()     (bsc#957598).

  - CVE-2015-8382: Regular Expression Uninitialized Pointer     Information Disclosure Vulnerability     (ZDI-CAN-2547)(bsc#957598).

  - CVE-2015-8383: Buffer overflow caused by repeated     conditional group(bsc#957598).

  - CVE-2015-8384: Buffer overflow caused by recursive back     reference by name within certain group(bsc#957598).

  - CVE-2015-8385: Buffer overflow caused by forward     reference by name to certain group(bsc#957598).

  - CVE-2015-8386: Buffer overflow caused by lookbehind     assertion(bsc#957598).

  - CVE-2015-8387: Integer overflow in subroutine     calls(bsc#957598).

  - CVE-2015-8388: Buffer overflow caused by certain     patterns with an unmatched closing     parenthesis(bsc#957598).

  - CVE-2015-8389: Infinite recursion in JIT compiler when     processing certain patterns(bsc#957598).

  - CVE-2015-8390: Reading from uninitialized memory when     processing certain patterns(bsc#957598).

  - CVE-2015-8391: Some pathological patterns causes     pcre_compile() to run for a very long time(bsc#957598).

  - CVE-2015-8392: Buffer overflow caused by certain     patterns with duplicated named groups(bsc#957598).

  - CVE-2015-8393: Information leak when running pcgrep -q     on crafted binary(bsc#957598).

  - CVE-2015-8394: Integer overflow caused by missing check     for certain conditions(bsc#957598).

  - CVE-2015-8395: Buffer overflow caused by certain     references(bsc#957598).

  - CVE-2015-2328: PCRE mishandled the /((?(R)a|(?1)))+/     pattern and related patterns with certain recursion,     which allowed remote attackers to cause a denial of     service (segmentation fault) or possibly have     unspecified other impact via a crafted regular     expression (bsc#957600).

  - CVE-2016-1283: The pcre_compile2 function in     pcre_compile.c in PCRE mishandled certain patterns with     named subgroups, which allowed remote attackers to cause     a denial of service (heap-based buffer overflow) or     possibly have unspecified other impact via a crafted     regular expression (bsc#960837).

  - CVE-2016-3191: The compile_branch function in     pcre_compile.c in pcre2_compile.c mishandled patterns     containing an (*ACCEPT) substring in conjunction with     nested parentheses, which allowed remote attackers to     execute arbitrary code or cause a denial of service     (stack-based buffer overflow) via a crafted regular     expression (bsc#971741).

These non-security issues were fixed :

  - JIT compiler improvements

  - performance improvements

  - The Unicode data tables have been updated to Unicode     7.0.0.

This update was imported from the SUSE:SLE-12:Update update project.

The Tenable SecurityCenter application installed on the remote host is either prior to version 5.3.0 or is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the Perl-Compatible Regular Expressions (PCRE) library bundled with PHP :

  - An overflow condition exists in the PCRE library due to     improper validation of user-supplied input when handling     repeated conditional groups. An attacker can exploit     this, via a specially crafted regular expression, to     cause a buffer overflow, resulting in a denial of     service condition. (CVE-2015-8383)

  - An overflow condition exists in the PCRE library due to     improper validation of user-supplied input when handling     mutual recursions within a 'lookbehind' assertion. An     attacker can exploit this to cause a stack-based buffer     overflow, resulting in a denial of service condition.
    (CVE-2015-8386)

  - An integer overflow condition exists in the PCRE library     due to improper validation of user-supplied input when     handling subroutine calls. An attacker can exploit this,     via a specially crafted regular expression, to cause a     denial of service condition. (CVE-2015-8387)

  - A flaw exists in the PCRE library due to improper     handling of the /(?:|a|){100}x/ pattern or other related     patterns. An attacker can exploit this, via a specially     crafted regular expression, to cause an infinite     recursion, resulting in a denial of service condition.
    (CVE-2015-8389)

  - A flaw exists in the PCRE library due to improper     handling of the [: and \\ substrings in character     classes. An attacker can exploit this, via a specially     crafted regular expression, to cause an uninitialized     memory read, resulting in a denial of service condition.
    (CVE-2015-8390)

  - A flaw exists in the PCRE library in the pcre_compile()     function in pcre_compile.c due to improper handling of     [: nesting. An attacker can exploit this, via a     specially crafted regular expression, to cause an     excessive consumption of CPU resources, resulting in a     denial of service condition. (CVE-2015-8391)

  - A flaw exists in the PCRE library due to improper     handling of the '-q' option for binary files. An     attacker can exploit this, via a specially crafted file,     to disclose sensitive information. (CVE-2015-8393)

  - An integer overflow condition exists in the PCRE library     due to improper validation of user-supplied input when     handling the (?(<digits>) and (?(R<digits>) conditions.
    An attacker can exploit this, via a specially crafted     regular expression, to cause a denial of service     condition. (CVE-2015-8394)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

CVE-2015-8395 PCRE before 8.38 mishandles certain references, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8392.

CVE-2015-8394 PCRE before 8.38 mishandles the (?() and (?(R) conditions, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8392 PCRE before 8.38 mishandles certain instances of the (?| substring, which allows remote attackers to cause a denial of service (unintended recursion and buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8384 and CVE-2015-8395.

CVE-2015-8391 The pcre_compile function in pcre_compile.c in PCRE before 8.38 mishandles certain [: nesting, which allows remote attackers to cause a denial of service (CPU consumption) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8390 PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8389 PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8388 PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8387 PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8386 PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8385 PCRE before 8.38 mishandles the /(?|(\k'Pm')|(?'Pm'))/ pattern and related patterns with certain forward references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8384 PCRE before 8.38 mishandles the /(?J)(?'d'(?'d'\g{d}))/ pattern and related patterns with certain recursive back references, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, a related issue to CVE-2015-8392 and CVE-2015-8395.

CVE-2015-8383 PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8382 The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT )))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.

CVE-2015-8381 The compile_regex function in pcre_compile.c in PCRE before 8.38 and pcre2_compile.c in PCRE2 before 10.2x mishandles the /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R'))))/ and /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf )|s(?'R')))/ patterns, and related patterns with certain group references, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-8380 The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-2328 PCRE before 8.36 mishandles the /((?(R)a|(?1)))+/ pattern and related patterns with certain recursion, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-2327 PCRE before 8.36 mishandles the /(((a\2)|(a*)\g<-1>))*/ pattern and related patterns with certain internal recursive back references, which allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.

CVE-2015-3217 PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expression, as demonstrated by /^(?:(?(1)\\.|([^\\\\W_])?)+)+$/.

The remote host is affected by the vulnerability described in GLSA-201607-02 (libpcre: Multiple Vulnerabilities)

    Multiple vulnerabilities have been discovered in libpcre. Please review       the CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

It was discovered that PCRE incorrectly handled certain regular expressions. A remote attacker could use this issue to cause applications using PCRE to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 8.38 and fix various CVE's

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This release fixes these vulnerabilies: CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394. It also fixes compiling comments with auto-callouts, compiling expressions with negated classes in UCP mode, compiling expressions with an isolated \E between an item and its qualifier with auto-callouts, a crash in regexec() if REG_STARTEND option is set and pmatch argument is NULL, a stack overflow when formatting a 32-bit integer in pcregrep tool, compiling expressions with an empty \Q\E sequence between an item and its qualifier with auto-callouts, compiling expressions with global extended modifier that is disabled by local no-extended option at the start of the expression just after a whitespace, a possible crash in pcre_copy_named_substring() if a named substring has number greater than the space in the ovector, a buffer overflow when compiling an expression with named groups with a group that reset capture numbers, and a crash in pcre_get_substring_list() if the use of \K caused the start of the match to be earlier than the end.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP 5.5.x prior to 5.5.32, or 5.6.x prior to 5.6.18, or 7.0.x prior to 7.0.3 are vulnerable to the following issues :

 - The Perl-Compatible Regular Expressions (PCRE) library is affected by multiple vulnerabilities related to the handling of regular expressions, subroutine calls, and binary files. A remote attacker can exploit these to cause a denial of service, obtain sensitive information, or have other unspecified impact.
 - A flaw exists in file 'ext/standard/exec.c' in the 'escapeshellcmd()' and 'escapeshellarg()' functions due to the program truncating NULL bytes in strings. A remote attacker can exploit this to bypass restrictions.
 - A flaw exists in file 'ext/standard/streamsfuncs.c' in the 'stream_get_meta_data()' function due to a failure to restrict writing user-supplied data to fields not already set. A remote attacker can exploit this to falsify the output of the function, resulting in the insertion of malicious metadata.
 - A type confusion error exists in file 'ext/wddx/wddx.c' in the 'php_wddx_pop_element()' function when deserializing WDDX packets. A remote attacker can exploit this to have an unspecified impact.
 - A flaw exists in file 'ext/phar/phar_object.c' in the 'PharFileInfo::getContent()' method due to the use of uninitialized memory causing improper validation of user-supplied input. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code.
 - A NULL pointer dereference flaw exists in file 'ext/phar/tar.c' in the 'phar_tar_setupmetadata()' function when parsing metadata from a crafted TAR file. A remote attacker can exploit this to cause a denial of service.
 - An integer overflow condition exists in file 'ext/standard/iptc.c' in the 'iptcembed()' function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code.
 - An overflow condition exists in file 'ext/phar/tar.c' in the 'phar_parse_tarfile()' function due to improper validation of user-supplied input when decompressing TAR files. A remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service or the execution of arbitrary code.
 - A use-after-free error exists in 'SPL_METHOD(SplObjectStorage)' in 'ext/spl/spl_observer.c'. The issue is triggered when handling unserialize calls. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.3. It is, therefore, affected by multiple vulnerabilities :

  - The Perl-Compatible Regular Expressions (PCRE) library     is affected by multiple vulnerabilities related to the     handling of regular expressions, subroutine calls, and     binary files. A remote attacker can exploit these to     cause a denial of service, obtain sensitive information,     or have other unspecified impact. (CVE-2015-8383,     CVE-2015-8386, CVE-2015-8387, CVE-2015-8389,     CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,     CVE-2015-8394)

  - A flaw exists in file ext/standard/exec.c in the     escapeshellcmd() and escapeshellarg() functions due to     the program truncating NULL bytes in strings. A remote     attacker can exploit this to bypass restrictions.

  - A flaw exists in file ext/standard/streamsfuncs.c in the     stream_get_meta_data() function due to a failure to     restrict writing user-supplied data to fields not     already set. A remote attacker can exploit this to     falsify the output of the function, resulting in the     insertion of malicious metadata.

  - A type confusion error exists in file ext/wddx/wddx.c in     the php_wddx_pop_element() function when deserializing     WDDX packets. A remote attacker can exploit this to have     an unspecified impact.

  - A flaw exists in file ext/phar/phar_object.c in the     PharFileInfo::getContent() method due to the use of     uninitialized memory causing improper validation of     user-supplied input. A remote attacker can exploit this     to corrupt memory, resulting in a denial of service or     the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in file     ext/phar/tar.c in the phar_tar_setupmetadata() function     when parsing metadata from a crafted TAR file. A remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in file     ext/standard/iptc.c in the iptcembed() function due to     improper validation of user-supplied input. A remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service or the     execution of arbitrary code.

  - An overflow condition exists in file ext/phar/tar.c in     the phar_parse_tarfile() function due to improper     validation of user-supplied input when decompressing     TAR files. A remote attacker can exploit this to cause     a stack-based buffer overflow, resulting in a denial of     service or the execution of arbitrary code.
    (CVE-2016-2554)

  - An uninitialized pointer flaw exists in the     phar_make_dirstream() function within file     ext/phar/dirstream.c due to improper handling of     ././@LongLink files. An unauthenticated, remote attacker     can exploit this, via a specially crafted TAR file, to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-4343)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.18. It is, therefore, affected by multiple vulnerabilities :

  - The Perl-Compatible Regular Expressions (PCRE) library     is affected by multiple vulnerabilities related to the     handling of regular expressions, subroutine calls, and     binary files. A remote attacker can exploit these to     cause a denial of service, obtain sensitive information,     or have other unspecified impact. (CVE-2015-8383,     CVE-2015-8386, CVE-2015-8387, CVE-2015-8389,     CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,     CVE-2015-8394)

  - A flaw exists in file ext/standard/exec.c in the     escapeshellcmd() and escapeshellarg() functions due to     the program truncating NULL bytes in strings. A remote     attacker can exploit this to bypass restrictions.

  - A flaw exists in file ext/standard/streamsfuncs.c in the     stream_get_meta_data() function due to a failure to     restrict writing user-supplied data to fields not     already set. A remote attacker can exploit this to     falsify the output of the function, resulting in the     insertion of malicious metadata.

  - A type confusion error exists in file ext/wddx/wddx.c in     the php_wddx_pop_element() function when deserializing     WDDX packets. A remote attacker can exploit this to have     an unspecified impact.

  - A flaw exists in file ext/phar/phar_object.c in the     PharFileInfo::getContent() method due to the use of     uninitialized memory causing improper validation of     user-supplied input. A remote attacker can exploit this     to corrupt memory, resulting in a denial of service or     the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in file     ext/phar/tar.c in the phar_tar_setupmetadata() function     when parsing metadata from a crafted TAR file. A remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in file     ext/standard/iptc.c in the iptcembed() function due to     improper validation of user-supplied input. A remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service or the     execution of arbitrary code.

  - An overflow condition exists in file ext/phar/tar.c in     the phar_parse_tarfile() function due to improper     validation of user-supplied input when decompressing     TAR files. A remote attacker can exploit this to cause     a stack-based buffer overflow, resulting in a denial of     service or the execution of arbitrary code.
    (CVE-2016-2554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.32. It is, therefore, affected by multiple vulnerabilities :

  - The Perl-Compatible Regular Expressions (PCRE) library     is affected by multiple vulnerabilities related to the     handling of regular expressions, subroutine calls, and     binary files. A remote attacker can exploit these to     cause a denial of service, obtain sensitive information,     or have other unspecified impact. (CVE-2015-8383,     CVE-2015-8386, CVE-2015-8387, CVE-2015-8389,     CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,     CVE-2015-8394)

  - A flaw exists in file ext/standard/exec.c in the     escapeshellcmd() and escapeshellarg() functions due to     the program truncating NULL bytes in strings. A remote     attacker can exploit this to bypass restrictions.

  - A flaw exists in file ext/standard/streamsfuncs.c in the     stream_get_meta_data() function due to a failure to     restrict writing user-supplied data to fields not     already set. A remote attacker can exploit this to     falsify the output of the function, resulting in the     insertion of malicious metadata.

  - A type confusion error exists in file ext/wddx/wddx.c in     the php_wddx_pop_element() function when deserializing     WDDX packets. A remote attacker can exploit this to have     an unspecified impact.

  - A flaw exists in file ext/phar/phar_object.c in the     PharFileInfo::getContent() method due to the use of     uninitialized memory causing improper validation of     user-supplied input. A remote attacker can exploit this     to corrupt memory, resulting in a denial of service or     the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in file     ext/phar/tar.c in the phar_tar_setupmetadata() function     when parsing metadata from a crafted TAR file. A remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in file     ext/standard/iptc.c in the iptcembed() function due to     improper validation of user-supplied input. A remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service or the     execution of arbitrary code.

  - An overflow condition exists in file ext/phar/tar.c in     the phar_parse_tarfile() function due to improper     validation of user-supplied input when decompressing     TAR files. A remote attacker can exploit this to cause     a stack-based buffer overflow, resulting in a denial of     service or the execution of arbitrary code.
    (CVE-2016-2554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

PHP reports :

- Core :

- Fixed bug #71039 (exec functions ignore length but look for NULL termination).

- Fixed bug #71323 (Output of stream_get_meta_data can be falsified by its input).

- Fixed bug #71459 (Integer overflow in iptcembed()).

- PCRE :

- Upgraded bundled PCRE library to 8.38.(CVE-2015-8383, CVE-2015-8386, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)

- Phar :

- Fixed bug #71354 (Heap corruption in tar/zip/phar parser).

- Fixed bug #71391 (NULL pointer Dereference in phar_tar_setupmetadata()).

- Fixed bug #71488 (Stack overflow when decompressing tar archives).
(CVE-2016-2554)

- WDDX :

- Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization).

ID	Name	Product	Family	Severity
98848	PHP 7.0.x < 7.0.3 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
98807	PHP 5.6.x < 5.6.18 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
95915	SUSE SLED12 / SLES12 Security Update : pcre (SUSE-SU-2016:3161-1)	Nessus	SuSE Local Security Checks	high
95754	openSUSE Security Update : pcre (openSUSE-2016-1448)	Nessus	SuSE Local Security Checks	high
95534	SUSE SLED12 / SLES12 Security Update : pcre (SUSE-SU-2016:2971-1)	Nessus	SuSE Local Security Checks	high
93343	Tenable SecurityCenter < 5.3.0 Multiple Vulnerabilities (TNS-2016-04)	Nessus	Misc.	medium
92667	F5 Networks BIG-IP : Multiple PCRE vulnerabilities (K20225390)	Nessus	F5 Networks Local Security Checks	high
91983	GLSA-201607-02 : libpcre: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
90306	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 : pcre3 vulnerabilities (USN-2943-1)	Nessus	Ubuntu Local Security Checks	high
89647	Fedora 23 : mingw-pcre-8.38-1.fc23 (2016-fd1199dbe2)	Nessus	Fedora Local Security Checks	high
89641	Fedora 22 : mingw-pcre-8.38-1.fc22 (2016-f59a8ff5d0)	Nessus	Fedora Local Security Checks	high
89447	Fedora 22 : pcre-8.38-1.fc22 (2015-eb896290d3)	Nessus	Fedora Local Security Checks	high
9093	PHP 5.5.x < 5.5.32 / 5.6.x < 5.6.18 / 7.0.x < 7.0.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	critical
88695	PHP 7.0.x < 7.0.3 Multiple Vulnerabilities	Nessus	CGI abuses	critical
88694	PHP 5.6.x < 5.6.18 Multiple Vulnerabilities	Nessus	CGI abuses	critical
88693	PHP 5.5.x < 5.5.32 Multiple Vulnerabilities	Nessus	CGI abuses	critical
88671	FreeBSD : php -- multiple vulnerabilities (85eb4e46-cf16-11e5-840f-485d605f4717)	Nessus	FreeBSD Local Security Checks	critical

CVE-2015-8383

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins