SUSE-SU-2016:2460

RHSA-2016:2750

98999

https://bugzilla.redhat.com/show_bug.cgi?id=1347772

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.23. It is, therefore, affected by multiple vulnerabilities :

 - An invalid free flaw exists in the phar_extract_file() function within file ext/phar/phar_object.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2016-4473)

 - An integer overflow condition exists in the _gd2GetHeader() function in file ext/gd/libgd/gd_gd2.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5766)

 - An integer overflow condition exists in the gdImagePaletteToTrueColor() function within file ext/gd/libgd/gd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-
2016-5767)

 - A double-free error exists in the _php_mb_regex_ereg_replace_exec() function within file ext/mbstring/php_mbregex.c when handling a failed callback execution. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5768)

 - An integer overflow condition exists within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input when handling data values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5769)

 - An integer overflow condition exists within file ext/spl/spl_directory.c, triggered by an int/size_t type confusion error, that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2016-5770)

 - A use-after-free error exists in the garbage collection algorithm within file ext/spl/spl_array.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5771)

 - A double-free error exists in the php_wddx_process_data() function within file ext/wddx/wddx.c when handling specially crafted XML content. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5772)

 - A use-after-free error exists in the garbage collection algorithm within file ext/zip/php_zip.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5773)

 - An integer overflow condition exists in the json_decode() and json_utf8_to_utf16() functions within file ext/standard/php_smart_str.h due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of
arbitrary code.

 - An out-of-bounds read error exists in the pass2_no_dither() function within file ext/gd/libgd/gd_topal.c that allows an unauthenticated, remote attacker to cause a denial of service condition or disclose memory contents.

 - An integer overflow condition exists within file ext/standard/string.c when handling string lengths due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact.

 - A NULL pointer dereference flaw exists in the _gdScaleVert() function within file ext/gd/libgd/gd_interpolation.c that is triggered when handling _gdContributionsCalc return values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An integer overflow condition exists in multiple functions within file ext/standard/string.c when handling string values due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for php7 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2016-4473: Invalid free() instead of efree() in     phar_extract_file()

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7133: memory allocator fails to realloc small     block to large one

  - CVE-2016-7134: Heap overflow in the function curl_escape

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7413: Use after free in wddx_deserialize

  - CVE-2016-7412: Heap overflow in mysqlnd when not     receiving UNSIGNED_FLAG in BIT field

  - CVE-2016-7417: Missing type check when unserializing     SplArray

  - CVE-2016-7416: Stack based buffer overflow in     msgfmt_format_message

  - CVE-2016-7418: NULL pointer dereference in     php_wddx_push_element

  - CVE-2016-7414: Out of bounds heap read when verifying     signature of zip phar in phar_parse_zipfile

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2016-4473.patch An invalid free may occur under     certain conditions when processing phar-compatible     archives.

  - CVE-2016-4538.patch The bcpowmod function in     ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before     5.6.21, and 7.x before 7.0.6 accepts a negative integer     for the scale argument, which allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via a crafted call. (already fixed with     patch for CVE-2016-4537)

  - CVE-2016-5114.patch sapi/fpm/fpm/fpm_log.c in PHP before     5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2     misinterprets the semantics of the snprintf return     value, which allows attackers to obtain sensitive     information from process memory or cause a denial of     service (out-of-bounds read and buffer overflow) via a     long string, as demonstrated by a long URI in a     configuration with custom REQUEST_URI logging.

  - CVE-2016-5399.patch Improper error handling in bzread()

  - CVE-2016-5768.patch Double free vulnerability in the
    _php_mb_regex_ereg_replace_exec function in     php_mbregex.c in the mbstring extension in PHP before     5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows     remote attackers to execute arbitrary code or cause a     denial of service (application crash) by leveraging a     callback exception.

  - CVE-2016-5769.patch Multiple integer overflows in     mcrypt.c in the mcrypt extension in PHP before 5.5.37,     5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote     attackers to cause a denial of service (heap-based     buffer overflow and application crash) or possibly have     unspecified other impact via a crafted length value,     related to the (1) mcrypt_generic and (2)     mdecrypt_generic functions.

  - CVE-2016-5770.patch Integer overflow in the     SplFileObject::fread function in spl_directory.c in the     SPL extension in PHP before 5.5.37 and 5.6.x before     5.6.23 allows remote attackers to cause a denial of     service or possibly have unspecified other impact via a     large integer argument, a related issue to     CVE-2016-5096.

  - CVE-2016-5771.patch spl_array.c in the SPL extension in     PHP before 5.5.37 and 5.6.x before 5.6.23 improperly     interacts with the unserialize implementation and     garbage collection, which allows remote attackers to     execute arbitrary code or cause a denial of service     (use-after-free and application crash) via crafted     serialized data.

  - CVE-2016-5772.patch Double free vulnerability in the     php_wddx_process_data function in wddx.c in the WDDX     extension in PHP before 5.5.37, 5.6.x before 5.6.23, and     7.x before 7.0.8 allows remote attackers to cause a     denial of service (application crash) or possibly     execute arbitrary code via crafted XML data that is     mishandled in a wddx_deserialize call.

  - CVE-2016-5773.patch php_zip.c in the zip extension in     PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before     7.0.8 improperly interacts with the unserialize     implementation and garbage collection, which allows     remote attackers to execute arbitrary code or cause a     denial of service (use-after-free and application crash)     via crafted serialized data containing a ZipArchive     object.

  - CVE-2016-6289.patch Integer overflow in the     virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in     PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before     7.0.9 allows remote attackers to cause a denial of     service (stack-based buffer overflow) or possibly have     unspecified other impact via a crafted extract operation     on a ZIP archive.

  - CVE-2016-6290.patch ext/session/session.c in PHP before     5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does     not properly maintain a certain hash data structure,     which allows remote attackers to cause a denial of     service (use-after-free) or possibly have unspecified     other impact via vectors related to session     deserialization.

  - CVE-2016-6291.patch The exif_process_IFD_in_MAKERNOTE     function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x     before 5.6.24, and 7.x before 7.0.9 allows remote     attackers to cause a denial of service (out-of-bounds     array access and memory corruption), obtain sensitive     information from process memory, or possibly have     unspecified other impact via a crafted JPEG image.

  - CVE-2016-6292.patch The exif_process_user_comment     function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x     before 5.6.24, and 7.x before 7.0.9 allows remote     attackers to cause a denial of service (NULL pointer     dereference and application crash) via a crafted JPEG     image.

  - CVE-2016-6294.patch The locale_accept_from_http function     in ext/intl/locale/locale_methods.c in PHP before     5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does     not properly restrict calls to the ICU     uloc_acceptLanguageFromHTTP function, which allows     remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a call with a long argument.

  - CVE-2016-6295.patch ext/snmp/snmp.c in PHP before     5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9     improperly interacts with the unserialize implementation     and garbage collection, which allows remote attackers to     cause a denial of service (use-after-free and     application crash) or possibly have unspecified other     impact via crafted serialized data, a related issue to     CVE-2016-5773.

  - CVE-2016-6296.patch Integer signedness error in the     simplestring_addn function in simplestring.c in     xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38,     5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote     attackers to cause a denial of service (heap-based     buffer overflow) or possibly have unspecified other     impact via a long first argument to the PHP     xmlrpc_encode_request function.

  - CVE-2016-6297.patch Integer overflow in the     php_stream_zip_opener function in ext/zip/zip_stream.c     in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x     before 7.0.9 allows remote attackers to cause a denial     of service (stack-based buffer overflow) or possibly     have unspecified other impact via a crafted zip:// URL.

  - BUG-70436.patch Use After Free Vulnerability in     unserialize()

  - BUG-72681.patch PHP Session Data Injection     Vulnerability, consume data even if we're not storing     them.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The specific version of PHP that the system is running is reportedly affected by the following vulnerabilities:

- PHP contains an integer overflow condition in the json_decode() and json_utf8_to_utf16() functions in ext/standard/php_smart_str.h. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, causing a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code.

- PHP contains an out-of-bounds read flaw in the pass2_no_dither() function in ext/gd/libgd/gd_topal.c that may allow a remote attacker to crash a process utilizing PHP or potentially disclose memory contents.

- PHP contains an integer overflow condition in ext/standard/string.c. The issue is triggered as user-supplied input is not properly validated when handling string lengths. This may allow a remote attacker to have an unspecified impact.

- PHP contains a double-free flaw in the _php_mb_regex_ereg_replace_exec() function in ext/mbstring/php_mbregex.c that is triggered when handling a failed callback execution. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5768)

- PHP contains a NULL pointer dereference flaw in the _gdScaleVert() function in ext/gd/libgd/gd_interpolation.c that is triggered during the handling of _gdContributionsCalc return values. This may allow a remote attacker to cause a denial of service in a process linked against PHP.

- PHP contains an integer overflow condition in ext/spl/spl_directory.c. The issue is triggered by an int/size_t confusion issue. This may allow a remote attacker to have an unspecified impact. (CVE-2016-5770)

- PHP contains an integer overflow condition in ext/mcrypt/mcrypt.c. The issue is triggered as user-supplied input is not properly validated when handling data values. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5769)

- PHP contains an integer overflow condition in the nl2br() function in ext/standard/string.c. The issue is triggered as user-supplied input is not properly validated when handling new_length values. This may allow a remote attacker to have an unspecified impact.

- PHP contains an integer overflow condition in multiple functions in ext/standard/string.c. The issue is triggered as user-supplied input is not properly validated when handling string values. This may allow a remote attacker to have an unspecified impact.

- PHP contains a double-free flaw in the php_wddx_process_data() function in ext/wddx/wddx.c that is triggered during the handling of specially crafted XML content. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5772)

- PHP contains an integer overflow condition in the gdImagePaletteToTrueColor() function in ext/gd/libgd/gd.c. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5767)

- PHP contains an invalid free flaw in the phar_extract_file() function in ext/phar/phar_object.c. This may allow a remote attacker to have an unspecified impact. (CVE-2016-4473)

- PHP contains an integer overflow condition in the _gd2GetHeader() function in ext/gd/libgd/gd_gd2.c. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5766)

Versions of PHP 5.5.x prior to 5.5.37, or 5.6.x prior to 5.6.23, or 7.0.x prior to 7.0.8 are vulnerable to the following issues :

 - PHP 'ext/mysqlnd/mysqlnd.c' contains a flaw that is due to the program failing to properly enforce the requirement of an SSL/TLS connection when the '--ssl client' option is used. This may allow a MitM (Man-in-the-Middle) attacker to downgrade the connection to plain HTTP when expected to be HTTPS. (CVE-2015-8838)
 - An integer overflow condition exists in the 'getFromIndex()'' and 'getFromName()' methods of 'ZipArchive'. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted ZIP file. This may allow an attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-3078)
 - An XXE (Xml eXternal Entity) injection and expansion flaw affects the 'libxml_disable_entity_loader()' function in the source file 'ext/libxml/libxml.c' in PHP-FPM that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to sensitive information or cause a denial of service. (CVE-2015-8866)
 - An integer overflow condition exists in the 'php_filter_encode_url()' function in 'ext/filter/sanitizing_filters.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4345)
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4346)
 - The program contains an out-of-bounds read flaw in 'ext/intl/grapheme/grapheme_string.c' that is triggered when handling negative offsets in 'zif_grapheme_stripos'. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4540, CVE-2016-4541)
 - An out-of-bounds read flaw exists in the 'php_str2num()' function in 'ext/bcmath/bcmath.c' that is triggered when accepting negative scales. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4537, CVE-2016-4538)
 - An out-of-bounds read flaw exists in the 'exif_read_data()' function in 'ext/exif/exif.c' that is triggered when handling exif headers. This may allow a remote attacker to crash a process utilizing the language or potentially disclose memory contents. (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544)
 - A flaw in the 'xml_parse_into_struct()' function in 'ext/xml/xml.c' is triggered during the handling of a specially crafted XML content. This may allow a remote attacker to cause a denial of service. (CVE-2016-4539)
 - A double-free flaw exists in the 'php_formatted_print()' function in 'ext/standard/formatted_print.c'. This may allow an attacker to have an unspecified impact. (CVE-2015-8880)
 - A flaw exists in 'main/php_open_temporary_file.c' that is triggered as thread safety is not ensured during the handling of temporary directories. This may allow a remote attacker to cause a denial of service. (CVE-2015-8878)
 - An integer overflow flaw exists in the 'php_html_entities()' and 'php_filter_full_special_chars()' functions in 'ext/standard/html.c' that is triggered as input is not properly validated. This may allow a remote attacker to have an unspecified impact. No further details have been provided. (CVE-2016-5094, CVE-2016-5095)
 - An integer underflow issue exists in 'ext/standard/file.c' that is triggered as input is not properly validated. This may allow a remote attacker to cause a NULL write and cause a process linked against PHP to crash. (CVE-2016-5096)
 - An out-of-bounds read flaw exists in the '_gdContributionsCalc()' function in 'ext/gd/libgd/gd_interpolation.c'. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2013-7456)
 - An out-of-bounds read flaw exists in the 'get_icu_value_internal()' function within 'ext/intl/locale/locale_methods.c' that is triggered when handling user-supplied input. This may allow a remote attacker to crash a process linked against the library or potentially disclose memory contents. (CVE-2016-5093)
 - A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'header()' function does not filter input passed via HTTP headers before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2015-8935)
 - A use-after-free error exists in the garbage collection algorithm in 'ext/zip/php_zip.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5773)
 - An integer overflow condition exists in the 'json_decode()' and 'json_utf8_to_utf16()' functions in 'ext/standard/php_smart_str.h'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, causing a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code.
 - An out-of-bounds read flaw exists within the 'pass2_no_dither()' function inside 'ext/gd/libgd/gd_topal.c' that may allow a remote attacker to crash a process utilizing PHP or potentially disclose memory contents.
 - An integer overflow condition exists in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string lengths. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw exists within the '_php_mb_regex_ereg_replace_exec()' function inside 'ext/mbstring/php_mbregex.c' that is triggered when handling a failed callback execution. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5768)
 - An integer overflow condition exists in 'ext/spl/spl_directory.c'. The issue is triggered by an 'int/size_t' confusion issue. This may allow a remote attacker to have an unspecified impact. (CVE-2016-5770)
 - An integer overflow condition exists in 'ext/mcrypt/mcrypt.c'. The issue is triggered as user-supplied input is not properly validated when handling data values. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5769)
 - An integer overflow condition exists within the 'nl2br()' function inside 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling new_length values. This may allow a remote attacker to have an unspecified impact.
 - An integer overflow condition exists within multiple functions in 'ext/standard/string.c'. The issue is triggered as user-supplied input is not properly validated when handling string values. This may allow a remote attacker to have an unspecified impact.
 - A double-free flaw within the 'php_wddx_process_data()' function inside 'ext/wddx/wddx.c' that is triggered during the handling of specially crafted XML content. This may allow a remote attacker to potentially execute arbitrary code. (CVE-2016-5772)
 - An integer overflow condition exists witin the 'gdImagePaletteToTrueColor()' function inside 'ext/gd/libgd/gd.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5767)
 - An invalid free flaw exists within the 'phar_extract_file()' function inside 'ext/phar/phar_object.c'. This may allow a remote attacker to have an unspecified impact. (CVE-2016-4473)
 - An integer overflow condition exists within the '_gd2GetHeader()' function inside 'ext/gd/libgd/gd_gd2.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against PHP or potentially allowing the execution of arbitrary code. (CVE-2016-5766)
 - A use-after-free error exists within the garbage collection algorithm inside 'ext/spl/spl_array.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-5771)

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.8. It is, therefore, affected by multiple vulnerabilities :

  - An invalid free flaw exists in the phar_extract_file()     function within file ext/phar/phar_object.c that allows     an unauthenticated, remote attacker to have an     unspecified impact. (CVE-2016-4473)

  - An integer overflow condition exists in the
    _gd2GetHeader() function in file ext/gd/libgd/gd_gd2.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-5766)

  - An integer overflow condition exists in the     gdImagePaletteToTrueColor() function within file     ext/gd/libgd/gd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-5767)

  - A double-free error exists in the
    _php_mb_regex_ereg_replace_exec() function within file     ext/mbstring/php_mbregex.c when handling a failed     callback execution. An unauthenticated, remote attacker     can exploit this to execute arbitrary code.
    (CVE-2016-5768)

  - An integer overflow condition exists within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input when handling data values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-5769)

  - An integer overflow condition exists within file     ext/spl/spl_directory.c, triggered by an int/size_t     type confusion error, that allows an unauthenticated,     remote attacker to have an unspecified impact.
    (CVE-2016-5770)

  - A use-after-free error exists in the garbage collection     algorithm within file ext/spl/spl_array.c. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-5771)

  - A double-free error exists in the     php_wddx_process_data() function within file     ext/wddx/wddx.c when handling specially crafted XML     content. An unauthenticated, remote attacker     can exploit this to execute arbitrary code.
    (CVE-2016-5772)

  - A use-after-free error exists in the garbage collection     algorithm within file ext/zip/php_zip.c. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-5773)

  - An integer overflow condition exists in the     json_decode() and json_utf8_to_utf16() functions within     file ext/standard/php_smart_str.h due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.

  - An out-of-bounds read error exists in the     pass2_no_dither() function within file     ext/gd/libgd/gd_topal.c that allows an unauthenticated,     remote attacker to cause a denial of service condition     or disclose memory contents.

  - An integer overflow condition exists within file     ext/standard/string.c when handling string lengths due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact.

  - A NULL pointer dereference flaw exists in the
    _gdScaleVert() function within file     ext/gd/libgd/gd_interpolation.c that is triggered when     handling _gdContributionsCalc return values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - An integer overflow condition exists in the nl2br()     function within file ext/standard/string.c when handling     new_length values due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

  - An integer overflow condition exists in multiple     functions within file ext/standard/string.c when     handling string values due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.23. It is, therefore, affected by multiple vulnerabilities :

  - An invalid free flaw exists in the phar_extract_file()     function within file ext/phar/phar_object.c that allows     an unauthenticated, remote attacker to have an     unspecified impact. (CVE-2016-4473)

  - An integer overflow condition exists in the
    _gd2GetHeader() function in file ext/gd/libgd/gd_gd2.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-5766)

  - An integer overflow condition exists in the     gdImagePaletteToTrueColor() function within file     ext/gd/libgd/gd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-5767)

  - A double-free error exists in the
    _php_mb_regex_ereg_replace_exec() function within file     ext/mbstring/php_mbregex.c when handling a failed     callback execution. An unauthenticated, remote attacker     can exploit this to execute arbitrary code.
    (CVE-2016-5768)

  - An integer overflow condition exists within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input when handling data values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-5769)

  - An integer overflow condition exists within file     ext/spl/spl_directory.c, triggered by an int/size_t     type confusion error, that allows an unauthenticated,     remote attacker to have an unspecified impact.
    (CVE-2016-5770)

  - A use-after-free error exists in the garbage collection     algorithm within file ext/spl/spl_array.c. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-5771)

  - A double-free error exists in the     php_wddx_process_data() function within file     ext/wddx/wddx.c when handling specially crafted XML     content. An unauthenticated, remote attacker     can exploit this to execute arbitrary code.
    (CVE-2016-5772)

  - A use-after-free error exists in the garbage collection     algorithm within file ext/zip/php_zip.c. An     unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-5773)

  - An integer overflow condition exists in the     json_decode() and json_utf8_to_utf16() functions within     file ext/standard/php_smart_str.h due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition or the execution of arbitrary code.

  - An out-of-bounds read error exists in the     pass2_no_dither() function within file     ext/gd/libgd/gd_topal.c that allows an unauthenticated,     remote attacker to cause a denial of service condition     or disclose memory contents.

  - An integer overflow condition exists within file     ext/standard/string.c when handling string lengths due     to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact.

  - A NULL pointer dereference flaw exists in the
    _gdScaleVert() function within file     ext/gd/libgd/gd_interpolation.c that is triggered when     handling _gdContributionsCalc return values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - An integer overflow condition exists in multiple     functions within file ext/standard/string.c when     handling string values due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to have an unspecified impact.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98813	PHP 5.6.x < 5.6.23 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
119981	SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2460-1)	Nessus	SuSE Local Security Checks	high
93568	Debian DLA-628-1 : php5 security update	Nessus	Debian Local Security Checks	high
802010	PHP < 5.5.37, 5.6.23, 7.0.8 Multiple Vulnerabilties	Log Correlation Engine	Web Servers	critical
9393	PHP 5.5.x < 5.5.37 / 5.6.x < 5.6.23 / 7.0.x < 7.0.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
91899	PHP 7.0.x < 7.0.8 Multiple Vulnerabilities	Nessus	CGI abuses	high
91898	PHP 5.6.x < 5.6.23 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2016-4473

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins