RHSA-2016:2750

http://www.php.net/ChangeLog-5.php

https://bugs.php.net/bug.php?id=69975

According to its banner, the version of PHP running on the remote web server is 7.x prior to 7.0.0. It is, therefore, affected by the following vulnerabilities:

  - A directory traversal vulnerability in the     ZipArchive::extractTo function of ext/zip/php_zip.c     script. An unauthenticated, remote attacker can exploit     this, by sending a crafted ZIP archive with empty     directories, to disclose the contents of files located     outside of the server's restricted path. (CVE-2014-9767)

  - The openssl_random_pseudo_bytes() function in file     openssl.c does not generate sufficiently random numbers.
    This allows an attacker to more easily predict the     results, thus allowing further attacks to be carried     out. (CVE-2015-8867)

  - A denial of service (DoS) vulnerability exists in the GD     graphics library in the gdImageFillToBorder() function     within file gd.c when handling crafted images that have     an overly large negative coordinate. An unauthenticated,     remote attacker can exploit this, via a crafted image,     to crash processes linked against the library.
    (CVE-2015-8874)

  - A denial of service (DoS) vulnerability exists in     odbc_bindcols function of the ext/odbc/php_odbc.c script     due to mishandling driver behavior for SQL_WVARCHAR     columns. An unauthenticated, remote attacker can exploit     this issue, via the use of odbc_fetch_array function, to     cause the application to stop responding. (CVE-2015-8879)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.12. It is, therefore, affected by multiple vulnerabilities :

 - A use-after-free error exists in file spl_dllist.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplDoublyLinkedList object, to deference freed memory and thus execute arbitrary code.

 - A use-after-free error exists in file spl_observer.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplObjectStorage object, to deference freed memory and thus execute arbitrary code.

 - A use-after-free error exists in file spl_array.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplArrayObject object, to deference freed memory and thus execute arbitrary code.

 - A flaw exists in file zend_exceptions.c due to the improper use of the function unserialize() during recursive method calls. A remote attacker can exploit this to crash an application using PHP.

 - A flaw exists in file zend_exceptions.c due to insufficient type checking by functions unserialize() and __toString(). A remote attacker can exploit this to cause a NULL pointer deference or unexpected method execution, thus causing an application using PHP to crash.

 - A path traversal flaw exists in file phar_object.c due to improper sanitization of user-supplied input. An attacker can exploit this to write arbitrary files.

 - Multiple type confusion flaws exist in the _call() method in file php_http.c when handling calls for zend_hash_get_current_key or 'Z*'. An attacker can exploit this to disclose memory contents or crash an application using PHP.

 - A dangling pointer error exists in file spl_array.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplDoublyLinkedList object, to gain control over a deallocated pointer and thus execute arbitrary code.

 - A flaw exists in the file gd.c due to the improper handling of images with large negative coordinates by the imagefilltoborder() function. An attacker can exploit this to cause a stack overflow, thus crashing an application using PHP.

 - A flaw exists in the file php_odbc.c when the odbc_fetch_array() function handles columns that are defined as NVARCHAR(MAX). An attacker can exploit this to crash an application using PHP.

 - The openssl_random_pseudo_bytes() function in file openssl.c does not generate sufficiently random numbers. This allows an attacker to more easily predict the results, thus allowing further attacks to be carried out.

 - A user-after-free error exists in the unserialize() function in spl_observer.c due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - A type confusion flaw exists in the serialize_function_call() function in soap.c due to improper validation of input passed via the header field. A remote attacker can exploit this to execute arbitrary code.

 - A use-after-free error exists in the unserialize() function in spl_dllist.c that is triggered during the deserialization of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - A user-after-free error exists in the gmp_unserialize() function in gmp.c due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - An integer truncation flaw exists in the zend_hash_compare() function in zend_hash.c that is triggered when comparing arrays. A remote attacker can exploit this to cause arrays to be improperly matched during comparison.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for php5 fixes the following issues :

  - CVE-2013-7456: imagescale out-of-bounds read     (bnc#982009).

  - CVE-2016-5093: get_icu_value_internal out-of-bounds read     (bnc#982010).

  - CVE-2016-5094: Don't create strings with lengths outside     of valid range (bnc#982011).

  - CVE-2016-5095: Don't create strings with lengths outside     of valid range (bnc#982012).

  - CVE-2016-5096: int/size_t confusion in fread     (bsc#982013).

  - CVE-2015-8877: The gdImageScaleTwoPass function in     gd_interpolation.c in the GD Graphics Library (aka     libgd) as used in PHP used inconsistent allocate and     free approaches, which allowed remote attackers to cause     a denial of service (memory consumption) via a crafted     call, as demonstrated by a call to the PHP imagescale     function (bsc#981061).

  - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not     validate certain Exception objects, which allowed remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or trigger unintended     method execution via crafted serialized data     (bsc#981049).

  - CVE-2015-8879: The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP mishandles driver behavior     for SQL_WVARCHAR columns, which allowed remote attackers     to cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table (bsc#981050).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

PHP reports :

- Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)

- Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).

- Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).

- Fixed bug #72519 (imagegif/output out-of-bounds access).

- Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).

- Fixed bug #72533 (locale_accept_from_http out-of-bounds access).

- Fixed bug #72541 (size_t overflow lead to heap corruption).

- Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).

- Fixed bug #72558 (Integer overflow error within
_gdContributionsAlloc()).

- Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).

- Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).

- Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).

- Fixed bug #72613 (Inadequate error handling in bzread()).

- Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment).

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities :

  - A Segfault condition occurs when accessing     nvarchar(max) defined columns. (CVE-2015-8879)

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - A buffer overflow condition exists in the     php_url_parse_ex() function. (CVE-2016-6288)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

  - An overflow condition exists in the php_url_prase_ex()     function due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     buffer overflow, resulting in a denial of service     condition.

This update for php5 fixes the following issues :

  - CVE-2013-7456: imagescale out-of-bounds read     (bnc#982009).

  - CVE-2016-5093: get_icu_value_internal out-of-bounds read     (bnc#982010).

  - CVE-2016-5094: Don't create strings with lengths outside     of valid range (bnc#982011).

  - CVE-2016-5095: Don't create strings with lengths outside     of valid range (bnc#982012).

  - CVE-2016-5096: int/size_t confusion in fread     (bsc#982013).

  - CVE-2015-8877: The gdImageScaleTwoPass function in     gd_interpolation.c in the GD Graphics Library (aka     libgd) as used in PHP used inconsistent allocate and     free approaches, which allowed remote attackers to cause     a denial of service (memory consumption) via a crafted     call, as demonstrated by a call to the PHP imagescale     function (bsc#981061).

  - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not     validate certain Exception objects, which allowed remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or trigger unintended     method execution via crafted serialized data     (bsc#981049).

  - CVE-2015-8879: The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP mishandles driver behavior     for SQL_WVARCHAR columns, which allowed remote attackers     to cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table (bsc#981050).

This update was imported from the SUSE:SLE-12:Update update project.

This update for php53 fixes the following issues :

  - CVE-2016-5093: A get_icu_value_internal out-of-bounds     read could crash the php interpreter (bsc#982010)

  - CVE-2016-5094,CVE-2016-5095: Don't allow creating     strings with lengths outside int range, avoids overflows     (bsc#982011,bsc#982012)

  - CVE-2016-5096: A int/size_t confusion in fread could     corrupt memory (bsc#982013)

  - CVE-2016-5114: A fpm_log.c memory leak and buffer     overflow could leak information out of the php process     or overwrite a buffer by 1 byte (bsc#982162)

  - CVE-2016-4346: A heap overflow was fixed in     ext/standard/string.c (bsc#977994)

  - CVE-2016-4342: A heap corruption was fixed in     tar/zip/phar parser (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepted negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

  - CVE-2015-8879: odbc_bindcols function in     ext/odbc/php_odbc.c mishandles driver behavior for     SQL_WVARCHAR (bsc#981050)

Also fixed previously on SUSE Linux Enterprise 11 SP4, but not yet shipped to SUSE Linux Enterprise Server 11 SP3 LTSS :

  - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM     (bnc#973792).

  - CVE-2015-8835: SoapClient s_call method suffered from a     type confusion issue that could have lead to crashes     [bsc#973351]

  - CVE-2016-2554: A NULL pointer dereference in     phar_get_fp_offset could lead to crashes. [bsc#968284]

  - CVE-2015-7803: A Stack overflow vulnerability when     decompressing tar phar archives could potentially lead     to code execution. [bsc#949961]

  - CVE-2016-3141: A use-after-free / double-free in the     WDDX deserialization could lead to crashes or potential     code execution. [bsc#969821]

  - CVE-2016-3142: An Out-of-bounds read in     phar_parse_zipfile() could lead to crashes. [bsc#971912]

  - CVE-2014-9767: A directory traversal when extracting zip     files was fixed that could lead to overwritten files.
    [bsc#971612]

  - CVE-2016-3185: A type confusion vulnerability in     make_http_soap_request() could lead to crashes or     potentially code execution. [bsc#971611]

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

  - CVE-2013-7456: imagescale out-of-bounds read     (bnc#982009).

  - CVE-2016-5093: get_icu_value_internal out-of-bounds read     (bnc#982010).

  - CVE-2016-5094: Don't create strings with lengths outside     int range (bnc#982011).

  - CVE-2016-5095: Don't create strings with lengths outside     int range (bnc#982012).

  - CVE-2016-5096: int/size_t confusion in fread     (bsc#982013).

  - CVE-2016-5114: fpm_log.c memory leak and buffer overflow     (bnc#982162).

  - CVE-2015-8877: The gdImageScaleTwoPass function in     gd_interpolation.c in the GD Graphics Library (aka     libgd), as used in PHP, used inconsistent allocate and     free approaches, which allowed remote attackers to cause     a denial of service (memory consumption) via a crafted     call, as demonstrated by a call to the PHP imagescale     function (bsc#981061).

  - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not     validate certain Exception objects, which allowed remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or trigger unintended     method execution via crafted serialized data     (bsc#981049).

  - CVE-2015-8879: The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP mishandled driver behavior     for SQL_WVARCHAR columns, which allowed remote attackers     to cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table Aliased: (bsc#981050).

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function in ext/spl/spl_heap.c in     PHP allowed remote attackers to execute arbitrary code     by triggering a failed SplMinHeap::compare operation     (bsc#980366).

  - CVE-2015-8874: Stack consumption vulnerability in GD in     PHP allowed remote attackers to cause a denial of     service via a crafted imagefilltoborder call     (bsc#980375).

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c in PHP allowed remote attackers     to cause a denial of service (segmentation fault) via     recursive method calls (bsc#980373).

  - CVE-2016-3074: Integer signedness error in GD Graphics     Library (aka libgd or libgd2) allowed remote attackers     to cause a denial of service (crash) or potentially     execute arbitrary code via crafted compressed gd2 data,     which triggers a heap-based buffer overflow     (bsc#976775).

- CVE-2015-8865 The file_check_mem function in funcs.c in     file before 5.23, as used in the Fileinfo component in     PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before     7.0.5, mishandles continuation-level jumps, which allows     context-dependent attackers to cause a denial of service     (buffer overflow and application crash) or possibly     execute arbitrary code via a crafted magic file.

  - CVE-2015-8866 libxml_disable_entity_loader setting is     shared between threads ext/libxml/libxml.c in PHP before     5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used,     does not isolate each thread from     libxml_disable_entity_loader changes in other threads,     which allows remote attackers to conduct XML External     Entity (XXE) and XML Entity Expansion (XEE) attacks via     a crafted XML document, a related issue to     CVE-2015-5161.

  - CVE-2015-8878 main/php_open_temporary_file.c in PHP     before 5.5.28 and 5.6.x before 5.6.12 does not ensure     thread safety, which allows remote attackers to cause a     denial of service (race condition and heap memory     corruption) by leveraging an application that performs     many temporary-file accesses.

  - CVE-2015-8879 The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles     driver behavior for SQL_WVARCHAR columns, which allows     remote attackers to cause a denial of service     (application crash) in opportunistic circumstances by     leveraging use of the odbc_fetch_array function to     access a certain type of Microsoft SQL Server table.

  - CVE-2016-4070 Integer overflow in the php_raw_url_encode     function in ext/standard/url.c in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to cause a denial of service (application     crash) via a long string to the rawurlencode function.

  - CVE-2016-4071 Format string vulnerability in the     php_snmp_error function in ext/snmp/snmp.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows     remote attackers to execute arbitrary code via format     string specifiers in an SNMP::get call.

  - CVE-2016-4072 The Phar extension in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via a crafted     filename, as demonstrated by mishandling of \0     characters by the phar_analyze_path function in     ext/phar/phar.c.

  - CVE-2016-4073 Multiple integer overflows in the     mbfl_strcut function in     ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.

  - CVE-2016-4343 The phar_make_dirstream function in     ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before     7.0.3 mishandles zero-size ././@LongLink files, which     allows remote attackers to cause a denial of service     (uninitialized pointer dereference) or possibly have     unspecified other impact via a crafted TAR archive.

  - CVE-2016-4537 The bcpowmod function in     ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 accepts a negative integer     for the scale argument, which allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via a crafted call.

  - CVE-2016-4539 The xml_parse_into_struct function in     ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21,     and 7.x before 7.0.6 allows remote attackers to cause a     denial of service (buffer under-read and segmentation     fault) or possibly have unspecified other impact via     crafted XML data in the second argument, leading to a     parser level of zero.

  - CVE-2016-4540

  - CVE-2016-4541 The grapheme_strpos function in     ext/intl/grapheme/grapheme_string.c in before 5.5.35,     5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote     attackers to cause a denial of service (out-of-bounds     read) or possibly have unspecified other impact via a     negative offset.

  - CVE-2016-4542

  - CVE-2016-4543

  - CVE-2016-4544 The exif_process_* function in     ext/exif/exif.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 does not validate IFD     sizes, which allows remote attackers to cause a denial     of service (out-of-bounds read) or possibly have     unspecified other impact via crafted header data.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.12. It is, therefore, affected by multiple vulnerabilities :

  - A use-after-free error exists in file spl_dllist.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplDoublyLinkedList object, to     deference freed memory and thus execute arbitrary code.

  - A use-after-free error exists in file spl_observer.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplObjectStorage object, to deference     freed memory and thus execute arbitrary code.

  - A use-after-free error exists in file spl_array.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplArrayObject object, to deference     freed memory and thus execute arbitrary code.

  - A flaw exists in file zend_exceptions.c due to the     improper use of the function unserialize() during     recursive method calls. A remote attacker can exploit     this to crash an application using PHP.

  - A flaw exists in file zend_exceptions.c due to     insufficient type checking by functions unserialize()     and __toString(). A remote attacker can exploit this to     cause a NULL pointer deference or unexpected method     execution, thus causing an application using PHP to     crash.

  - A path traversal flaw exists in file phar_object.c due     to improper sanitization of user-supplied input. An     attacker can exploit this to write arbitrary files.

  - Multiple type confusion flaws exist in the _call()     method in file php_http.c when handling calls for     zend_hash_get_current_key or 'Z*'. An attacker can     exploit this to disclose memory contents or crash     an application using PHP.

  - A dangling pointer error exists in file spl_array.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplDoublyLinkedList object, to gain     control over a deallocated pointer and thus execute     arbitrary code.

  - A flaw exists in the file gd.c due to the improper     handling of images with large negative coordinates by     the imagefilltoborder() function. An attacker can     exploit this to cause a stack overflow, thus crashing     an application using PHP.

  - A flaw exists in the file php_odbc.c when the     odbc_fetch_array() function handles columns that are     defined as NVARCHAR(MAX). An attacker can exploit this     to crash an application using PHP.

  - The openssl_random_pseudo_bytes() function in file     openssl.c does not generate sufficiently random numbers.
    This allows an attacker to more easily predict the     results, thus allowing further attacks to be carried     out.

  - A user-after-free error exists in the unserialize()     function in spl_observer.c due to improper validation     of user-supplied input. A remote attacker can exploit     this to dereference already freed memory, potentially     resulting in the execution of arbitrary code.

  - A type confusion flaw exists in the     serialize_function_call() function in soap.c due to     improper validation of input passed via the header     field. A remote attacker can exploit this to execute     arbitrary code.

  - A use-after-free error exists in the unserialize()     function in spl_dllist.c that is triggered during the     deserialization of user-supplied input. A remote     attacker can exploit this to dereference already freed     memory, potentially resulting in the execution of     arbitrary code.

  - A user-after-free error exists in the gmp_unserialize()     function in gmp.c due to improper validation of     user-supplied input. A remote attacker can exploit this     to dereference already freed memory, potentially     resulting in the execution of arbitrary code.

  - An integer truncation flaw exists in the     zend_hash_compare() function in zend_hash.c that is     triggered when comparing arrays. A remote attacker can     exploit this to cause arrays to be improperly matched     during comparison.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
122536	PHP 7.0.x < 7.0.0 Multiple Vulnerabilities	Nessus	CGI abuses	medium
98804	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
93161	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)	Nessus	SuSE Local Security Checks	critical
93160	SUSE SLED12 / SLES12 Security Update : php5 (SUSE-SU-2016:1633-1)	Nessus	SuSE Local Security Checks	high
92574	FreeBSD : php -- multiple vulnerabilities (b6402385-533b-11e6-a7bd-14dae9d210b8) (httpoxy)	Nessus	FreeBSD Local Security Checks	high
92554	PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high
91869	openSUSE Security Update : php5 (openSUSE-2016-776)	Nessus	SuSE Local Security Checks	high
91665	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)	Nessus	SuSE Local Security Checks	critical
91585	openSUSE Security Update : php5 (openSUSE-2016-703)	Nessus	SuSE Local Security Checks	high
91397	Debian DLA-499-1 : php5 security update	Nessus	Debian Local Security Checks	high
85300	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2015-8879

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins