http://www.php.net/ChangeLog-5.php

https://bugs.php.net/bug.php?id=70002

Versions of PHP 5.5.x prior to 5.5.37, or 5.6.x prior to 5.6.23, or 7.0.x prior to 7.0.8 are vulnerable to the following issues :

 - PHP 'ext/mysqlnd/mysqlnd.c' contains a flaw that is due to the program failing to properly enforce the requirement of an SSL/TLS connection when the '--ssl client' option is used. This may allow a MitM (Man-in-the-Middle) attacker to downgrade the connection to plain HTTP when expected to be HTTPS. (CVE-2015-8838)
 - An integer overflow condition exists in the 'getFromIndex()'' and 'getFromName()' methods of 'ZipArchive'. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted ZIP file. This may allow an attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-3078)
 - An XXE (Xml eXternal Entity) injection and expansion flaw affects the 'libxml_disable_entity_loader()' function in the source file 'ext/libxml/libxml.c' in PHP-FPM that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to sensitive information or cause a denial of service. (CVE-2015-8866)
 - An integer overflow condition exists in the 'php_filter_encode_url()' function in 'ext/filter/sanitizing_filters.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4345)
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4346)
 - The program contains an out-of-bounds read flaw in 'ext/intl/grapheme/grapheme_string.c' that is triggered when handling negative offsets in 'zif_grapheme_stripos'. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4540, CVE-2016-4541)
 - An out-of-bounds read flaw exists in the 'php_str2num()' function in 'ext/bcmath/bcmath.c' that is triggered when accepting negative scales. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4537, CVE-2016-4538)
 - An out-of-bounds read flaw exists in the 'exif_read_data()' function in 'ext/exif/exif.c' that is triggered when handling exif headers. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
 - A flaw in the 'xml_parse_into_struct()' function in 'ext/xml/xml.c' is triggered during the handling of a specially crafted XML content. This may allow a remote attacker to cause a denial of service. (CVE-2016-4539)
 - A double-free flaw exists in the 'php_formatted_print()' function in 'ext/standard/formatted_print.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-8880)
 - A flaw exists in 'main/php_open_temporary_file.c' that is triggered as thread safety is not ensured during the handling of temporary directories. This may allow a remote attacker to cause a denial of service. (CVE-2015-8878)
 - An integer overflow flaw exists in the 'php_html_entities()' and 'php_filter_full_special_chars()' functions in 'ext/standard/html.c' that is triggered as input is not properly validated. This may allow a remote attacker to have an unspecified impact. No further details have been provided. (CVE-2016-5094, CVE-2016-5095)
 - An integer underflow issue exists in 'ext/standard/file.c' that is triggered as input is not properly validated. This may allow a remote attacker to cause a NULL write and cause a process linked against PHP to crash. (CVE-2016-5096)
 - An out-of-bounds read flaw exists in the '_gdContributionsCalc()' function in 'ext/gd/libgd/gd_interpolation.c'. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2013-7456)
 - An out-of-bounds read flaw exists in the 'get_icu_value_internal()' function within 'ext/intl/locale/locale_methods.c' that is triggered when handling user-supplied input. This may allow a remote attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-5093)
 - A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'header()' function does not filter input passed via HTTP headers before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2015-8935)
 - A use-after-free error exists in the garbage collection algorithm in 'ext/zip/php_zip.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5773)
 - An integer overflow condition exists in the 'json_decode()' and 'json_utf8_to_utf16()' functions in 'ext/standard/php_smart_str.h'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, causing a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code.
 - An out-of-bounds read flaw exists within the 'pass2_no_dither()' function inside 'ext/gd/libgd/gd_topal.c' that may allow a remote attacker to crash a process utilizing PHP or potentially disclose memory contents.
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string lengths. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw exists within the '_php_mb_regex_ereg_replace_exec()' function inside 'ext/mbstring/php_mbregex.c' that is triggered when handling a failed callback execution. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5768)
 - An integer overflow condition exists in 'ext/spl/spl_directory.c'. The issue is triggered by an 'int/size_t' confusion issue. This may allow a remote attacker to have an unspecified impact. (CVE-2016-5770)
 - An integer overflow condition exists in 'ext/mcrypt/mcrypt.c'. The issue is triggered as user-supplied input is not properly validated when handling data values. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5769)
 - An integer overflow condition exists within the 'nl2br()' function inside 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling new_length values. This may allow a remote attacker to have an unspecified impact.
 - An integer overflow condition exists within multiple functions in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string values. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw within the 'php_wddx_process_data()' function inside 'ext/wddx/wddx.c' that is triggered during the handling of specially crafted XML content. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5772)
 - An integer overflow condition exists witin the 'gdImagePaletteToTrueColor()' function inside 'ext/gd/libgd/gd.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5767)
 - An invalid free flaw exists within the 'phar_extract_file()' function inside 'ext/phar/phar_object.c'. This may allow a remote attacker to have an unspecified impact. (CVE-2016-4473)
 - An integer overflow condition exists within the '_gd2GetHeader()' function inside 'ext/gd/libgd/gd_gd2.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5766)
 - A use-after-free error exists within the garbage collection algorithm inside 'ext/spl/spl_array.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5771)

- CVE-2015-8865 The file_check_mem function in funcs.c in     file before 5.23, as used in the Fileinfo component in     PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before     7.0.5, mishandles continuation-level jumps, which allows     context-dependent attackers to cause a denial of service     (buffer overflow and application crash) or possibly     execute arbitrary code via a crafted magic file.

  - CVE-2015-8866 libxml_disable_entity_loader setting is     shared between threads ext/libxml/libxml.c in PHP before     5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used,     does not isolate each thread from     libxml_disable_entity_loader changes in other threads,     which allows remote attackers to conduct XML External     Entity (XXE) and XML Entity Expansion (XEE) attacks via     a crafted XML document, a related issue to     CVE-2015-5161.

  - CVE-2015-8878 main/php_open_temporary_file.c in PHP     before 5.5.28 and 5.6.x before 5.6.12 does not ensure     thread safety, which allows remote attackers to cause a     denial of service (race condition and heap memory     corruption) by leveraging an application that performs     many temporary-file accesses.

  - CVE-2015-8879 The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles     driver behavior for SQL_WVARCHAR columns, which allows     remote attackers to cause a denial of service     (application crash) in opportunistic circumstances by     leveraging use of the odbc_fetch_array function to     access a certain type of Microsoft SQL Server table.

  - CVE-2016-4070 Integer overflow in the php_raw_url_encode     function in ext/standard/url.c in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to cause a denial of service (application     crash) via a long string to the rawurlencode function.

  - CVE-2016-4071 Format string vulnerability in the     php_snmp_error function in ext/snmp/snmp.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows     remote attackers to execute arbitrary code via format     string specifiers in an SNMP::get call.

  - CVE-2016-4072 The Phar extension in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via a crafted     filename, as demonstrated by mishandling of \0     characters by the phar_analyze_path function in     ext/phar/phar.c.

  - CVE-2016-4073 Multiple integer overflows in the     mbfl_strcut function in     ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.

  - CVE-2016-4343 The phar_make_dirstream function in     ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before     7.0.3 mishandles zero-size ././@LongLink files, which     allows remote attackers to cause a denial of service     (uninitialized pointer dereference) or possibly have     unspecified other impact via a crafted TAR archive.

  - CVE-2016-4537 The bcpowmod function in     ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 accepts a negative integer     for the scale argument, which allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via a crafted call.

  - CVE-2016-4539 The xml_parse_into_struct function in     ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21,     and 7.x before 7.0.6 allows remote attackers to cause a     denial of service (buffer under-read and segmentation     fault) or possibly have unspecified other impact via     crafted XML data in the second argument, leading to a     parser level of zero.

  - CVE-2016-4540

  - CVE-2016-4541 The grapheme_strpos function in     ext/intl/grapheme/grapheme_string.c in before 5.5.35,     5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote     attackers to cause a denial of service (out-of-bounds     read) or possibly have unspecified other impact via a     negative offset.

  - CVE-2016-4542

  - CVE-2016-4543

  - CVE-2016-4544 The exif_process_* function in     ext/exif/exif.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 does not validate IFD     sizes, which allows remote attackers to cause a denial     of service (out-of-bounds read) or possibly have     unspecified other impact via crafted header data.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
9393	PHP 5.5.x < 5.5.37 / 5.6.x < 5.6.23 / 7.0.x < 7.0.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
91397	Debian DLA-499-1 : php5 security update	Nessus	Debian Local Security Checks	high

CVE-2015-8878

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins