openSUSE-SU-2016:1524

http://php.net/ChangeLog-5.php

RHSA-2016:2750

DSA-3587

USN-2987-1

https://bugs.php.net/bug.php?id=66387

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The get_icu_disp_value_src_php function in     ext/intl/locale/locale_methods.c in PHP before 5.3.29,     5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not     properly restrict calls to the ICU uresbund.cpp     component, which allows remote attackers to cause a     denial of service (buffer overflow) or possibly have     unspecified other impact via a locale_get_display_name     call with a long first argument.(CVE-2014-9912)

  - Use-after-free vulnerability in the spl_ptr_heap_insert     function in ext/spl/spl_heap.c in PHP before 5.5.27 and     5.6.x before 5.6.11 allows remote attackers to execute     arbitrary code by triggering a failed     SplMinHeap::compare operation.(CVE-2015-4116)

  - A flaw was found in the way the way PHP's Phar     extension parsed Phar archives. A specially crafted     archive could cause PHP to crash or, possibly, execute     arbitrary code when opened.(CVE-2015-7803)

  - A flaw was found in the way the way PHP's Phar     extension parsed Phar archives. A specially crafted     archive could cause PHP to crash or, possibly, execute     arbitrary code when opened.(CVE-2015-7804)

  - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x     before 5.6.6, when PHP-FPM is used, does not isolate     each thread from libxml_disable_entity_loader changes     in other threads, which allows remote attackers to     conduct XML External Entity (XXE) and XML Entity     Expansion (XEE) attacks via a crafted XML document, a     related issue to CVE-2015-5161.(CVE-2015-8866)

  - Stack consumption vulnerability in GD in PHP before     5.6.12 allows remote attackers to cause a denial of     service via a crafted imagefilltoborder     call.(CVE-2015-8874)

  - It was found that the exif_convert_any_to_int()     function in PHP was vulnerable to floating point     exceptions when parsing tags in image files. A remote     attacker with the ability to upload a malicious image     could crash PHP, causing a Denial of     Service.(CVE-2016-10158)

  - Integer overflow in the phar_parse_pharfile function in     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before     7.0.15 allows remote attackers to cause a denial of     service (memory consumption or application crash) via a     truncated manifest entry in a PHAR     archive.(CVE-2016-10159)

  - The php_url_parse_ex function in ext/standard/url.c in     PHP before 5.5.38 allows remote attackers to cause a     denial of service (buffer over-read) or possibly have     unspecified other impact via vectors involving the     smart_str data type.(CVE-2016-6288)

  - The exif_process_IFD_in_MAKERNOTE function in     ext/exif/exif.c in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9 allows remote attackers to     cause a denial of service (out-of-bounds array access     and memory corruption), obtain sensitive information     from process memory, or possibly have unspecified other     impact via a crafted JPEG image.(CVE-2016-6291)

  - The exif_process_user_comment function in     ext/exif/exif.c in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9 allows remote attackers to     cause a denial of service (NULL pointer dereference and     application crash) via a crafted JPEG     image.(CVE-2016-6292)

  - The locale_accept_from_http function in     ext/intl/locale/locale_methods.c in PHP before 5.5.38,     5.6.x before 5.6.24, and 7.x before 7.0.9 does not     properly restrict calls to the ICU     uloc_acceptLanguageFromHTTP function, which allows     remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a call with a long argument.(CVE-2016-6294)

  - ext/session/session.c in PHP before 5.6.25 and 7.x     before 7.0.10 skips invalid session names in a way that     triggers incorrect parsing, which allows remote     attackers to inject arbitrary-type session data by     leveraging control of a session name, as demonstrated     by object injection.(CVE-2016-7125)

  - The exif_process_IFD_in_TIFF function in     ext/exif/exif.c in PHP before 5.6.25 and 7.x before     7.0.10 mishandles the case of a thumbnail offset that     exceeds the file size, which allows remote attackers to     obtain sensitive information from process memory via a     crafted TIFF image.(CVE-2016-7128)

  - The php_wddx_push_element function in ext/wddx/wddx.c     in PHP before 5.6.26 and 7.x before 7.0.11 allows     remote attackers to cause a denial of service (invalid     pointer access and out-of-bounds read) or possibly have     unspecified other impact via an incorrect boolean     element in a wddxPacket XML document, leading to     mishandling in a wddx_deserialize call.(CVE-2016-7418)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x     before 7.1.7, a stack-based buffer overflow in the     zend_ini_do_op() function in Zend/zend_ini_parser.c     could cause a denial of service or potentially allow     executing code. NOTE: this is only relevant for PHP     applications that accept untrusted input (instead of     the system's php.ini file) for the parse_ini_string or     parse_ini_file function, e.g., a web application for     syntax validation of php.ini     directives.(CVE-2017-11628)

  - An issue was discovered in PHP before 5.6.35, 7.0.x     before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before     7.2.4. Dumpable FPM child processes allow bypassing     opcache access controls because fpm_unix.c makes a     PR_SET_DUMPABLE prctl call, allowing one user (in a     multiuser environment) to obtain sensitive information     from the process memory of a second user's PHP     applications by running gcore on the PID of the PHP-FPM     worker process.(CVE-2018-10545)

  - An issue was discovered in ext/phar/phar_object.c in     PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before     7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS     on the PHAR 403 and 404 error pages via request data of     a request for a .phar file.(CVE-2018-10547)

  - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP     before 5.6.37, 7.0.x before 7.0.31, 7.1.x before     7.1.20, and 7.2.x before 7.2.8 allows remote attackers     to cause a denial of service (out-of-bounds read and     application crash) via a crafted JPEG     file.(CVE-2018-14851)

  - A cross-site scripting (XSS) vulnerability in Apache2     component of PHP was found. When using     'Transfer-Encoding: chunked', the request allows remote     attackers to potentially run a malicious script in a     victim's browser. This vulnerability can be exploited     only by producing malformed requests and it's believed     it's unlikely to be used in practical cross-site     scripting attack.(CVE-2018-17082)

  - gd_gif_in.c in the GD Graphics Library (aka libgd), as     used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x     before 7.1.13, and 7.2.x before 7.2.1, has an integer     signedness error that leads to an infinite loop via a     crafted GIF file, as demonstrated by a call to the     imagecreatefromgif or imagecreatefromstring PHP     function. This is related to GetCode_ and     gdImageCreateFromGifCtx.(CVE-2018-5711)

  - An issue was discovered in PHP before 5.6.33, 7.0.x     before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before     7.2.1. There is Reflected XSS on the PHAR 404 error     page via the URI of a request for a .phar     file.(CVE-2018-5712)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the gd package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - Stack consumption vulnerability in GD in PHP before     5.6.12 allows remote attackers to cause a denial of     service via a crafted imagefilltoborder     call.(CVE-2015-8874)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.x prior to 7.0.0. It is, therefore, affected by the following vulnerabilities:

  - A directory traversal vulnerability in the     ZipArchive::extractTo function of ext/zip/php_zip.c     script. An unauthenticated, remote attacker can exploit     this, by sending a crafted ZIP archive with empty     directories, to disclose the contents of files located     outside of the server's restricted path. (CVE-2014-9767)

  - The openssl_random_pseudo_bytes() function in file     openssl.c does not generate sufficiently random numbers.
    This allows an attacker to more easily predict the     results, thus allowing further attacks to be carried     out. (CVE-2015-8867)

  - A denial of service (DoS) vulnerability exists in the GD     graphics library in the gdImageFillToBorder() function     within file gd.c when handling crafted images that have     an overly large negative coordinate. An unauthenticated,     remote attacker can exploit this, via a crafted image,     to crash processes linked against the library.
    (CVE-2015-8874)

  - A denial of service (DoS) vulnerability exists in     odbc_bindcols function of the ext/odbc/php_odbc.c script     due to mishandling driver behavior for SQL_WVARCHAR     columns. An unauthenticated, remote attacker can exploit     this issue, via the use of odbc_fetch_array function, to     cause the application to stop responding. (CVE-2015-8879)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.12. It is, therefore, affected by multiple vulnerabilities :

 - A use-after-free error exists in file spl_dllist.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplDoublyLinkedList object, to deference freed memory and thus execute arbitrary code.

 - A use-after-free error exists in file spl_observer.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplObjectStorage object, to deference freed memory and thus execute arbitrary code.

 - A use-after-free error exists in file spl_array.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplArrayObject object, to deference freed memory and thus execute arbitrary code.

 - A flaw exists in file zend_exceptions.c due to the improper use of the function unserialize() during recursive method calls. A remote attacker can exploit this to crash an application using PHP.

 - A flaw exists in file zend_exceptions.c due to insufficient type checking by functions unserialize() and __toString(). A remote attacker can exploit this to cause a NULL pointer deference or unexpected method execution, thus causing an application using PHP to crash.

 - A path traversal flaw exists in file phar_object.c due to improper sanitization of user-supplied input. An attacker can exploit this to write arbitrary files.

 - Multiple type confusion flaws exist in the _call() method in file php_http.c when handling calls for zend_hash_get_current_key or 'Z*'. An attacker can exploit this to disclose memory contents or crash an application using PHP.

 - A dangling pointer error exists in file spl_array.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplDoublyLinkedList object, to gain control over a deallocated pointer and thus execute arbitrary code.

 - A flaw exists in the file gd.c due to the improper handling of images with large negative coordinates by the imagefilltoborder() function. An attacker can exploit this to cause a stack overflow, thus crashing an application using PHP.

 - A flaw exists in the file php_odbc.c when the odbc_fetch_array() function handles columns that are defined as NVARCHAR(MAX). An attacker can exploit this to crash an application using PHP.

 - The openssl_random_pseudo_bytes() function in file openssl.c does not generate sufficiently random numbers. This allows an attacker to more easily predict the results, thus allowing further attacks to be carried out.

 - A user-after-free error exists in the unserialize() function in spl_observer.c due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - A type confusion flaw exists in the serialize_function_call() function in soap.c due to improper validation of input passed via the header field. A remote attacker can exploit this to execute arbitrary code.

 - A use-after-free error exists in the unserialize() function in spl_dllist.c that is triggered during the deserialization of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - A user-after-free error exists in the gmp_unserialize() function in gmp.c due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - An integer truncation flaw exists in the zend_hash_compare() function in zend_hash.c that is triggered when comparing arrays. A remote attacker can exploit this to cause arrays to be improperly matched during comparison.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for php5 fixes the following issues :

Security issues fixed :

  - CVE-2016-4346: heap overflow in ext/standard/string.c     (bsc#977994)

  - CVE-2016-4342: heap corruption in tar/zip/phar parser     (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepts negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.
(CVE-2015-8874)

An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted GD2 image.
(CVE-2016-5766)

An integer overflow, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted image buffer.
(CVE-2016-5767)

A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768)

The mcrypt_generic() and mdecrypt_generic() functions are prone to integer overflows, resulting in a heap-based overflow. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5769)

A type confusion issue was found in the SPLFileObject fread() function. A remote attacker able to submit a specially crafted input to a PHP application, which uses this function, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5770)

A use-after-free vulnerability that can occur when calling unserialize() on untrusted input was discovered. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application if the application unserializes untrusted input. (CVE-2016-5771 , CVE-2016-5773)

A double free can occur in wddx_deserialize() when trying to deserialize malicious XML input from user's request. This flaw could possibly cause a PHP application to crash. (CVE-2016-5772)

It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request.
(CVE-2016-5385)

(Updated on 2016-08-17: CVE-2016-5385 was fixed in this release but was not previously part of this errata)

- fix for stack overflow with gdImageFillToBorder     (CVE-2015-8874)

  - fix integer Overflow in _gd2GetHeader() (CVE-2016-5766)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**Version 2.2.2**

Security related fixes :

  - Integer Overflow in gdImagePaletteToTrueColor()     resulting in heap overflow (CVE-2016-5767)

  - Stack overflow with gdImageFillToBorder (CVE-2015-8874)

  - Integer Overflow in _gd2GetHeader() resulting in heap     overflow (CVE-2016-5766)

  - NULL pointer Dereference at _gdScaleVert

  - Integer Overflow in gdImagePaletteToTrueColor() in heap     overflow

Numerous other fixes have been applied. The scale and rotation functions have been greatly improved as well.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.37. It is, therefore, affected by multiple vulnerabilities :

  - A denial of service vulnerability exists in the GD     graphics library in the gdImageFillToBorder() function     within file gd.c when handling crafted images that have     an overly large negative coordinate. An unauthenticated,     remote attacker can exploit this, via a crafted image,     to crash processes linked against the library.
    (CVE-2015-8874)

  - An integer overflow condition exists in the
    _gd2GetHeader() function in file ext/gd/libgd/gd_gd2.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-5766)

  - An integer overflow condition exists in the     gdImagePaletteToTrueColor() function within file     ext/gd/libgd/gd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-5767)

  - A double-free error exists in the
    _php_mb_regex_ereg_replace_exec() function within file     ext/mbstring/php_mbregex.c when handling a failed     callback execution. An unauthenticated, remote attacker     can exploit this to execute arbitrary code.
    (CVE-2016-5768)

  - An integer overflow condition exists within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input when handling data values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-5769)

  - An integer overflow condition exists within file     ext/spl/spl_directory.c, triggered by an int/size_t     type confusion error, that allows an unauthenticated,     remote attacker to have an unspecified impact.
    (CVE-2016-5770)

  - A use-after-free error exists in the garbage collection     algorithm within file ext/spl/spl_array.c. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-5771)

  - A double-free error exists in the     php_wddx_process_data() function within file     ext/wddx/wddx.c when handling specially crafted XML     content. An unauthenticated, remote attacker     can exploit this to execute arbitrary code.
    (CVE-2016-5772)

  - A use-after-free error exists in the garbage collection     algorithm within file ext/zip/php_zip.c. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-5773)

  - An integer overflow condition exists in the     json_decode() and json_utf8_to_utf16() functions within     file ext/standard/php_smart_str.h due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.

  - An out-of-bounds read error exists in the     pass2_no_dither() function within file     ext/gd/libgd/gd_topal.c that allows an unauthenticated,     remote attacker to cause a denial of service condition     or disclose memory contents.

  - An integer overflow condition exists within file     ext/standard/string.c when handling string lengths due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact.

  - A NULL pointer dereference flaw exists in the
    _gdScaleVert() function within file     ext/gd/libgd/gd_interpolation.c that is triggered when     handling _gdContributionsCalc return values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - An integer overflow condition exists in the nl2br()     function within file ext/standard/string.c when handling     new_length values due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

  - An integer overflow condition exists in multiple     functions within file ext/standard/string.c when     handling string values due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The PHP Group reports :

Please reference CVE/URL list for details

This update for php53 fixes the following issues :

  - CVE-2016-5093: A get_icu_value_internal out-of-bounds     read could crash the php interpreter (bsc#982010)

  - CVE-2016-5094,CVE-2016-5095: Don't allow creating     strings with lengths outside int range, avoids overflows     (bsc#982011,bsc#982012)

  - CVE-2016-5096: A int/size_t confusion in fread could     corrupt memory (bsc#982013)

  - CVE-2016-5114: A fpm_log.c memory leak and buffer     overflow could leak information out of the php process     or overwrite a buffer by 1 byte (bsc#982162)

  - CVE-2016-4346: A heap overflow was fixed in     ext/standard/string.c (bsc#977994)

  - CVE-2016-4342: A heap corruption was fixed in     tar/zip/phar parser (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepted negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

  - CVE-2015-8879: odbc_bindcols function in     ext/odbc/php_odbc.c mishandles driver behavior for     SQL_WVARCHAR (bsc#981050)

Also fixed previously on SUSE Linux Enterprise 11 SP4, but not yet shipped to SUSE Linux Enterprise Server 11 SP3 LTSS :

  - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM     (bnc#973792).

  - CVE-2015-8835: SoapClient s_call method suffered from a     type confusion issue that could have lead to crashes     [bsc#973351]

  - CVE-2016-2554: A NULL pointer dereference in     phar_get_fp_offset could lead to crashes. [bsc#968284]

  - CVE-2015-7803: A Stack overflow vulnerability when     decompressing tar phar archives could potentially lead     to code execution. [bsc#949961]

  - CVE-2016-3141: A use-after-free / double-free in the     WDDX deserialization could lead to crashes or potential     code execution. [bsc#969821]

  - CVE-2016-3142: An Out-of-bounds read in     phar_parse_zipfile() could lead to crashes. [bsc#971912]

  - CVE-2014-9767: A directory traversal when extracting zip     files was fixed that could lead to overwritten files.
    [bsc#971612]

  - CVE-2016-3185: A type confusion vulnerability in     make_http_soap_request() could lead to crashes or     potentially code execution. [bsc#971611]

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

  - CVE-2013-7456: imagescale out-of-bounds read     (bnc#982009).

  - CVE-2016-5093: get_icu_value_internal out-of-bounds read     (bnc#982010).

  - CVE-2016-5094: Don't create strings with lengths outside     int range (bnc#982011).

  - CVE-2016-5095: Don't create strings with lengths outside     int range (bnc#982012).

  - CVE-2016-5096: int/size_t confusion in fread     (bsc#982013).

  - CVE-2016-5114: fpm_log.c memory leak and buffer overflow     (bnc#982162).

  - CVE-2015-8877: The gdImageScaleTwoPass function in     gd_interpolation.c in the GD Graphics Library (aka     libgd), as used in PHP, used inconsistent allocate and     free approaches, which allowed remote attackers to cause     a denial of service (memory consumption) via a crafted     call, as demonstrated by a call to the PHP imagescale     function (bsc#981061).

  - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not     validate certain Exception objects, which allowed remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or trigger unintended     method execution via crafted serialized data     (bsc#981049).

  - CVE-2015-8879: The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP mishandled driver behavior     for SQL_WVARCHAR columns, which allowed remote attackers     to cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table Aliased: (bsc#981050).

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function in ext/spl/spl_heap.c in     PHP allowed remote attackers to execute arbitrary code     by triggering a failed SplMinHeap::compare operation     (bsc#980366).

  - CVE-2015-8874: Stack consumption vulnerability in GD in     PHP allowed remote attackers to cause a denial of     service via a crafted imagefilltoborder call     (bsc#980375).

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c in PHP allowed remote attackers     to cause a denial of service (segmentation fault) via     recursive method calls (bsc#980373).

  - CVE-2016-3074: Integer signedness error in GD Graphics     Library (aka libgd or libgd2) allowed remote attackers     to cause a denial of service (crash) or potentially     execute arbitrary code via crafted compressed gd2 data,     which triggers a heap-based buffer overflow     (bsc#976775).

This update for php5 fixes the following issues :

Security issues fixed :

  - CVE-2016-4346: heap overflow in ext/standard/string.c     (bsc#977994)

  - CVE-2016-4342: heap corruption in tar/zip/phar parser     (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepts negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

This update was imported from the SUSE:SLE-12:Update update project.

It was discovered that the GD library incorrectly handled certain color tables in XPM images. If a user or automated system were tricked into processing a specially crafted XPM image, an attacker could cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-2497)

It was discovered that the GD library incorrectly handled certain malformed GIF images. If a user or automated system were tricked into processing a specially crafted GIF image, an attacker could cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9709)

It was discovered that the GD library incorrectly handled memory when using gdImageFillToBorder(). A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-8874)

It was discovered that the GD library incorrectly handled memory when using gdImageScaleTwoPass(). A remote attacker could possibly use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2015-8877)

Hans Jerry Illikainen discovered that the GD library incorrectly handled certain malformed GD images. If a user or automated system were tricked into processing a specially crafted GD image, an attacker could cause a denial of service or possibly execute arbitrary code.
(CVE-2016-3074).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in libgd2, a library for programmatic graphics creation and manipulation. A remote attacker can take advantage of these flaws to cause a denial-of-service against an application using the libgd2 library.

It was discovered that there was a stack consumption vulnerability in the libgd2 graphics library which allowed remote attackers to cause a denial of service via a crafted imagefilltoborder call.

For Debian 7 'Wheezy', this issue has been fixed in libgd2 version 2.0.36~rc1~dfsg-6.1+deb7u3.

We recommend that you upgrade your libgd2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP 5.6.x earlier than 5.6.12 are vulnerable to the following issues :

  - A flaw exists in the file 'gd.c' due to the improper handling of images with large negative coordinates by the imagefilltoborder() function. An attacker can exploit this to cause a stack overflow, thus crashing an application using PHP.
 - A flaw exists in the file 'php_odbc.c' when the odbc_fetch_array() function handles columns that are defined as NVARCHAR(MAX). An attacker can exploit this to crash an application using PHP.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.12. It is, therefore, affected by multiple vulnerabilities :

  - A use-after-free error exists in file spl_dllist.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplDoublyLinkedList object, to     deference freed memory and thus execute arbitrary code.

  - A use-after-free error exists in file spl_observer.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplObjectStorage object, to deference     freed memory and thus execute arbitrary code.

  - A use-after-free error exists in file spl_array.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplArrayObject object, to deference     freed memory and thus execute arbitrary code.

  - A flaw exists in file zend_exceptions.c due to the     improper use of the function unserialize() during     recursive method calls. A remote attacker can exploit     this to crash an application using PHP.

  - A flaw exists in file zend_exceptions.c due to     insufficient type checking by functions unserialize()     and __toString(). A remote attacker can exploit this to     cause a NULL pointer deference or unexpected method     execution, thus causing an application using PHP to     crash.

  - A path traversal flaw exists in file phar_object.c due     to improper sanitization of user-supplied input. An     attacker can exploit this to write arbitrary files.

  - Multiple type confusion flaws exist in the _call()     method in file php_http.c when handling calls for     zend_hash_get_current_key or 'Z*'. An attacker can     exploit this to disclose memory contents or crash     an application using PHP.

  - A dangling pointer error exists in file spl_array.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplDoublyLinkedList object, to gain     control over a deallocated pointer and thus execute     arbitrary code.

  - A flaw exists in the file gd.c due to the improper     handling of images with large negative coordinates by     the imagefilltoborder() function. An attacker can     exploit this to cause a stack overflow, thus crashing     an application using PHP.

  - A flaw exists in the file php_odbc.c when the     odbc_fetch_array() function handles columns that are     defined as NVARCHAR(MAX). An attacker can exploit this     to crash an application using PHP.

  - The openssl_random_pseudo_bytes() function in file     openssl.c does not generate sufficiently random numbers.
    This allows an attacker to more easily predict the     results, thus allowing further attacks to be carried     out.

  - A user-after-free error exists in the unserialize()     function in spl_observer.c due to improper validation     of user-supplied input. A remote attacker can exploit     this to dereference already freed memory, potentially     resulting in the execution of arbitrary code.

  - A type confusion flaw exists in the     serialize_function_call() function in soap.c due to     improper validation of input passed via the header     field. A remote attacker can exploit this to execute     arbitrary code.

  - A use-after-free error exists in the unserialize()     function in spl_dllist.c that is triggered during the     deserialization of user-supplied input. A remote     attacker can exploit this to dereference already freed     memory, potentially resulting in the execution of     arbitrary code.

  - A user-after-free error exists in the gmp_unserialize()     function in gmp.c due to improper validation of     user-supplied input. A remote attacker can exploit this     to dereference already freed memory, potentially     resulting in the execution of arbitrary code.

  - An integer truncation flaw exists in the     zend_hash_compare() function in zend_hash.c that is     triggered when comparing arrays. A remote attacker can     exploit this to cause arrays to be improperly matched     during comparison.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
137966	EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2020-1747)	Nessus	Huawei Local Security Checks	critical
132184	EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)	Nessus	Huawei Local Security Checks	critical
131592	EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)	Nessus	Huawei Local Security Checks	critical
129178	EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1984)	Nessus	Huawei Local Security Checks	high
128894	EulerOS 2.0 SP2 : gd (EulerOS-SA-2019-1842)	Nessus	Huawei Local Security Checks	medium
122536	PHP 7.0.x < 7.0.0 Multiple Vulnerabilities	Nessus	CGI abuses	medium
98804	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
119978	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:1504-1)	Nessus	SuSE Local Security Checks	high
93161	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)	Nessus	SuSE Local Security Checks	critical
92663	Amazon Linux AMI : php55 / php56 (ALAS-2016-728) (httpoxy)	Nessus	Amazon Linux Local Security Checks	high
92392	Fedora 23 : gd (2016-d126bb1b74)	Nessus	Fedora Local Security Checks	medium
92275	Fedora 24 : gd (2016-a4d48d6fd6)	Nessus	Fedora Local Security Checks	medium
91897	PHP 5.5.x < 5.5.37 Multiple Vulnerabilities	Nessus	CGI abuses	high
91839	FreeBSD : php -- multiple vulnerabilities (66d77c58-3b1d-11e6-8e82-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
91665	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)	Nessus	SuSE Local Security Checks	critical
91585	openSUSE Security Update : php5 (openSUSE-2016-703)	Nessus	SuSE Local Security Checks	high
91531	openSUSE Security Update : php5 (openSUSE-2016-696)	Nessus	SuSE Local Security Checks	high
91423	Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : libgd2 vulnerabilities (USN-2987-1)	Nessus	Ubuntu Local Security Checks	high
91364	Debian DSA-3587-1 : libgd2 - security update	Nessus	Debian Local Security Checks	medium
91264	Debian DLA-482-1 : libgd2 security update	Nessus	Debian Local Security Checks	medium
8960	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
85300	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2015-8874

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins