http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

openSUSE-SU-2016:1274

SUSE-SU-2016:1277

openSUSE-SU-2016:1373

RHSA-2016:2750

[oss-security] 20160423 Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases

http://www.php.net/ChangeLog-5.php

87470

USN-2952-1

USN-2952-2

https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817

https://bugs.php.net/bug.php?id=64938

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The get_icu_disp_value_src_php function in     ext/intl/locale/locale_methods.c in PHP before 5.3.29,     5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not     properly restrict calls to the ICU uresbund.cpp     component, which allows remote attackers to cause a     denial of service (buffer overflow) or possibly have     unspecified other impact via a locale_get_display_name     call with a long first argument.(CVE-2014-9912)

  - Use-after-free vulnerability in the spl_ptr_heap_insert     function in ext/spl/spl_heap.c in PHP before 5.5.27 and     5.6.x before 5.6.11 allows remote attackers to execute     arbitrary code by triggering a failed     SplMinHeap::compare operation.(CVE-2015-4116)

  - A flaw was found in the way the way PHP's Phar     extension parsed Phar archives. A specially crafted     archive could cause PHP to crash or, possibly, execute     arbitrary code when opened.(CVE-2015-7803)

  - A flaw was found in the way the way PHP's Phar     extension parsed Phar archives. A specially crafted     archive could cause PHP to crash or, possibly, execute     arbitrary code when opened.(CVE-2015-7804)

  - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x     before 5.6.6, when PHP-FPM is used, does not isolate     each thread from libxml_disable_entity_loader changes     in other threads, which allows remote attackers to     conduct XML External Entity (XXE) and XML Entity     Expansion (XEE) attacks via a crafted XML document, a     related issue to CVE-2015-5161.(CVE-2015-8866)

  - Stack consumption vulnerability in GD in PHP before     5.6.12 allows remote attackers to cause a denial of     service via a crafted imagefilltoborder     call.(CVE-2015-8874)

  - It was found that the exif_convert_any_to_int()     function in PHP was vulnerable to floating point     exceptions when parsing tags in image files. A remote     attacker with the ability to upload a malicious image     could crash PHP, causing a Denial of     Service.(CVE-2016-10158)

  - Integer overflow in the phar_parse_pharfile function in     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before     7.0.15 allows remote attackers to cause a denial of     service (memory consumption or application crash) via a     truncated manifest entry in a PHAR     archive.(CVE-2016-10159)

  - The php_url_parse_ex function in ext/standard/url.c in     PHP before 5.5.38 allows remote attackers to cause a     denial of service (buffer over-read) or possibly have     unspecified other impact via vectors involving the     smart_str data type.(CVE-2016-6288)

  - The exif_process_IFD_in_MAKERNOTE function in     ext/exif/exif.c in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9 allows remote attackers to     cause a denial of service (out-of-bounds array access     and memory corruption), obtain sensitive information     from process memory, or possibly have unspecified other     impact via a crafted JPEG image.(CVE-2016-6291)

  - The exif_process_user_comment function in     ext/exif/exif.c in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9 allows remote attackers to     cause a denial of service (NULL pointer dereference and     application crash) via a crafted JPEG     image.(CVE-2016-6292)

  - The locale_accept_from_http function in     ext/intl/locale/locale_methods.c in PHP before 5.5.38,     5.6.x before 5.6.24, and 7.x before 7.0.9 does not     properly restrict calls to the ICU     uloc_acceptLanguageFromHTTP function, which allows     remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a call with a long argument.(CVE-2016-6294)

  - ext/session/session.c in PHP before 5.6.25 and 7.x     before 7.0.10 skips invalid session names in a way that     triggers incorrect parsing, which allows remote     attackers to inject arbitrary-type session data by     leveraging control of a session name, as demonstrated     by object injection.(CVE-2016-7125)

  - The exif_process_IFD_in_TIFF function in     ext/exif/exif.c in PHP before 5.6.25 and 7.x before     7.0.10 mishandles the case of a thumbnail offset that     exceeds the file size, which allows remote attackers to     obtain sensitive information from process memory via a     crafted TIFF image.(CVE-2016-7128)

  - The php_wddx_push_element function in ext/wddx/wddx.c     in PHP before 5.6.26 and 7.x before 7.0.11 allows     remote attackers to cause a denial of service (invalid     pointer access and out-of-bounds read) or possibly have     unspecified other impact via an incorrect boolean     element in a wddxPacket XML document, leading to     mishandling in a wddx_deserialize call.(CVE-2016-7418)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x     before 7.1.7, a stack-based buffer overflow in the     zend_ini_do_op() function in Zend/zend_ini_parser.c     could cause a denial of service or potentially allow     executing code. NOTE: this is only relevant for PHP     applications that accept untrusted input (instead of     the system's php.ini file) for the parse_ini_string or     parse_ini_file function, e.g., a web application for     syntax validation of php.ini     directives.(CVE-2017-11628)

  - An issue was discovered in PHP before 5.6.35, 7.0.x     before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before     7.2.4. Dumpable FPM child processes allow bypassing     opcache access controls because fpm_unix.c makes a     PR_SET_DUMPABLE prctl call, allowing one user (in a     multiuser environment) to obtain sensitive information     from the process memory of a second user's PHP     applications by running gcore on the PID of the PHP-FPM     worker process.(CVE-2018-10545)

  - An issue was discovered in ext/phar/phar_object.c in     PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before     7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS     on the PHAR 403 and 404 error pages via request data of     a request for a .phar file.(CVE-2018-10547)

  - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP     before 5.6.37, 7.0.x before 7.0.31, 7.1.x before     7.1.20, and 7.2.x before 7.2.8 allows remote attackers     to cause a denial of service (out-of-bounds read and     application crash) via a crafted JPEG     file.(CVE-2018-14851)

  - A cross-site scripting (XSS) vulnerability in Apache2     component of PHP was found. When using     'Transfer-Encoding: chunked', the request allows remote     attackers to potentially run a malicious script in a     victim's browser. This vulnerability can be exploited     only by producing malformed requests and it's believed     it's unlikely to be used in practical cross-site     scripting attack.(CVE-2018-17082)

  - gd_gif_in.c in the GD Graphics Library (aka libgd), as     used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x     before 7.1.13, and 7.2.x before 7.2.1, has an integer     signedness error that leads to an infinite loop via a     crafted GIF file, as demonstrated by a call to the     imagecreatefromgif or imagecreatefromstring PHP     function. This is related to GetCode_ and     gdImageCreateFromGifCtx.(CVE-2018-5711)

  - An issue was discovered in PHP before 5.6.33, 7.0.x     before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before     7.2.1. There is Reflected XSS on the PHAR 404 error     page via the URI of a request for a .phar     file.(CVE-2018-5712)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An out-of-bounds write flaw was found in the     fpm_log_write() logging function of PHP's FastCGI     Process Manager service. A remote attacker could     repeatedly send maliciously crafted requests to force     FPM to exhaust file system space, creating a denial of     service and preventing further logging.(CVE-2016-5114)

  - spl_array.c in the SPL extension in PHP before 5.5.37     and 5.6.x before 5.6.23 improperly interacts with the     unserialize implementation and garbage collection,     which allows remote attackers to execute arbitrary code     or cause a denial of service (use-after-free and     application crash) via crafted serialized     data.(CVE-2016-5771)

  - php_zip.c in the zip extension in PHP before 5.5.37,     5.6.x before 5.6.23, and 7.x before 7.0.8 improperly     interacts with the unserialize implementation and     garbage collection, which allows remote attackers to     execute arbitrary code or cause a denial of service     (use-after-free and application crash) via crafted     serialized data containing a ZipArchive     object.(CVE-2016-5773)

  - Integer overflow in the fread function in     ext/standard/file.c in PHP before 5.5.36 and 5.6.x     before 5.6.22 allows remote attackers to cause a denial     of service or possibly have unspecified other impact     via a large integer in the second     argument.(CVE-2016-5096)

  - The bcpowmod function in ext/bcmath/bcmath.c in PHP     before 5.5.35, 5.6.x before 5.6.21, and 7.x before     7.0.6 accepts a negative integer for the scale     argument, which allows remote attackers to cause a     denial of service or possibly have unspecified other     impact via a crafted call.(CVE-2016-4537)

  - The bcpowmod function in ext/bcmath/bcmath.c in PHP     before 5.5.35, 5.6.x before 5.6.21, and 7.x before     7.0.6 modifies certain data structures without     considering whether they are copies of the _zero_,
    _one_, or _two_ global variable, which allows remote     attackers to cause a denial of service or possibly have     unspecified other impact via a crafted     call.(CVE-2016-4538)

  - The file_check_mem function in funcs.c in file before     5.23, as used in the Fileinfo component in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5,     mishandles continuation-level jumps, which allows     context-dependent attackers to cause a denial of     service (buffer overflow and application crash) or     possibly execute arbitrary code via a crafted magic     file.(CVE-2015-8865)

  - A flaw was found in the way the way PHP's Phar     extension parsed Phar archives. A specially crafted     archive could cause PHP to crash or, possibly, execute     arbitrary code when opened.(CVE-2015-5590)

  - Use-after-free vulnerability in the wddx_stack_destroy     function in ext/wddx/wddx.c in PHP before 5.6.26 and     7.x before 7.0.11 allows remote attackers to cause a     denial of service or possibly have unspecified other     impact via a wddxPacket XML document that lacks an     end-tag for a recordset field element, leading to     mishandling in a wddx_deserialize call.(CVE-2016-7413)

  - Integer overflow in the phar_parse_pharfile function in     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before     7.0.15 allows remote attackers to cause a denial of     service (memory consumption or application crash) via a     truncated manifest entry in a PHAR     archive.(CVE-2016-10159)

  - It was found that the exif_convert_any_to_int()     function in PHP was vulnerable to floating point     exceptions when parsing tags in image files. A remote     attacker with the ability to upload a malicious image     could crash PHP, causing a Denial of     Service.(CVE-2016-10158)

  - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x     before 5.6.6, when PHP-FPM is used, does not isolate     each thread from libxml_disable_entity_loader changes     in other threads, which allows remote attackers to     conduct XML External Entity (XXE) and XML Entity     Expansion (XEE) attacks via a crafted XML document, a     related issue to CVE-2015-5161.(CVE-2015-8866)

  - Use-after-free vulnerability in the spl_ptr_heap_insert     function in ext/spl/spl_heap.c in PHP before 5.5.27 and     5.6.x before 5.6.11 allows remote attackers to execute     arbitrary code by triggering a failed     SplMinHeap::compare operation.(CVE-2015-4116)

  - Integer overflow in the virtual_file_ex function in     TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x     before 5.6.24, and 7.x before 7.0.9 allows remote     attackers to cause a denial of service (stack-based     buffer overflow) or possibly have unspecified other     impact via a crafted extract operation on a ZIP     archive.(CVE-2016-6289)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.6. It is, therefore, affected by multiple vulnerabilities :

 - A heap-based buffer overflow flaw in the GNU C Library (glibc) due to improperly validating user-supplied input in the glibc functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). This allows a remote attacker to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2015-0235)

 - A use-after-free flaw exists in the function php_date_timezone_initialize_from_hash() within the 'ext/date/php_date.c' script. An attacker can exploit this to access sensitive information or crash applications linked to PHP. (CVE-2015-0273)

 - An XML External Entity (XXE) flaw exists in the PHP-FPM component due to improper parsing of XML data. A remote attacker can exploit this, via specially crafted XML data, to disclose sensitive information or cause a denial of service. (CVE-2015-8866)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

This update for php5 fixes the following security issues :

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

  - CVE-2016-4071: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string formatting in     php_snmp_error() (bsc#977000)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP 5.5.x prior to 5.5.37, or 5.6.x prior to 5.6.23, or 7.0.x prior to 7.0.8 are vulnerable to the following issues :

 - PHP 'ext/mysqlnd/mysqlnd.c' contains a flaw that is due to the program failing to properly enforce the requirement of an SSL/TLS connection when the '--ssl client' option is used. This may allow a MitM (Man-in-the-Middle) attacker to downgrade the connection to plain HTTP when expected to be HTTPS. (CVE-2015-8838)
 - An integer overflow condition exists in the 'getFromIndex()'' and 'getFromName()' methods of 'ZipArchive'. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted ZIP file. This may allow an attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-3078)
 - An XXE (Xml eXternal Entity) injection and expansion flaw affects the 'libxml_disable_entity_loader()' function in the source file 'ext/libxml/libxml.c' in PHP-FPM that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to sensitive information or cause a denial of service. (CVE-2015-8866)
 - An integer overflow condition exists in the 'php_filter_encode_url()' function in 'ext/filter/sanitizing_filters.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4345)
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4346)
 - The program contains an out-of-bounds read flaw in 'ext/intl/grapheme/grapheme_string.c' that is triggered when handling negative offsets in 'zif_grapheme_stripos'. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4540, CVE-2016-4541)
 - An out-of-bounds read flaw exists in the 'php_str2num()' function in 'ext/bcmath/bcmath.c' that is triggered when accepting negative scales. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4537, CVE-2016-4538)
 - An out-of-bounds read flaw exists in the 'exif_read_data()' function in 'ext/exif/exif.c' that is triggered when handling exif headers. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
 - A flaw in the 'xml_parse_into_struct()' function in 'ext/xml/xml.c' is triggered during the handling of a specially crafted XML content. This may allow a remote attacker to cause a denial of service. (CVE-2016-4539)
 - A double-free flaw exists in the 'php_formatted_print()' function in 'ext/standard/formatted_print.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-8880)
 - A flaw exists in 'main/php_open_temporary_file.c' that is triggered as thread safety is not ensured during the handling of temporary directories. This may allow a remote attacker to cause a denial of service. (CVE-2015-8878)
 - An integer overflow flaw exists in the 'php_html_entities()' and 'php_filter_full_special_chars()' functions in 'ext/standard/html.c' that is triggered as input is not properly validated. This may allow a remote attacker to have an unspecified impact. No further details have been provided. (CVE-2016-5094, CVE-2016-5095)
 - An integer underflow issue exists in 'ext/standard/file.c' that is triggered as input is not properly validated. This may allow a remote attacker to cause a NULL write and cause a process linked against PHP to crash. (CVE-2016-5096)
 - An out-of-bounds read flaw exists in the '_gdContributionsCalc()' function in 'ext/gd/libgd/gd_interpolation.c'. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2013-7456)
 - An out-of-bounds read flaw exists in the 'get_icu_value_internal()' function within 'ext/intl/locale/locale_methods.c' that is triggered when handling user-supplied input. This may allow a remote attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-5093)
 - A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'header()' function does not filter input passed via HTTP headers before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2015-8935)
 - A use-after-free error exists in the garbage collection algorithm in 'ext/zip/php_zip.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5773)
 - An integer overflow condition exists in the 'json_decode()' and 'json_utf8_to_utf16()' functions in 'ext/standard/php_smart_str.h'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, causing a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code.
 - An out-of-bounds read flaw exists within the 'pass2_no_dither()' function inside 'ext/gd/libgd/gd_topal.c' that may allow a remote attacker to crash a process utilizing PHP or potentially disclose memory contents.
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string lengths. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw exists within the '_php_mb_regex_ereg_replace_exec()' function inside 'ext/mbstring/php_mbregex.c' that is triggered when handling a failed callback execution. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5768)
 - An integer overflow condition exists in 'ext/spl/spl_directory.c'. The issue is triggered by an 'int/size_t' confusion issue. This may allow a remote attacker to have an unspecified impact. (CVE-2016-5770)
 - An integer overflow condition exists in 'ext/mcrypt/mcrypt.c'. The issue is triggered as user-supplied input is not properly validated when handling data values. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5769)
 - An integer overflow condition exists within the 'nl2br()' function inside 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling new_length values. This may allow a remote attacker to have an unspecified impact.
 - An integer overflow condition exists within multiple functions in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string values. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw within the 'php_wddx_process_data()' function inside 'ext/wddx/wddx.c' that is triggered during the handling of specially crafted XML content. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5772)
 - An integer overflow condition exists witin the 'gdImagePaletteToTrueColor()' function inside 'ext/gd/libgd/gd.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5767)
 - An invalid free flaw exists within the 'phar_extract_file()' function inside 'ext/phar/phar_object.c'. This may allow a remote attacker to have an unspecified impact. (CVE-2016-4473)
 - An integer overflow condition exists within the '_gd2GetHeader()' function inside 'ext/gd/libgd/gd_gd2.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5766)
 - A use-after-free error exists within the garbage collection algorithm inside 'ext/spl/spl_array.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5771)

This update for php53 fixes the following issues :

  - CVE-2016-5093: A get_icu_value_internal out-of-bounds     read could crash the php interpreter (bsc#982010)

  - CVE-2016-5094,CVE-2016-5095: Don't allow creating     strings with lengths outside int range, avoids overflows     (bsc#982011,bsc#982012)

  - CVE-2016-5096: A int/size_t confusion in fread could     corrupt memory (bsc#982013)

  - CVE-2016-5114: A fpm_log.c memory leak and buffer     overflow could leak information out of the php process     or overwrite a buffer by 1 byte (bsc#982162)

  - CVE-2016-4346: A heap overflow was fixed in     ext/standard/string.c (bsc#977994)

  - CVE-2016-4342: A heap corruption was fixed in     tar/zip/phar parser (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepted negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

  - CVE-2015-8879: odbc_bindcols function in     ext/odbc/php_odbc.c mishandles driver behavior for     SQL_WVARCHAR (bsc#981050)

Also fixed previously on SUSE Linux Enterprise 11 SP4, but not yet shipped to SUSE Linux Enterprise Server 11 SP3 LTSS :

  - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM     (bnc#973792).

  - CVE-2015-8835: SoapClient s_call method suffered from a     type confusion issue that could have lead to crashes     [bsc#973351]

  - CVE-2016-2554: A NULL pointer dereference in     phar_get_fp_offset could lead to crashes. [bsc#968284]

  - CVE-2015-7803: A Stack overflow vulnerability when     decompressing tar phar archives could potentially lead     to code execution. [bsc#949961]

  - CVE-2016-3141: A use-after-free / double-free in the     WDDX deserialization could lead to crashes or potential     code execution. [bsc#969821]

  - CVE-2016-3142: An Out-of-bounds read in     phar_parse_zipfile() could lead to crashes. [bsc#971912]

  - CVE-2014-9767: A directory traversal when extracting zip     files was fixed that could lead to overwritten files.
    [bsc#971612]

  - CVE-2016-3185: A type confusion vulnerability in     make_http_soap_request() could lead to crashes or     potentially code execution. [bsc#971611]

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2015-8865 The file_check_mem function in funcs.c in     file before 5.23, as used in the Fileinfo component in     PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before     7.0.5, mishandles continuation-level jumps, which allows     context-dependent attackers to cause a denial of service     (buffer overflow and application crash) or possibly     execute arbitrary code via a crafted magic file.

  - CVE-2015-8866 libxml_disable_entity_loader setting is     shared between threads ext/libxml/libxml.c in PHP before     5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used,     does not isolate each thread from     libxml_disable_entity_loader changes in other threads,     which allows remote attackers to conduct XML External     Entity (XXE) and XML Entity Expansion (XEE) attacks via     a crafted XML document, a related issue to     CVE-2015-5161.

  - CVE-2015-8878 main/php_open_temporary_file.c in PHP     before 5.5.28 and 5.6.x before 5.6.12 does not ensure     thread safety, which allows remote attackers to cause a     denial of service (race condition and heap memory     corruption) by leveraging an application that performs     many temporary-file accesses.

  - CVE-2015-8879 The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles     driver behavior for SQL_WVARCHAR columns, which allows     remote attackers to cause a denial of service     (application crash) in opportunistic circumstances by     leveraging use of the odbc_fetch_array function to     access a certain type of Microsoft SQL Server table.

  - CVE-2016-4070 Integer overflow in the php_raw_url_encode     function in ext/standard/url.c in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to cause a denial of service (application     crash) via a long string to the rawurlencode function.

  - CVE-2016-4071 Format string vulnerability in the     php_snmp_error function in ext/snmp/snmp.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows     remote attackers to execute arbitrary code via format     string specifiers in an SNMP::get call.

  - CVE-2016-4072 The Phar extension in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via a crafted     filename, as demonstrated by mishandling of \0     characters by the phar_analyze_path function in     ext/phar/phar.c.

  - CVE-2016-4073 Multiple integer overflows in the     mbfl_strcut function in     ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.

  - CVE-2016-4343 The phar_make_dirstream function in     ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before     7.0.3 mishandles zero-size ././@LongLink files, which     allows remote attackers to cause a denial of service     (uninitialized pointer dereference) or possibly have     unspecified other impact via a crafted TAR archive.

  - CVE-2016-4537 The bcpowmod function in     ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 accepts a negative integer     for the scale argument, which allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via a crafted call.

  - CVE-2016-4539 The xml_parse_into_struct function in     ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21,     and 7.x before 7.0.6 allows remote attackers to cause a     denial of service (buffer under-read and segmentation     fault) or possibly have unspecified other impact via     crafted XML data in the second argument, leading to a     parser level of zero.

  - CVE-2016-4540

  - CVE-2016-4541 The grapheme_strpos function in     ext/intl/grapheme/grapheme_string.c in before 5.5.35,     5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote     attackers to cause a denial of service (out-of-bounds     read) or possibly have unspecified other impact via a     negative offset.

  - CVE-2016-4542

  - CVE-2016-4543

  - CVE-2016-4544 The exif_process_* function in     ext/exif/exif.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 does not validate IFD     sizes, which allows remote attackers to cause a denial     of service (out-of-bounds read) or possibly have     unspecified other impact via crafted header data.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following security issues :

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

  - CVE-2016-4071: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string formatting in     php_snmp_error() (bsc#977000)

This update was imported from the SUSE:SLE-12:Update update project.

This update for php53 fixes the following security issues :

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2016-3074: Signedness vulnerability in bundled libgd     may have resulted in a heap overflow when processing     compressed gd2 data. (boo#976775)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

  - CVE-2016-4071: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string formatting in     php_snmp_error() (bsc#977000)

According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.6. It is, therefore, affected by multiple vulnerabilities :

  - A heap-based buffer overflow flaw in the     enchant_broker_request_dict function in     ext/enchant/enchant.c could allow a remote attacker     to cause a buffer overflow, resulting in     a denial of service condition or the execution of     arbitrary code. (CVE-2014-9705)

  - A heap-based buffer overflow flaw in the GNU C Library     (glibc) due to improperly validating user-supplied input     in the glibc functions __nss_hostname_digits_dots(),     gethostbyname(), and gethostbyname2(). This allows a     remote attacker to cause a buffer overflow, resulting in     a denial of service condition or the execution of     arbitrary code. (CVE-2015-0235)

  - A use-after-free flaw exists in the function     php_date_timezone_initialize_from_hash() within the     'ext/date/php_date.c' script. An attacker can exploit     this to access sensitive information or crash     applications linked to PHP. (CVE-2015-0273)

  - A use-after-free vulnerability in the     phar_rename_archive function in phar_object.c could     allow a remote attacker to cause a denial of service.
    (CVE-2015-2301)

  - An XML External Entity (XXE) flaw exists in the PHP-FPM     component due to improper parsing of XML data. A remote     attacker can exploit this, via specially crafted XML     data, to disclose sensitive information or cause a     denial of service. (CVE-2015-8866)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.22. It is, therefore, affected by multiple vulnerabilities :

  - A heap-based buffer overflow flaw in the     enchant_broker_request_dict function in     ext/enchant/enchant.c could allow a remote attacker     to cause a buffer overflow, resulting in     a denial of service condition or the execution of     arbitrary code. (CVE-2014-9705)

  - A heap-based buffer overflow flaw in the GNU C Library     (glibc) due to improperly validating user-supplied input     in the glibc functions __nss_hostname_digits_dots(),     gethostbyname(), and gethostbyname2(). This allows a     remote attacker to cause a buffer overflow, resulting in     a denial of service condition or the execution of     arbitrary code. (CVE-2015-0235)

  - A use-after-free flaw exists in the function     php_date_timezone_initialize_from_hash() within the     'ext/date/php_date.c' script. An attacker can exploit     this to access sensitive information or crash     applications linked to PHP. (CVE-2015-0273)

  - A use-after-free vulnerability in the     phar_rename_archive function in phar_object.c could     allow a remote attacker to cause a denial of service.
    (CVE-2015-2301)

  - An XML External Entity (XXE) flaw exists in the PHP-FPM     component due to improper parsing of XML data. A remote     attacker can exploit this, via specially crafted XML     data, to disclose sensitive information or cause a     denial of service. (CVE-2015-8866)     Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
137966	EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2020-1747)	Nessus	Huawei Local Security Checks	critical
132184	EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)	Nessus	Huawei Local Security Checks	critical
129178	EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1984)	Nessus	Huawei Local Security Checks	high
128917	EulerOS 2.0 SP2 : php (EulerOS-SA-2019-1865)	Nessus	Huawei Local Security Checks	high
98829	PHP 5.6.x < 5.6.6 Multiple Vulnerabilities (GHOST)	Web Application Scanning	Component Vulnerability	critical
119976	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:1277-1)	Nessus	SuSE Local Security Checks	high
93161	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)	Nessus	SuSE Local Security Checks	critical
9393	PHP 5.5.x < 5.5.37 / 5.6.x < 5.6.23 / 7.0.x < 7.0.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
91665	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)	Nessus	SuSE Local Security Checks	critical
91397	Debian DLA-499-1 : php5 security update	Nessus	Debian Local Security Checks	high
91290	openSUSE Security Update : php5 (openSUSE-2016-626)	Nessus	SuSE Local Security Checks	high
91247	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1310-1)	Nessus	SuSE Local Security Checks	high
91071	openSUSE Security Update : php5 (openSUSE-2016-576)	Nessus	SuSE Local Security Checks	high
81512	PHP 5.6.x < 5.6.6 Multiple Vulnerabilities (GHOST)	Nessus	CGI abuses	critical
81511	PHP 5.5.x < 5.5.22 Multiple Vulnerabilities (GHOST)	Nessus	CGI abuses	critical

CVE-2015-8866

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins