https://bugs.php.net/bug.php?id=71323

https://git.php.net/?p=php-src.git;a=commit;h=6297a117d77fa3a0df2e21ca926a92c231819cd5

USN-3566-2

USN-3600-1

USN-3566-1 fixed several vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information. (CVE-2018-20783)

It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to access sensitive information or possibly cause a crash, resulting in a denial of service.
(CVE-2019-11036)

It was discovered that PHP incorrectly handled memory when unserializing certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 ESM.
(CVE-2017-12933)

It was discovered that PHP incorrectly handled locale length. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 ESM. (CVE-2017-11362)

It was discovered that PHP incorrectly handled certain stream metadata. A remote attacker could possibly use this issue to set arbitrary metadata. This issue only affected Ubuntu 12.04 ESM.
(CVE-2016-10712).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

  - CVE-2016-10712: In PHP all of the return values of     stream_get_meta_data could be controlled if the input     can be controlled (e.g., during file uploads).
    (bsc#1080234)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x     through 7.1.14, and 7.2.x through 7.2.2, there is a     stack-based buffer under-read while parsing an HTTP     response in the php_stream_url_wrap_http_ex function in     ext/standard/http_fopen_wrapper.c. This subsequently     results in copying a large string.(CVE-2018-7584)

  - In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x     before 7.0.3, all of the return values of     stream_get_meta_data can be controlled if the input can     be controlled (e.g., during file uploads). For example,     a '$uri = stream_get_meta_data(fopen($file,     'r'))['uri']' call mishandles the case where $file is     data:text/plainuri=eviluri, -- in other words, metadata     can be set by an attacker.(CVE-2016-10712)

  - The GIF decoding function gdImageCreateFromGifCtx in     gd_gif_in.c in the GD Graphics Library (aka libgd), as     used in PHP before 5.6.31 and 7.x before 7.1.7, does     not zero colorMap arrays before use. A specially     crafted GIF image could use the uninitialized tables to     read ~700 bytes from the top of the stack, potentially     disclosing sensitive information.(CVE-2017-7890)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php53 fixes several issues. These security issues were fixed :

  - CVE-2016-10712: In PHP all of the return values of     stream_get_meta_data could be controlled if the input     can be controlled (e.g., during file uploads).
    (bsc#1080234)

  - CVE-2018-5712: Prevent reflected XSS on the PHAR 404     error page via the URI of a request for a .phar file     that allowed for information disclosure (bsc#1076220)

  - CVE-2018-5711: Prevent integer signedness error that     could have lead to an infinite loop via a crafted GIF     file allowing for DoS (bsc#1076391)

  - CVE-2016-5773: php_zip.c in the zip extension in PHP     improperly interacted with the unserialize     implementation and garbage collection, which allowed     remote attackers to execute arbitrary code or cause a     denial of service (use-after-free and application crash)     via crafted serialized data containing a ZipArchive     object. (bsc#986247)

  - CVE-2016-5771: spl_array.c in the SPL extension in PHP     improperly interacted with the unserialize     implementation and garbage collection, which allowed     remote attackers to execute arbitrary code or cause a     denial of service (use-after-free and application crash)     via crafted serialized data. (bsc#986391)

  - CVE-2018-7584: Fixed stack-based buffer under-read while     parsing an HTTPresponse in the     php_stream_url_wrap_http_ex. (bsc#1083639)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that PHP incorrectly handled certain stream metadata. A remote attacker could possibly use this issue to set arbitrary metadata. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-10712)

It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-5712)

It was discovered that PHP incorrectly handled parsing certain HTTP responses. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-7584).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

  - CVE-2016-10712: In PHP all of the return values of     stream_get_meta_data could be controlled if the input     can be controlled (e.g., during file uploads).
    (bsc#1080234)

This update was imported from the SUSE:SLE-12:Update update project.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.18. It is, therefore, affected by multiple vulnerabilities :

  - The Perl-Compatible Regular Expressions (PCRE) library     is affected by multiple vulnerabilities related to the     handling of regular expressions, subroutine calls, and     binary files. A remote attacker can exploit these to     cause a denial of service, obtain sensitive information,     or have other unspecified impact. (CVE-2015-8383,     CVE-2015-8386, CVE-2015-8387, CVE-2015-8389,     CVE-2015-8390, CVE-2015-8391, CVE-2015-8393,     CVE-2015-8394)

  - A flaw exists in file ext/standard/exec.c in the     escapeshellcmd() and escapeshellarg() functions due to     the program truncating NULL bytes in strings. A remote     attacker can exploit this to bypass restrictions.

  - A flaw exists in file ext/standard/streamsfuncs.c in the     stream_get_meta_data() function due to a failure to     restrict writing user-supplied data to fields not     already set. A remote attacker can exploit this to     falsify the output of the function, resulting in the     insertion of malicious metadata.

  - A type confusion error exists in file ext/wddx/wddx.c in     the php_wddx_pop_element() function when deserializing     WDDX packets. A remote attacker can exploit this to have     an unspecified impact.

  - A flaw exists in file ext/phar/phar_object.c in the     PharFileInfo::getContent() method due to the use of     uninitialized memory causing improper validation of     user-supplied input. A remote attacker can exploit this     to corrupt memory, resulting in a denial of service or     the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in file     ext/phar/tar.c in the phar_tar_setupmetadata() function     when parsing metadata from a crafted TAR file. A remote     attacker can exploit this to cause a denial of service.

  - An integer overflow condition exists in file     ext/standard/iptc.c in the iptcembed() function due to     improper validation of user-supplied input. A remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service or the     execution of arbitrary code.

  - An overflow condition exists in file ext/phar/tar.c in     the phar_parse_tarfile() function due to improper     validation of user-supplied input when decompressing     TAR files. A remote attacker can exploit this to cause     a stack-based buffer overflow, resulting in a denial of     service or the execution of arbitrary code.
    (CVE-2016-2554)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
125352	Ubuntu 14.04 LTS : PHP vulnerabilities (USN-3566-2)	Nessus	Ubuntu Local Security Checks	critical
120016	SUSE SLES12 Security Update : php5 (SUSE-SU-2018:0530-1)	Nessus	SuSE Local Security Checks	high
109495	EulerOS 2.0 SP2 : php (EulerOS-SA-2018-1097)	Nessus	Huawei Local Security Checks	critical
109494	EulerOS 2.0 SP1 : php (EulerOS-SA-2018-1096)	Nessus	Huawei Local Security Checks	critical
108650	SUSE SLES11 Security Update : php53 (SUSE-SU-2018:0806-1)	Nessus	SuSE Local Security Checks	critical
108483	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : PHP vulnerabilities (USN-3600-1)	Nessus	Ubuntu Local Security Checks	critical
107000	openSUSE Security Update : php5 (openSUSE-2018-209)	Nessus	SuSE Local Security Checks	high
88694	PHP 5.6.x < 5.6.18 Multiple Vulnerabilities	Nessus	CGI abuses	critical

CVE-2016-10712

HIGH

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

high

critical

critical

critical

critical

high

critical