http://git.php.net/?p=php-src.git;a=commit;h=629e4da7cc8b174acdeab84969cbfc606a019b31

APPLE-SA-2016-09-20

[oss-security] 20160724 Re: Fwd: CVE for PHP 5.5.38 issues

http://php.net/ChangeLog-5.php

RHSA-2016:2750

92111

1036430

https://bugs.php.net/70480

https://support.apple.com/HT207170

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is running a version of Mac OS X version 10.x prior to 10.12, and is affected by multiple vulnerabilities in the following components :

 - apache (CVE-2016-4694)
 - apache_mod_php (CVE-2016-5768, CVE-2016-5769, CVE-2016-5770, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6174, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297)
 - Apple HSSPI Support (CVE-2016-4697)
 - AppleEFIRuntime (CVE-2016-4696)
 - AppleMobileFileIntegrity (CVE-2016-4698)
 - AppleUUC (CVE-2016-4699, CVE-2016-4700)
 - Application Firewall (CVE-2016-4701)
 - ATS (CVE-2016-4779)
 - Audio (CVE-2016-4702)
 - Bluetooth (CVE-2016-4703)
 - cd9660 (CVE-2016-4706)
 - CFNetwork (CVE-2016-4707, CVE-2016-4708)
 - CommonCrypto (CVE-2016-4711)
 - CoreCrypto (CVE-2016-4712)
 - CoreDisplay (CVE-2016-4713)
 - curl (CVE-2016-0755, CVE-2016-4606)
 - Date & Time Pref Pane (CVE-2016-4715)
 - DiskArbitration (CVE-2016-4716)
 - File Bookmark (CVE-2016-4717)
 - FontParser (CVE-2016-4718)
 - IDS - Connectivity (CVE-2016-4722)
 - Intel Graphics Driver (CVE-2016-4723, CVE-2016-7582)
 - IOAcceleratorFamily (CVE-2016-4724, CVE-2016-4725, CVE-2016-4726)
 - IOThunderboltFamily (CVE-2016-4727)
 - Kerberos v5 PAM module (CVE-2016-4745)
 - Kernel (CVE-2016-4771, CVE-2016-4772, CVE-2016-4773, CVE-2016-4774, CVE-2016-4775, CVE-2016-4776, CVE-2016-4777, CVE-2016-4778)
 - lib archive (CVE-2016-4736)
 - libxml2 (CVE-2016-4658, CVE-2016-5131)
 - libxpc (CVE-2016-4617)
 - libxslt (CVE-2016-4738)
 - mDNSResponder (CVE-2016-4739)
 - NSSecureTextField (CVE-2016-4742)
 - Perl (CVE-2016-4748, CVE-2016-4750)
 - Security (CVE-2016-4752, CVE-2016-4753)
 - Terminal (CVE-2016-4755)
 - WindowServer (CVE-2016-4709, CVE-2016-4710)

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

This update was imported from the SUSE:SLE-12:Update update project.

The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, or is not macOS 10.12. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - apache_mod_php
  - Apple HSSPI Support
  - AppleEFIRuntime
  - AppleMobileFileIntegrity
  - AppleUCC
  - Application Firewall
  - ATS
  - Audio
  - Bluetooth
  - cd9660
  - CFNetwork
  - CommonCrypto
  - CoreCrypto
  - CoreDisplay
  - curl
  - Date & Time Pref Pane
  - DiskArbitration
  - File Bookmark
  - FontParser
  - IDS - Connectivity
  - ImageIO
  - Intel Graphics Driver
  - IOAcceleratorFamily
  - IOThunderboltFamily
  - Kerberos v5 PAM module
  - Kernel
  - libarchive
  - libxml2
  - libxpc
  - libxslt
  - mDNSResponder
  - NSSecureTextField
  - Perl
  - S2 Camera
  - Security
  - Terminal
  - WindowServer

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

This update for php53 fixes the following security issues :

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allows illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php53 fixes the following issues :

  - security update :

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

php5 was updated to fix the following security issues :

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener (bsc#991426).

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE (bsc#991427).

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex (bsc#991428).

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization (bsc#991429).

  - CVE-2016-5399: Improper error handling in bzread()     (bsc#991430).

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     (bsc#991433).

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c (bsc#991437).

  - CVE-2016-5769: Mcrypt: Heap Overflow due to integer     overflows (bsc#986388).

  - CVE-2015-8935: XSS in header() with Internet Explorer     (bsc#986004).

  - CVE-2016-5772: Double free corruption in     wddx_deserialize (bsc#986244).

  - CVE-2016-5766: Integer Overflow in _gd2GetHeader()     resulting in heap overflow (bsc#986386).

  - CVE-2016-5767: Integer Overflow in     gdImagePaletteToTrueColor() resulting in heap overflow     (bsc#986393).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following issues :

  - security update :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

Versions of PHP 5.5.x prior to 5.5.38, or 5.6.x prior to 5.6.24, or 7.0.x prior to 7.0.9 are vulnerable to the following issues :

 - A NULL pointer dereference flaw within the '_gdScaleVert()' function inside of 'ext/gd/libgd/gd_interpolation.c' is triggered during the handling of '_gdContributionsCalc' return values. This may allow a remote attacker to cause a denial of service in a process linked against PHP.
 - A flaw related to missing protection against 'RFC 3875 section 4.1.18' namespace conflicts is triggered when handling requests containing 'Proxy' HTTP headers. These may be stored in the 'HTTP_PROXY' environment variable also commonly used to configure an outbound HTTP proxy for applications. With a specially crafted request, a remote attacker can specify an arbitrary HTTP proxy server to be used by applications relying on the HTTP_PROXY environment variable. (CVE-2016-5385)
 - An out-of-bounds read flaw within the 'gdImageScaleBilinearPalette()' function inside of 'gd_interpolation.c' is triggered when handling transparent colors. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - A flaw within the 'gdImageScaleTwoPass()' function inside of 'gd_interpolation.c' is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library. (CVE-2016-6207)
 - A use-after-free error within 'ext/snmp/snmp.c' is triggered during the unserialization of user-supplied input when handling garbage collection. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6295)
 - An out-of-bounds read flaw within the 'uloc_acceptLanguageFromHTTP()' function inside of 'common/uloc.cpp' may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6293, CVE-2016-6294)
 - A use-after-free error within 'ext/session/session.c' is triggered during the handling of 'var_hash destruction'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6290)
 - An out-of-bounds read flaw within the 'exif_process_IFD_in_MAKERNOTE()' function inside of 'ext/exif/exif.c' may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6291)
 - An overflow condition within the 'php_bz2iop_read()' function inside of 'ext/bz2/bz2.c' is triggered as error conditions are not properly handled. With a specially crafted request, a remote attacker can cause a buffer overflow and potentially execute arbitrary code. (CVE-2016-5399)
 - An overflow condition within the 'mdecrypt_generic()' function inside of 'ext/mcrypt/mcrypt.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code.
 - A NULL pointer dereference flaw within the 'exif_process_user_comment()' function inside of 'ext/exif/exif.c' may allow a remote attacker to crash a program using the language. (CVE-2016-6292)
 - A flaw within the 'curl_unescape()' function inside of 'ext/curl/interface.c' is triggered during the handling of string lengths. This may allow a remote attacker to trigger heap corruption and crash a program using the language.
 - An overflow condition within the 'mcrypt_generic()' function inside of 'ext/mcrypt/mcrypt.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - An integer overflow condition within the 'php_stream_zip_opener()' function inside of 'ext/zip/zip_stream.c' is triggered as user-supplied input is not properly validated when handling zip streams. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6297)
 - An integer overflow condition within the 'virtual_file_ex()' function inside of 'Zend/zend_virtual_cwd.c' is triggered as user-supplied input is not properly validated when handling variables. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6289)
 - An overflow condition within the 'simplestring_addn()' function inside of 'simplestring.c.' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against the library or potentially allowing the execution of arbitrary code. (CVE-2016-6296)
 - A NULL write flaw within the 'gdImageColorTransparent()' function inside of 'gd.c' is triggered during the handling of negative transparent colors. This may allow a context-dependent attacker to disclose memory.
 - An overflow condition within the 'php_url_prase_ex()' function inside of 'ext/standard/url.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a buffer overflow, potentially resulting in a denial of service in a process utilizing the language. (CVE-2016-6288)

It was discovered that PHP incorrectly handled certain SplMinHeap::compare operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-4116)

It was discovered that PHP incorrectly handled recursive method calls.
A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8873)

It was discovered that PHP incorrectly validated certain Exception objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8876)

It was discovered that PHP header() function performed insufficient filtering for Internet Explorer. A remote attacker could possibly use this issue to perform a XSS attack. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8935)

It was discovered that PHP incorrectly handled certain locale operations. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5093)

It was discovered that the PHP php_html_entities() function incorrectly handled certain string lengths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5094, CVE-2016-5095)

It was discovered that the PHP fread() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2016-5096)

It was discovered that the PHP FastCGI Process Manager (FPM) SAPI incorrectly handled memory in the access logging feature. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5114)

It was discovered that PHP would not protect applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with scripts that honour the HTTP_PROXY variable to redirect outgoing HTTP requests.
(CVE-2016-5385)

Hans Jerry Illikainen discovered that the PHP bzread() function incorrectly performed error handling. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-5399)

It was discovered that certain PHP multibyte string functions incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-5768)

It was discovered that the PHP Mcrypt extension incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2016-5769)

It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing malicious data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only addressed in Ubuntu Ubuntu 14.04 LTS. (CVE-2016-5771, CVE-2016-5773)

It was discovered that PHP incorrectly handled memory when unserializing malicious xml data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5772)

It was discovered that the PHP php_url_parse_ex() function incorrectly handled string termination. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-6288)

It was discovered that PHP incorrectly handled path lengths when extracting certain Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6289)

It was discovered that PHP incorrectly handled session deserialization. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6290)

It was discovered that PHP incorrectly handled exif headers when processing certain JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6291, CVE-2016-6292)

It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6294)

It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing SNMP data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6295)

It was discovered that the PHP xmlrpc_encode_request() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6296)

It was discovered that the PHP php_stream_zip_opener() function incorrectly handled memory. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6297).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

PHP reports :

- Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)

- Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and unserialize()).

- Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read access).

- Fixed bug #72519 (imagegif/output out-of-bounds access).

- Fixed bug #72520 (Stack-based buffer overflow vulnerability in php_stream_zip_opener).

- Fixed bug #72533 (locale_accept_from_http out-of-bounds access).

- Fixed bug #72541 (size_t overflow lead to heap corruption).

- Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to heap overflow in mdecrypt_generic).

- Fixed bug #72558 (Integer overflow error within
_gdContributionsAlloc()).

- Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and applications).

- Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).

- Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).

- Fixed bug #72613 (Inadequate error handling in bzread()).

- Fixed bug #72618 (NULL pointer Dereference in exif_process_user_comment).

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities :

  - A Segfault condition occurs when accessing     nvarchar(max) defined columns. (CVE-2015-8879)

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - A buffer overflow condition exists in the     php_url_parse_ex() function. (CVE-2016-6288)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

  - An overflow condition exists in the php_url_prase_ex()     function due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     buffer overflow, resulting in a denial of service     condition.

ID	Name	Product	Family	Severity
119979	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:2408-1)	Nessus	SuSE Local Security Checks	high
9620	Mac OS X 10.x < 10.12 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
93856	openSUSE Security Update : php5 (openSUSE-2016-1156)	Nessus	SuSE Local Security Checks	high
93685	macOS < 10.12 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
93589	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2328-1)	Nessus	SuSE Local Security Checks	high
93367	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2210-1)	Nessus	SuSE Local Security Checks	high
93293	SUSE SLES11 Security Update : php5 (SUSE-SU-2016:2080-1)	Nessus	SuSE Local Security Checks	high
92982	openSUSE Security Update : php5 (openSUSE-2016-985)	Nessus	SuSE Local Security Checks	high
9460	PHP 5.5.x < 5.5.38 / 5.6.x < 5.6.24 / 7.0.x < 7.0.9 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
92699	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3045-1) (httpoxy)	Nessus	Ubuntu Local Security Checks	high
92574	FreeBSD : php -- multiple vulnerabilities (b6402385-533b-11e6-a7bd-14dae9d210b8) (httpoxy)	Nessus	FreeBSD Local Security Checks	high
92554	PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high

CVE-2016-6288

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins