RHSA-2016:2750

http://www.php.net/ChangeLog-5.php

https://bugs.php.net/bug.php?id=69975

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ext/standard/var_unserializer.c in PHP before 5.6.25     and 7.x before 7.0.10 mishandles certain invalid     objects, which allows remote attackers to cause a     denial of service or possibly have unspecified other     impact via crafted serialized data that leads to a (1)
    __destruct call or (2) magic method     call.(CVE-2016-7124)

  - Stack-based buffer overflow in ext/phar/tar.c in PHP     before 5.5.32, 5.6.x before 5.6.18, and 7.x before     7.0.3 allows remote attackers to cause a denial of     service (application crash) or possibly have     unspecified other impact via a crafted TAR     archive.(CVE-2016-2554)

  - A flaw was discovered in the way PHP performed object     unserialization. Specially crafted input processed by     the unserialize() function could cause a PHP     application to crash or, possibly, execute arbitrary     code.(CVE-2015-6831)

  - The sapi_header_op function in main/SAPI.c in PHP     before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before     5.6.6 supports deprecated line folding without     considering browser compatibility, which allows remote     attackers to conduct cross-site scripting (XSS) attacks     against Internet Explorer by leveraging (1) %0A%20 or     (2) %0D%0A%20 mishandling in the header     function.(CVE-2015-8935)

  - The openssl_random_pseudo_bytes function in     ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x     before 5.5.28, and 5.6.x before 5.6.12 incorrectly     relies on the deprecated RAND_pseudo_bytes function,     which makes it easier for remote attackers to defeat     cryptographic protection mechanisms via unspecified     vectors.(CVE-2015-8867)

  - Use-after-free vulnerability in the SPL unserialize     implementation in ext/spl/spl_array.c in PHP before     5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12     allows remote attackers to execute arbitrary code via     crafted serialized data that triggers misuse of an     array field.(CVE-2015-6832)

  - Directory traversal vulnerability in the PharData class     in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x     before 5.6.12 allows remote attackers to write to     arbitrary files via a .. (dot dot) in a ZIP archive     entry that is mishandled during an extractTo     call.(CVE-2015-6833)

  - Directory traversal vulnerability in the     ZipArchive::extractTo function in ext/zip/php_zip.c in     PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x     before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before     3.12.1 allows remote attackers to create arbitrary     empty directories via a crafted ZIP     archive.(CVE-2014-9767)

  - The ZIP signature-verification feature in PHP before     5.6.26 and 7.x before 7.0.11 does not ensure that the     uncompressed_filesize field is large enough, which     allows remote attackers to cause a denial of service     (out-of-bounds memory access) or possibly have     unspecified other impact via a crafted PHAR archive,     related to ext/phar/util.c and     ext/phar/zip.c.(CVE-2016-7414)

  - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before     7.0.13 allows remote attackers to cause a denial of     service (NULL pointer dereference) via crafted     serialized data in a wddxPacket XML document, as     demonstrated by a PDORow string.(CVE-2016-9934)

  - The php_wddx_push_element function in ext/wddx/wddx.c     in PHP before 5.6.29 and 7.x before 7.0.14 allows     remote attackers to cause a denial of service     (out-of-bounds read and memory corruption) or possibly     have unspecified other impact via an empty boolean     element in a wddxPacket XML document.(CVE-2016-9935)

  - In PHP before 5.6.31, an invalid free in the WDDX     deserialization of boolean parameters could be used by     attackers able to inject XML for deserialization to     crash the PHP interpreter, related to an invalid free     for an empty boolean element in     ext/wddx/wddx.c.(CVE-2017-11143)

  - Integer overflow in the php_html_entities function in     ext/standard/html.c in PHP before 5.5.36 and 5.6.x     before 5.6.22 allows remote attackers to cause a denial     of service or possibly have unspecified other impact by     triggering a large output string from the     htmlspecialchars function.(CVE-2016-5094)

  - The get_icu_value_internal function in     ext/intl/locale/locale_methods.c in PHP before 5.5.36,     5.6.x before 5.6.22, and 7.x before 7.0.7 does not     ensure the presence of a '\0' character, which allows     remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a crafted locale_get_primary_language     call.(CVE-2016-5093)

  - The grapheme_strpos function in     ext/intl/grapheme/grapheme_string.c in PHP before     5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6     allows remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a negative offset.(CVE-2016-4541)

  - The exif_process_IFD_TAG function in ext/exif/exif.c in     PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before     7.0.6 does not properly construct spprintf arguments,     which allows remote attackers to cause a denial of     service (out-of-bounds read) or possibly have     unspecified other impact via crafted header     data.(CVE-2016-4542)

  - The phar_parse_zipfile function in zip.c in the PHAR     extension in PHP before 5.5.33 and 5.6.x before 5.6.19     allows remote attackers to obtain sensitive information     from process memory or cause a denial of service     (out-of-bounds read and application crash) by placing a     PK\x05\x06 signature at an invalid     location.(CVE-2016-3142)

  - ** DISPUTED ** Integer overflow in the     php_raw_url_encode function in ext/standard/url.c in     PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before     7.0.5 allows remote attackers to cause a denial of     service (application crash) via a long string to the     rawurlencode function. NOTE: the vendor says 'Not sure     if this qualifies as security issue (probably     not).'(CVE-2016-4070)

  - The xml_parse_into_struct function in ext/xml/xml.c in     PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before     7.0.6 allows remote attackers to cause a denial of     service (buffer under-read and segmentation fault) or     possibly have unspecified other impact via crafted XML     data in the second argument, leading to a parser level     of zero.(CVE-2016-4539)

  - The grapheme_stripos function in     ext/intl/grapheme/grapheme_string.c in PHP before     5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6     allows remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a negative offset.(CVE-2016-4540)

  - Use-after-free vulnerability in wddx.c in the WDDX     extension in PHP before 5.5.33 and 5.6.x before 5.6.19     allows remote attackers to cause a denial of service     (memory corruption and application crash) or possibly     have unspecified other impact by triggering a     wddx_deserialize call on XML data containing a crafted     var element.(CVE-2016-3141)

  - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR     archive handler could be used by attackers supplying     malicious archive files to crash the PHP interpreter or     potentially disclose information due to a buffer     over-read in the phar_parse_pharfile function in     ext/phar/phar.c.(CVE-2017-11147)

  - The exif_process_IFD_in_JPEG function in     ext/exif/exif.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 does not validate IFD     sizes, which allows remote attackers to cause a denial     of service (out-of-bounds read) or possibly have     unspecified other impact via crafted header     data.(CVE-2016-4543)

  - The odbc_bindcols function in ext/odbc/php_odbc.c in     PHP before 5.6.12 mishandles driver behavior for     SQL_WVARCHAR columns, which allows remote attackers to     cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table.(CVE-2015-8879)

  - An issue was discovered in Oniguruma 6.2.0, as used in     Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP     through 7.1.5. A heap out-of-bounds write or read     occurs in next_state_val() during regular expression     compilation. Octal numbers larger than 0xff are not     handled correctly in fetch_token() and     fetch_token_in_cc(). A malformed regular expression     containing an octal number in the form of '\700' would     produce an invalid code point value larger than 0xff in     next_state_val(), resulting in an out-of-bounds write     memory corruption.(CVE-2017-9226)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x     before 7.1.7, the openssl extension PEM sealing code     did not check the return value of the OpenSSL sealing     function, which could lead to a crash of the PHP     interpreter, related to an interpretation conflict for     a negative number in ext/openssl/openssl.c, and an     OpenSSL documentation omission.(CVE-2017-11144)

  - The make_http_soap_request function in     ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before     5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4     allows remote attackers to obtain sensitive information     from process memory or cause a denial of service (type     confusion and application crash) via crafted serialized
    _cookies data, related to the SoapClient::__call method     in ext/soap/soap.c.(CVE-2016-3185)

  - The object_common1 function in     ext/standard/var_unserializer.c in PHP before 5.6.30,     7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows     remote attackers to cause a denial of service (buffer     over-read and application crash) via crafted serialized     data that is mishandled in a finish_nested_data     call.(CVE-2016-10161)

  - The finish_nested_data function in     ext/standard/var_unserializer.re in PHP before 5.6.31,     7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to     a buffer over-read while unserializing untrusted data.
    Exploitation of this issue can have an unspecified     impact on the integrity of PHP.(CVE-2017-12933)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.x prior to 7.0.0. It is, therefore, affected by the following vulnerabilities:

  - A directory traversal vulnerability in the     ZipArchive::extractTo function of ext/zip/php_zip.c     script. An unauthenticated, remote attacker can exploit     this, by sending a crafted ZIP archive with empty     directories, to disclose the contents of files located     outside of the server's restricted path. (CVE-2014-9767)

  - The openssl_random_pseudo_bytes() function in file     openssl.c does not generate sufficiently random numbers.
    This allows an attacker to more easily predict the     results, thus allowing further attacks to be carried     out. (CVE-2015-8867)

  - A denial of service (DoS) vulnerability exists in the GD     graphics library in the gdImageFillToBorder() function     within file gd.c when handling crafted images that have     an overly large negative coordinate. An unauthenticated,     remote attacker can exploit this, via a crafted image,     to crash processes linked against the library.
    (CVE-2015-8874)

  - A denial of service (DoS) vulnerability exists in     odbc_bindcols function of the ext/odbc/php_odbc.c script     due to mishandling driver behavior for SQL_WVARCHAR     columns. An unauthenticated, remote attacker can exploit     this issue, via the use of odbc_fetch_array function, to     cause the application to stop responding. (CVE-2015-8879)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.12. It is, therefore, affected by multiple vulnerabilities :

 - A use-after-free error exists in file spl_dllist.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplDoublyLinkedList object, to deference freed memory and thus execute arbitrary code.

 - A use-after-free error exists in file spl_observer.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplObjectStorage object, to deference freed memory and thus execute arbitrary code.

 - A use-after-free error exists in file spl_array.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplArrayObject object, to deference freed memory and thus execute arbitrary code.

 - A flaw exists in file zend_exceptions.c due to the improper use of the function unserialize() during recursive method calls. A remote attacker can exploit this to crash an application using PHP.

 - A flaw exists in file zend_exceptions.c due to insufficient type checking by functions unserialize() and __toString(). A remote attacker can exploit this to cause a NULL pointer deference or unexpected method execution, thus causing an application using PHP to crash.

 - A path traversal flaw exists in file phar_object.c due to improper sanitization of user-supplied input. An attacker can exploit this to write arbitrary files.

 - Multiple type confusion flaws exist in the _call() method in file php_http.c when handling calls for zend_hash_get_current_key or 'Z*'. An attacker can exploit this to disclose memory contents or crash an application using PHP.

 - A dangling pointer error exists in file spl_array.c due to improper sanitization of input to the unserialize() function. An attacker can exploit this, by using a specially crafted SplDoublyLinkedList object, to gain control over a deallocated pointer and thus execute arbitrary code.

 - A flaw exists in the file gd.c due to the improper handling of images with large negative coordinates by the imagefilltoborder() function. An attacker can exploit this to cause a stack overflow, thus crashing an application using PHP.

 - A flaw exists in the file php_odbc.c when the odbc_fetch_array() function handles columns that are defined as NVARCHAR(MAX). An attacker can exploit this to crash an application using PHP.

 - The openssl_random_pseudo_bytes() function in file openssl.c does not generate sufficiently random numbers. This allows an attacker to more easily predict the results, thus allowing further attacks to be carried out.

 - A user-after-free error exists in the unserialize() function in spl_observer.c due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - A type confusion flaw exists in the serialize_function_call() function in soap.c due to improper validation of input passed via the header field. A remote attacker can exploit this to execute arbitrary code.

 - A use-after-free error exists in the unserialize() function in spl_dllist.c that is triggered during the deserialization of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - A user-after-free error exists in the gmp_unserialize() function in gmp.c due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code.

 - An integer truncation flaw exists in the zend_hash_compare() function in zend_hash.c that is triggered when comparing arrays. A remote attacker can exploit this to cause arrays to be improperly matched during comparison.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for php5 fixes the following issues :

  - CVE-2013-7456: imagescale out-of-bounds read     (bnc#982009).

  - CVE-2016-5093: get_icu_value_internal out-of-bounds read     (bnc#982010).

  - CVE-2016-5094: Don't create strings with lengths outside     of valid range (bnc#982011).

  - CVE-2016-5095: Don't create strings with lengths outside     of valid range (bnc#982012).

  - CVE-2016-5096: int/size_t confusion in fread     (bsc#982013).

  - CVE-2015-8877: The gdImageScaleTwoPass function in     gd_interpolation.c in the GD Graphics Library (aka     libgd) as used in PHP used inconsistent allocate and     free approaches, which allowed remote attackers to cause     a denial of service (memory consumption) via a crafted     call, as demonstrated by a call to the PHP imagescale     function (bsc#981061).

  - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not     validate certain Exception objects, which allowed remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or trigger unintended     method execution via crafted serialized data     (bsc#981049).

  - CVE-2015-8879: The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP mishandles driver behavior     for SQL_WVARCHAR columns, which allowed remote attackers     to cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table (bsc#981050).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

PHP reports :

- Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)

- Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).

- Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).

- Fixed bug #72519 (imagegif/output out-of-bounds access).

- Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).

- Fixed bug #72533 (locale_accept_from_http out-of-bounds access).

- Fixed bug #72541 (size_t overflow lead to heap corruption).

- Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).

- Fixed bug #72558 (Integer overflow error within
_gdContributionsAlloc()).

- Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).

- Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).

- Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).

- Fixed bug #72613 (Inadequate error handling in bzread()).

- Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment).

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities :

  - A Segfault condition occurs when accessing     nvarchar(max) defined columns. (CVE-2015-8879)

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - A buffer overflow condition exists in the     php_url_parse_ex() function. (CVE-2016-6288)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

  - An overflow condition exists in the php_url_prase_ex()     function due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     buffer overflow, resulting in a denial of service     condition.

This update for php5 fixes the following issues :

  - CVE-2013-7456: imagescale out-of-bounds read     (bnc#982009).

  - CVE-2016-5093: get_icu_value_internal out-of-bounds read     (bnc#982010).

  - CVE-2016-5094: Don't create strings with lengths outside     of valid range (bnc#982011).

  - CVE-2016-5095: Don't create strings with lengths outside     of valid range (bnc#982012).

  - CVE-2016-5096: int/size_t confusion in fread     (bsc#982013).

  - CVE-2015-8877: The gdImageScaleTwoPass function in     gd_interpolation.c in the GD Graphics Library (aka     libgd) as used in PHP used inconsistent allocate and     free approaches, which allowed remote attackers to cause     a denial of service (memory consumption) via a crafted     call, as demonstrated by a call to the PHP imagescale     function (bsc#981061).

  - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not     validate certain Exception objects, which allowed remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or trigger unintended     method execution via crafted serialized data     (bsc#981049).

  - CVE-2015-8879: The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP mishandles driver behavior     for SQL_WVARCHAR columns, which allowed remote attackers     to cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table (bsc#981050).

This update was imported from the SUSE:SLE-12:Update update project.

This update for php53 fixes the following issues :

  - CVE-2016-5093: A get_icu_value_internal out-of-bounds     read could crash the php interpreter (bsc#982010)

  - CVE-2016-5094,CVE-2016-5095: Don't allow creating     strings with lengths outside int range, avoids overflows     (bsc#982011,bsc#982012)

  - CVE-2016-5096: A int/size_t confusion in fread could     corrupt memory (bsc#982013)

  - CVE-2016-5114: A fpm_log.c memory leak and buffer     overflow could leak information out of the php process     or overwrite a buffer by 1 byte (bsc#982162)

  - CVE-2016-4346: A heap overflow was fixed in     ext/standard/string.c (bsc#977994)

  - CVE-2016-4342: A heap corruption was fixed in     tar/zip/phar parser (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepted negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

  - CVE-2015-8879: odbc_bindcols function in     ext/odbc/php_odbc.c mishandles driver behavior for     SQL_WVARCHAR (bsc#981050)

Also fixed previously on SUSE Linux Enterprise 11 SP4, but not yet shipped to SUSE Linux Enterprise Server 11 SP3 LTSS :

  - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM     (bnc#973792).

  - CVE-2015-8835: SoapClient s_call method suffered from a     type confusion issue that could have lead to crashes     [bsc#973351]

  - CVE-2016-2554: A NULL pointer dereference in     phar_get_fp_offset could lead to crashes. [bsc#968284]

  - CVE-2015-7803: A Stack overflow vulnerability when     decompressing tar phar archives could potentially lead     to code execution. [bsc#949961]

  - CVE-2016-3141: A use-after-free / double-free in the     WDDX deserialization could lead to crashes or potential     code execution. [bsc#969821]

  - CVE-2016-3142: An Out-of-bounds read in     phar_parse_zipfile() could lead to crashes. [bsc#971912]

  - CVE-2014-9767: A directory traversal when extracting zip     files was fixed that could lead to overwritten files.
    [bsc#971612]

  - CVE-2016-3185: A type confusion vulnerability in     make_http_soap_request() could lead to crashes or     potentially code execution. [bsc#971611]

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

  - CVE-2013-7456: imagescale out-of-bounds read     (bnc#982009).

  - CVE-2016-5093: get_icu_value_internal out-of-bounds read     (bnc#982010).

  - CVE-2016-5094: Don't create strings with lengths outside     int range (bnc#982011).

  - CVE-2016-5095: Don't create strings with lengths outside     int range (bnc#982012).

  - CVE-2016-5096: int/size_t confusion in fread     (bsc#982013).

  - CVE-2016-5114: fpm_log.c memory leak and buffer overflow     (bnc#982162).

  - CVE-2015-8877: The gdImageScaleTwoPass function in     gd_interpolation.c in the GD Graphics Library (aka     libgd), as used in PHP, used inconsistent allocate and     free approaches, which allowed remote attackers to cause     a denial of service (memory consumption) via a crafted     call, as demonstrated by a call to the PHP imagescale     function (bsc#981061).

  - CVE-2015-8876: Zend/zend_exceptions.c in PHP did not     validate certain Exception objects, which allowed remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) or trigger unintended     method execution via crafted serialized data     (bsc#981049).

  - CVE-2015-8879: The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP mishandled driver behavior     for SQL_WVARCHAR columns, which allowed remote attackers     to cause a denial of service (application crash) in     opportunistic circumstances by leveraging use of the     odbc_fetch_array function to access a certain type of     Microsoft SQL Server table Aliased: (bsc#981050).

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function in ext/spl/spl_heap.c in     PHP allowed remote attackers to execute arbitrary code     by triggering a failed SplMinHeap::compare operation     (bsc#980366).

  - CVE-2015-8874: Stack consumption vulnerability in GD in     PHP allowed remote attackers to cause a denial of     service via a crafted imagefilltoborder call     (bsc#980375).

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c in PHP allowed remote attackers     to cause a denial of service (segmentation fault) via     recursive method calls (bsc#980373).

  - CVE-2016-3074: Integer signedness error in GD Graphics     Library (aka libgd or libgd2) allowed remote attackers     to cause a denial of service (crash) or potentially     execute arbitrary code via crafted compressed gd2 data,     which triggers a heap-based buffer overflow     (bsc#976775).

- CVE-2015-8865 The file_check_mem function in funcs.c in     file before 5.23, as used in the Fileinfo component in     PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before     7.0.5, mishandles continuation-level jumps, which allows     context-dependent attackers to cause a denial of service     (buffer overflow and application crash) or possibly     execute arbitrary code via a crafted magic file.

  - CVE-2015-8866 libxml_disable_entity_loader setting is     shared between threads ext/libxml/libxml.c in PHP before     5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used,     does not isolate each thread from     libxml_disable_entity_loader changes in other threads,     which allows remote attackers to conduct XML External     Entity (XXE) and XML Entity Expansion (XEE) attacks via     a crafted XML document, a related issue to     CVE-2015-5161.

  - CVE-2015-8878 main/php_open_temporary_file.c in PHP     before 5.5.28 and 5.6.x before 5.6.12 does not ensure     thread safety, which allows remote attackers to cause a     denial of service (race condition and heap memory     corruption) by leveraging an application that performs     many temporary-file accesses.

  - CVE-2015-8879 The odbc_bindcols function in     ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles     driver behavior for SQL_WVARCHAR columns, which allows     remote attackers to cause a denial of service     (application crash) in opportunistic circumstances by     leveraging use of the odbc_fetch_array function to     access a certain type of Microsoft SQL Server table.

  - CVE-2016-4070 Integer overflow in the php_raw_url_encode     function in ext/standard/url.c in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to cause a denial of service (application     crash) via a long string to the rawurlencode function.

  - CVE-2016-4071 Format string vulnerability in the     php_snmp_error function in ext/snmp/snmp.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows     remote attackers to execute arbitrary code via format     string specifiers in an SNMP::get call.

  - CVE-2016-4072 The Phar extension in PHP before 5.5.34,     5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote     attackers to execute arbitrary code via a crafted     filename, as demonstrated by mishandling of \0     characters by the phar_analyze_path function in     ext/phar/phar.c.

  - CVE-2016-4073 Multiple integer overflows in the     mbfl_strcut function in     ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before     5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow     remote attackers to cause a denial of service     (application crash) or possibly execute arbitrary code     via a crafted mb_strcut call.

  - CVE-2016-4343 The phar_make_dirstream function in     ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before     7.0.3 mishandles zero-size ././@LongLink files, which     allows remote attackers to cause a denial of service     (uninitialized pointer dereference) or possibly have     unspecified other impact via a crafted TAR archive.

  - CVE-2016-4537 The bcpowmod function in     ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 accepts a negative integer     for the scale argument, which allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via a crafted call.

  - CVE-2016-4539 The xml_parse_into_struct function in     ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21,     and 7.x before 7.0.6 allows remote attackers to cause a     denial of service (buffer under-read and segmentation     fault) or possibly have unspecified other impact via     crafted XML data in the second argument, leading to a     parser level of zero.

  - CVE-2016-4540

  - CVE-2016-4541 The grapheme_strpos function in     ext/intl/grapheme/grapheme_string.c in before 5.5.35,     5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote     attackers to cause a denial of service (out-of-bounds     read) or possibly have unspecified other impact via a     negative offset.

  - CVE-2016-4542

  - CVE-2016-4543

  - CVE-2016-4544 The exif_process_* function in     ext/exif/exif.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 does not validate IFD     sizes, which allows remote attackers to cause a denial     of service (out-of-bounds read) or possibly have     unspecified other impact via crafted header data.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP 5.6.x earlier than 5.6.12 are vulnerable to the following issues :

  - A flaw exists in the file 'gd.c' due to the improper handling of images with large negative coordinates by the imagefilltoborder() function. An attacker can exploit this to cause a stack overflow, thus crashing an application using PHP.
 - A flaw exists in the file 'php_odbc.c' when the odbc_fetch_array() function handles columns that are defined as NVARCHAR(MAX). An attacker can exploit this to crash an application using PHP.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.12. It is, therefore, affected by multiple vulnerabilities :

  - A use-after-free error exists in file spl_dllist.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplDoublyLinkedList object, to     deference freed memory and thus execute arbitrary code.

  - A use-after-free error exists in file spl_observer.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplObjectStorage object, to deference     freed memory and thus execute arbitrary code.

  - A use-after-free error exists in file spl_array.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplArrayObject object, to deference     freed memory and thus execute arbitrary code.

  - A flaw exists in file zend_exceptions.c due to the     improper use of the function unserialize() during     recursive method calls. A remote attacker can exploit     this to crash an application using PHP.

  - A flaw exists in file zend_exceptions.c due to     insufficient type checking by functions unserialize()     and __toString(). A remote attacker can exploit this to     cause a NULL pointer deference or unexpected method     execution, thus causing an application using PHP to     crash.

  - A path traversal flaw exists in file phar_object.c due     to improper sanitization of user-supplied input. An     attacker can exploit this to write arbitrary files.

  - Multiple type confusion flaws exist in the _call()     method in file php_http.c when handling calls for     zend_hash_get_current_key or 'Z*'. An attacker can     exploit this to disclose memory contents or crash     an application using PHP.

  - A dangling pointer error exists in file spl_array.c due     to improper sanitization of input to the unserialize()     function. An attacker can exploit this, by using a     specially crafted SplDoublyLinkedList object, to gain     control over a deallocated pointer and thus execute     arbitrary code.

  - A flaw exists in the file gd.c due to the improper     handling of images with large negative coordinates by     the imagefilltoborder() function. An attacker can     exploit this to cause a stack overflow, thus crashing     an application using PHP.

  - A flaw exists in the file php_odbc.c when the     odbc_fetch_array() function handles columns that are     defined as NVARCHAR(MAX). An attacker can exploit this     to crash an application using PHP.

  - The openssl_random_pseudo_bytes() function in file     openssl.c does not generate sufficiently random numbers.
    This allows an attacker to more easily predict the     results, thus allowing further attacks to be carried     out.

  - A user-after-free error exists in the unserialize()     function in spl_observer.c due to improper validation     of user-supplied input. A remote attacker can exploit     this to dereference already freed memory, potentially     resulting in the execution of arbitrary code.

  - A type confusion flaw exists in the     serialize_function_call() function in soap.c due to     improper validation of input passed via the header     field. A remote attacker can exploit this to execute     arbitrary code.

  - A use-after-free error exists in the unserialize()     function in spl_dllist.c that is triggered during the     deserialization of user-supplied input. A remote     attacker can exploit this to dereference already freed     memory, potentially resulting in the execution of     arbitrary code.

  - A user-after-free error exists in the gmp_unserialize()     function in gmp.c due to improper validation of     user-supplied input. A remote attacker can exploit this     to dereference already freed memory, potentially     resulting in the execution of arbitrary code.

  - An integer truncation flaw exists in the     zend_hash_compare() function in zend_hash.c that is     triggered when comparing arrays. A remote attacker can     exploit this to cause arrays to be improperly matched     during comparison.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
131592	EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)	Nessus	Huawei Local Security Checks	critical
130683	EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2221)	Nessus	Huawei Local Security Checks	critical
122536	PHP 7.0.x < 7.0.0 Multiple Vulnerabilities	Nessus	CGI abuses	medium
98804	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
93161	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)	Nessus	SuSE Local Security Checks	critical
93160	SUSE SLED12 / SLES12 Security Update : php5 (SUSE-SU-2016:1633-1)	Nessus	SuSE Local Security Checks	high
92574	FreeBSD : php -- multiple vulnerabilities (b6402385-533b-11e6-a7bd-14dae9d210b8) (httpoxy)	Nessus	FreeBSD Local Security Checks	high
92554	PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high
91869	openSUSE Security Update : php5 (openSUSE-2016-776)	Nessus	SuSE Local Security Checks	high
91665	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)	Nessus	SuSE Local Security Checks	critical
91585	openSUSE Security Update : php5 (openSUSE-2016-703)	Nessus	SuSE Local Security Checks	high
91397	Debian DLA-499-1 : php5 security update	Nessus	Debian Local Security Checks	high
8960	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
85300	PHP 5.6.x < 5.6.12 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2015-8879

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins