openSUSE-SU-2016:1357

openSUSE-SU-2016:1524

http://php.net/ChangeLog-7.php

[oss-security] 20160428 [CVE Requests] PHP issues

https://bugs.php.net/bug.php?id=71637

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.4. It is, therefore, affected by multiple vulnerabilities :

 - A type confusion error exists in file ext/soap/php_http.c in the make_http_soap_request() function when handling cookie data. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-3185)

 - Multiple integer overflow conditions exist in file ext/xml/xml.c in the xml_utf8_encode functions due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2016-4344)

 - An integer overflow condition exists in the php_filter_encode_url() function due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or th execution of arbitrary code. (CVE-2016-4345)

 - An overflow condition exists in the xml_utf8_encode functions due to improper validation of user-supplied input. A remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-4346)

 - A flaw exists when handling the third call while running function.forward-static-call.php. An unauthenticated, remote attacker can exploit this to cause a denial of service by crashing the interpreter.

 - An integer overflow condition exists in file ext/standard/string.c in the php_implode() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service or the execution of arbitrary code.

 - An integer overflow condition exists in file ext/standard/string.c in the zend_string_alloc() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - A stack corruption issue exists when handling certain Magento2 commands that allows an unauthenticated, remote attacker to cause a denial of service.

 - A flaw exists in file sapi/cli/php_cli_server.c due to the built-in HTTP server not properly restricting file requests. An unauthenticated, remote attacker can exploit this to access arbitrary files.

 - A use-after-free error exists in Zend Opcache when updating cached directory names that have been cached in the current working directory. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code.

 - A NULL pointer dereference flaw exists in file ext/zip/php_zip.c in the Zip::ExtractTo() method that allows an unauthenticated, remote attacker to cause a denial of service.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for php5 fixes the following issues :

Security issues fixed :

  - CVE-2016-4346: heap overflow in ext/standard/string.c     (bsc#977994)

  - CVE-2016-4342: heap corruption in tar/zip/phar parser     (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepts negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The specific version of PHP that the system is running is reportedly affected by the following vulnerabilities:

- PHP contains an integer overflow condition in the php_filter_encode_url() function in ext/filter/sanitizing_filters.c. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4345)

- PHP contains an integer overflow condition in ext/standard/string.c. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4346)

Versions of PHP 5.5.x prior to 5.5.37, or 5.6.x prior to 5.6.23, or 7.0.x prior to 7.0.8 are vulnerable to the following issues :

 - PHP 'ext/mysqlnd/mysqlnd.c' contains a flaw that is due to the program failing to properly enforce the requirement of an SSL/TLS connection when the '--ssl client' option is used. This may allow a MitM (Man-in-the-Middle) attacker to downgrade the connection to plain HTTP when expected to be HTTPS. (CVE-2015-8838)
 - An integer overflow condition exists in the 'getFromIndex()'' and 'getFromName()' methods of 'ZipArchive'. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted ZIP file. This may allow an attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-3078)
 - An XXE (Xml eXternal Entity) injection and expansion flaw affects the 'libxml_disable_entity_loader()' function in the source file 'ext/libxml/libxml.c' in PHP-FPM that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to sensitive information or cause a denial of service. (CVE-2015-8866)
 - An integer overflow condition exists in the 'php_filter_encode_url()' function in 'ext/filter/sanitizing_filters.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4345)
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4346)
 - The program contains an out-of-bounds read flaw in 'ext/intl/grapheme/grapheme_string.c' that is triggered when handling negative offsets in 'zif_grapheme_stripos'. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4540, CVE-2016-4541)
 - An out-of-bounds read flaw exists in the 'php_str2num()' function in 'ext/bcmath/bcmath.c' that is triggered when accepting negative scales. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4537, CVE-2016-4538)
 - An out-of-bounds read flaw exists in the 'exif_read_data()' function in 'ext/exif/exif.c' that is triggered when handling exif headers. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
 - A flaw in the 'xml_parse_into_struct()' function in 'ext/xml/xml.c' is triggered during the handling of a specially crafted XML content. This may allow a remote attacker to cause a denial of service. (CVE-2016-4539)
 - A double-free flaw exists in the 'php_formatted_print()' function in 'ext/standard/formatted_print.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-8880)
 - A flaw exists in 'main/php_open_temporary_file.c' that is triggered as thread safety is not ensured during the handling of temporary directories. This may allow a remote attacker to cause a denial of service. (CVE-2015-8878)
 - An integer overflow flaw exists in the 'php_html_entities()' and 'php_filter_full_special_chars()' functions in 'ext/standard/html.c' that is triggered as input is not properly validated. This may allow a remote attacker to have an unspecified impact. No further details have been provided. (CVE-2016-5094, CVE-2016-5095)
 - An integer underflow issue exists in 'ext/standard/file.c' that is triggered as input is not properly validated. This may allow a remote attacker to cause a NULL write and cause a process linked against PHP to crash. (CVE-2016-5096)
 - An out-of-bounds read flaw exists in the '_gdContributionsCalc()' function in 'ext/gd/libgd/gd_interpolation.c'. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2013-7456)
 - An out-of-bounds read flaw exists in the 'get_icu_value_internal()' function within 'ext/intl/locale/locale_methods.c' that is triggered when handling user-supplied input. This may allow a remote attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-5093)
 - A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'header()' function does not filter input passed via HTTP headers before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2015-8935)
 - A use-after-free error exists in the garbage collection algorithm in 'ext/zip/php_zip.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5773)
 - An integer overflow condition exists in the 'json_decode()' and 'json_utf8_to_utf16()' functions in 'ext/standard/php_smart_str.h'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, causing a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code.
 - An out-of-bounds read flaw exists within the 'pass2_no_dither()' function inside 'ext/gd/libgd/gd_topal.c' that may allow a remote attacker to crash a process utilizing PHP or potentially disclose memory contents.
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string lengths. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw exists within the '_php_mb_regex_ereg_replace_exec()' function inside 'ext/mbstring/php_mbregex.c' that is triggered when handling a failed callback execution. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5768)
 - An integer overflow condition exists in 'ext/spl/spl_directory.c'. The issue is triggered by an 'int/size_t' confusion issue. This may allow a remote attacker to have an unspecified impact. (CVE-2016-5770)
 - An integer overflow condition exists in 'ext/mcrypt/mcrypt.c'. The issue is triggered as user-supplied input is not properly validated when handling data values. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5769)
 - An integer overflow condition exists within the 'nl2br()' function inside 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling new_length values. This may allow a remote attacker to have an unspecified impact.
 - An integer overflow condition exists within multiple functions in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string values. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw within the 'php_wddx_process_data()' function inside 'ext/wddx/wddx.c' that is triggered during the handling of specially crafted XML content. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5772)
 - An integer overflow condition exists witin the 'gdImagePaletteToTrueColor()' function inside 'ext/gd/libgd/gd.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5767)
 - An invalid free flaw exists within the 'phar_extract_file()' function inside 'ext/phar/phar_object.c'. This may allow a remote attacker to have an unspecified impact. (CVE-2016-4473)
 - An integer overflow condition exists within the '_gd2GetHeader()' function inside 'ext/gd/libgd/gd_gd2.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5766)
 - A use-after-free error exists within the garbage collection algorithm inside 'ext/spl/spl_array.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5771)

This update for php53 fixes the following issues :

  - CVE-2016-5093: A get_icu_value_internal out-of-bounds     read could crash the php interpreter (bsc#982010)

  - CVE-2016-5094,CVE-2016-5095: Don't allow creating     strings with lengths outside int range, avoids overflows     (bsc#982011,bsc#982012)

  - CVE-2016-5096: A int/size_t confusion in fread could     corrupt memory (bsc#982013)

  - CVE-2016-5114: A fpm_log.c memory leak and buffer     overflow could leak information out of the php process     or overwrite a buffer by 1 byte (bsc#982162)

  - CVE-2016-4346: A heap overflow was fixed in     ext/standard/string.c (bsc#977994)

  - CVE-2016-4342: A heap corruption was fixed in     tar/zip/phar parser (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepted negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

  - CVE-2015-8879: odbc_bindcols function in     ext/odbc/php_odbc.c mishandles driver behavior for     SQL_WVARCHAR (bsc#981050)

Also fixed previously on SUSE Linux Enterprise 11 SP4, but not yet shipped to SUSE Linux Enterprise Server 11 SP3 LTSS :

  - CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM     (bnc#973792).

  - CVE-2015-8835: SoapClient s_call method suffered from a     type confusion issue that could have lead to crashes     [bsc#973351]

  - CVE-2016-2554: A NULL pointer dereference in     phar_get_fp_offset could lead to crashes. [bsc#968284]

  - CVE-2015-7803: A Stack overflow vulnerability when     decompressing tar phar archives could potentially lead     to code execution. [bsc#949961]

  - CVE-2016-3141: A use-after-free / double-free in the     WDDX deserialization could lead to crashes or potential     code execution. [bsc#969821]

  - CVE-2016-3142: An Out-of-bounds read in     phar_parse_zipfile() could lead to crashes. [bsc#971912]

  - CVE-2014-9767: A directory traversal when extracting zip     files was fixed that could lead to overwritten files.
    [bsc#971612]

  - CVE-2016-3185: A type confusion vulnerability in     make_http_soap_request() could lead to crashes or     potentially code execution. [bsc#971611]

  - CVE-2016-4073: A remote attacker could have caused     denial of service, or possibly execute arbitrary code,     due to incorrect handling of string length calculations     in mb_strcut() (bsc#977003)

  - CVE-2015-8867: The PHP function     openssl_random_pseudo_bytes() did not return     cryptographically secure random bytes (bsc#977005)

  - CVE-2016-4070: The libxml_disable_entity_loader()     setting was shared between threads, which could have     resulted in XML external entity injection and entity     expansion issues (bsc#976997)

  - CVE-2015-8866: A remote attacker could have caused     denial of service due to incorrect handling of large     strings in php_raw_url_encode() (bsc#976996)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

Security issues fixed :

  - CVE-2016-4346: heap overflow in ext/standard/string.c     (bsc#977994)

  - CVE-2016-4342: heap corruption in tar/zip/phar parser     (bsc#977991)

  - CVE-2016-4537, CVE-2016-4538: bcpowmod accepts negative     scale causing heap buffer overflow corrupting _one_     definition (bsc#978827)

  - CVE-2016-4539: Malformed input causes segmentation fault     in xml_parse_into_struct() function (bsc#978828)

  - CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read     in zif_grapheme_stripos when given negative offset     (bsc#978829)

  - CVE-2016-4542, CVE-2016-4543, CVE-2016-4544:
    Out-of-bounds heap memory read in exif_read_data()     caused by malformed input (bsc#978830)

  - CVE-2015-4116: Use-after-free vulnerability in the     spl_ptr_heap_insert function (bsc#980366)

  - CVE-2015-8873: Stack consumption vulnerability in     Zend/zend_exceptions.c (bsc#980373)

  - CVE-2015-8874: Stack consumption vulnerability in GD     (bsc#980375)

This update was imported from the SUSE:SLE-12:Update update project.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.4. It is, therefore, affected by multiple vulnerabilities :

  - A type confusion error exists in file     ext/soap/php_http.c in the make_http_soap_request()     function when handling cookie data. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-3185)

  - Multiple integer overflow conditions exist in file     ext/xml/xml.c in the xml_utf8_encode functions due to     improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit these to     cause a heap-based buffer overflow, resulting in a     denial of service or the execution of arbitrary code.
    (CVE-2016-4344)

  - An integer overflow condition exists in the     php_filter_encode_url() function due to improper     validation of user-supplied input. A remote attacker can     exploit this to cause a heap-based buffer overflow,     resulting in a denial of service or th execution of     arbitrary code. (CVE-2016-4345)

  - An overflow condition exists in the xml_utf8_encode     functions due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     heap-based buffer overflow, resulting in a denial of     service condition or the execution of arbitrary code.
    (CVE-2016-4346)

  - A flaw exists when handling the third call while running     function.forward-static-call.php. An unauthenticated,     remote attacker can exploit this to cause a denial of     service by crashing the interpreter.

  - An integer overflow condition exists in file     ext/standard/string.c in the php_implode() function due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in a     denial of service or the execution of arbitrary code.

  - An integer overflow condition exists in file     ext/standard/string.c in the zend_string_alloc()     function due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this to execute arbitrary code.

  - A stack corruption issue exists when handling certain     Magento2 commands that allows an unauthenticated,     remote attacker to cause a denial of service.

  - A flaw exists in file sapi/cli/php_cli_server.c due to     the built-in HTTP server not properly restricting file     requests. An unauthenticated, remote attacker can     exploit this to access arbitrary files.

  - A use-after-free error exists in Zend Opcache when     updating cached directory names that have been cached in     the current working directory. An unauthenticated,     remote attacker can exploit this to deference already     freed memory, resulting in the execution of arbitrary     code.

  - A NULL pointer dereference flaw exists in file     ext/zip/php_zip.c in the Zip::ExtractTo() method that     allows an unauthenticated, remote attacker to cause     a denial of service.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for libqt5-qtbase fixes the following issues :

  - boo#865241: disable RC4 based ciphers which are now     considered insecure

The following non-security bugs were fixed :

  - boo#957006: dolphin freeze when opening a folder     containing symlinks to special files

ID	Name	Product	Family	Severity
98850	PHP 7.0.x < 7.0.4 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
119978	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:1504-1)	Nessus	SuSE Local Security Checks	high
802029	PHP 7.0.x < 7.0.4 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	critical
93161	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)	Nessus	SuSE Local Security Checks	critical
9393	PHP 5.5.x < 5.5.37 / 5.6.x < 5.6.23 / 7.0.x < 7.0.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
91665	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1)	Nessus	SuSE Local Security Checks	critical
91531	openSUSE Security Update : php5 (openSUSE-2016-696)	Nessus	SuSE Local Security Checks	high
90009	PHP 7.0.x < 7.0.4 Multiple Vulnerabilities	Nessus	CGI abuses	high
89093	openSUSE Security Update : libqt5-qtbase (openSUSE-2016-613)	Nessus	SuSE Local Security Checks	high

CVE-2016-4346

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins