http://git.php.net/?p=php-src.git;a=commit;h=aa82e99ed8003c01f1ef4f0940e56b85c5b032d4

[oss-security] 20160724 Re: Fwd: CVE for PHP 5.5.38 issues

92127

https://bugs.php.net/72533

GLSA-201701-58

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities :

 - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY
environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed
or manipulated. (CVE-2016-5385)

 - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399)

 - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207)

 - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-
6289)

 - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290)

 - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291)

 - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292)

 - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294)

 - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295)

 - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016
-6296)

 - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution
of arbitrary code. (CVE-2016-6297)

 - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or
disclose memory contents.

 - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

 - A flaw exists in the curl_unescape() function within file ext/curl/interface.c when handling string lengths. An unauthenticated, remote attacker can exploit this to cause heap corruption, resulting in a denial of service condition.

 - A heap-based buffer overflow condition exists in the mcrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

 - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.24. It is, therefore, affected by multiple vulnerabilities :

 - A man-in-the-middle vulnerability exists, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY
environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed
or manipulated. (CVE-2016-5385)

 - An overflow condition exists in the php_bz2iop_read() function within file ext/bz2/bz2.c due to improper handling of error conditions. An unauthenticated, remote attacker can exploit this, via a crafted request, to execute arbitrary code. (CVE-2016-5399)

 - A flaw exists in the GD Graphics Library (libgd), specifically in the gdImageScaleTwoPass() function within file gd_interpolation.c, due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6207)

 - An integer overflow condition exists in the virtual_file_ex() function within file Zend/zend_virtual_cwd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-
6289)

 - A use-after-free error exists within the file ext/session/session.c when handling 'var_hash' destruction. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6290)

 - An out-of-bounds read error exists in the exif_process_IFD_in_MAKERNOTE() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or disclose memory contents. (CVE-2016-6291)

 - A NULL pointer dereference flaw exists in the exif_process_user_comment() function within file ext/exif/exif.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-6292)

 - Multiple out-of-bounds read errors exist in the locale_accept_from_http() function within file ext/intl/locale/locale_methods.c. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or disclose memory contents. (CVE-2016-6293, CVE-2016-6294)

 - A use-after-free error exists within file ext/snmp/snmp.c when handling garbage collection during deserialization of user-supplied input. An unauthenticated, remote attacker can exploit this to deference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-6295)

 - A heap-based buffer overflow condition exists in the simplestring_addn() function within file simplestring.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016
-6296)

 - An integer overflow condition exists in the php_stream_zip_opener() function within file ext/zip/zip_stream.c due to improper validation of user-supplied input when handling zip streams. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution
of arbitrary code. (CVE-2016-6297)

 - An out-of-bounds read error exists in the GD Graphics Library (libgd), specifically in the gdImageScaleBilinearPalette() function within file gd_interpolation.c, when handling transparent color. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or
disclose memory contents.

 - A heap-based buffer overflow condition exists in the mdecrypt_generic() function within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

 - A NULL write flaw exists in the GD Graphics Library (libgd) in the gdImageColorTransparent() function due to improper handling of negative transparent colors. A remote attacker can exploit this to disclose memory contents.

 Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

icu was updated to fix two security issues.

These security issues were fixed :

CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer data type that is inconsistent with a header file, which allowed remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text (bsc#929629).

CVE-2014-8146: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) did not properly track directionally isolated pieces of text, which allowed remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text (bsc#929629).

CVE-2016-6293: The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) for C/C++ did not ensure that there is a '\0' character at the end of a certain temporary array, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument (bsc#990636).

CVE-2017-7868: International Components for Unicode (ICU) for C/C++ 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function (bsc#1034674)

CVE-2017-7867: International Components for Unicode (ICU) for C/C++ 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function (bsc#1034678)

CVE-2017-14952: Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ allowed remote attackers to execute arbitrary code via a crafted string, aka a 'redundant UVector entry clean up function call' issue (bnc#1067203)

CVE-2017-17484: The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ mishandled ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allowed remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC (bnc#1072193)

CVE-2017-15422: An integer overflow in icu during persian calendar date processing could lead to incorrect years shown (bnc#1077999)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for icu fixes the following issues :

  - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function     in common/uloc.cpp did not ensure that there is a '\0'     character at the end of a certain temporary array, which     allows remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a call with a long httpAcceptLanguage     argument. (bsc#990636)

  - CVE-2017-7868: ICU had an out-of-bounds write caused by     a heap-based buffer overflow related to the     utf8TextAccess function in common/utext.cpp and the     utext_moveIndex32* function. (bsc#1034674)

  - CVE-2017-7867: ICU had an out-of-bounds write caused by     a heap-based buffer overflow related to the     utf8TextAccess function in common/utext.cpp and the     utext_setNativeIndex* function. (bsc#1034678)

  - CVE-2017-14952: Double free in i18n/zonemeta.cpp allowed     remote attackers to execute arbitrary code via a crafted     string, aka a 'redundant UVector entry clean up function     call' issue. (bsc#1067203)

  - CVE-2017-17484: The ucnv_UTF8FromUTF8 function in     ucnv_u8.cpp mishandled ucnv_convertEx calls for UTF-8 to     UTF-8 conversion, which allows remote attackers to cause     a denial of service (stack-based buffer overflow and     application crash) or possibly have unspecified other     impact via a crafted string, as demonstrated by ZNC.
    (bsc#1072193)

  - CVE-2017-15422: An integer overflow in persian calendar     calculation was fixed, which could show wrong years.
    (bsc#1077999)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

icu was updated to fix two security issues.

These security issues were fixed :

  - CVE-2014-8147: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) used an integer data type that is     inconsistent with a header file, which allowed remote     attackers to cause a denial of service (incorrect malloc     followed by invalid free) or possibly execute arbitrary     code via crafted text (bsc#929629).

  - CVE-2014-8146: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) did not properly track directionally     isolated pieces of text, which allowed remote attackers     to cause a denial of service (heap-based buffer     overflow) or possibly execute arbitrary code via crafted     text (bsc#929629).

  - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function     in common/uloc.cpp in International Components for     Unicode (ICU) for C/C++ did not ensure that there is a     '\0' character at the end of a certain temporary array,     which allowed remote attackers to cause a denial of     service (out-of-bounds read) or possibly have     unspecified other impact via a call with a long     httpAcceptLanguage argument (bsc#990636).

  - CVE-2017-7868: International Components for Unicode     (ICU) for C/C++ 2017-02-13 has an out-of-bounds write     caused by a heap-based buffer overflow related to the     utf8TextAccess function in common/utext.cpp and the     utext_moveIndex32* function (bsc#1034674)

  - CVE-2017-7867: International Components for Unicode     (ICU) for C/C++ 2017-02-13 has an out-of-bounds write     caused by a heap-based buffer overflow related to the     utf8TextAccess function in common/utext.cpp and the     utext_setNativeIndex* function (bsc#1034678)

  - CVE-2017-14952: Double free in i18n/zonemeta.cpp in     International Components for Unicode (ICU) for C/C++     allowed remote attackers to execute arbitrary code via a     crafted string, aka a 'redundant UVector entry clean up     function call' issue (bnc#1067203)

  - CVE-2017-17484: The ucnv_UTF8FromUTF8 function in     ucnv_u8.cpp in International Components for Unicode     (ICU) for C/C++ mishandled ucnv_convertEx calls for     UTF-8 to UTF-8 conversion, which allowed remote     attackers to cause a denial of service (stack-based     buffer overflow and application crash) or possibly have     unspecified other impact via a crafted string, as     demonstrated by ZNC (bnc#1072193)

  - CVE-2017-15422: An integer overflow in icu during     persian calendar date processing could lead to incorrect     years shown (bnc#1077999)

This update was imported from the SUSE:SLE-12:Update update project.

icu was updated to fix two security issues. These security issues were fixed :

  - CVE-2014-8147: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) used an integer data type that is     inconsistent with a header file, which allowed remote     attackers to cause a denial of service (incorrect malloc     followed by invalid free) or possibly execute arbitrary     code via crafted text (bsc#929629).

  - CVE-2014-8146: The resolveImplicitLevels function in     common/ubidi.c in the Unicode Bidirectional Algorithm     implementation in ICU4C in International Components for     Unicode (ICU) did not properly track directionally     isolated pieces of text, which allowed remote attackers     to cause a denial of service (heap-based buffer     overflow) or possibly execute arbitrary code via crafted     text (bsc#929629).

  - CVE-2016-6293: The uloc_acceptLanguageFromHTTP function     in common/uloc.cpp in International Components for     Unicode (ICU) for C/C++ did not ensure that there is a     '\0' character at the end of a certain temporary array,     which allowed remote attackers to cause a denial of     service (out-of-bounds read) or possibly have     unspecified other impact via a call with a long     httpAcceptLanguage argument (bsc#990636).

  - CVE-2017-7868: International Components for Unicode     (ICU) for C/C++ 2017-02-13 has an out-of-bounds write     caused by a heap-based buffer overflow related to the     utf8TextAccess function in common/utext.cpp and the     utext_moveIndex32* function (bsc#1034674)

  - CVE-2017-7867: International Components for Unicode     (ICU) for C/C++ 2017-02-13 has an out-of-bounds write     caused by a heap-based buffer overflow related to the     utf8TextAccess function in common/utext.cpp and the     utext_setNativeIndex* function (bsc#1034678)

  - CVE-2017-14952: Double free in i18n/zonemeta.cpp in     International Components for Unicode (ICU) for C/C++     allowed remote attackers to execute arbitrary code via a     crafted string, aka a 'redundant UVector entry clean up     function call' issue (bnc#1067203)

  - CVE-2017-17484: The ucnv_UTF8FromUTF8 function in     ucnv_u8.cpp in International Components for Unicode     (ICU) for C/C++ mishandled ucnv_convertEx calls for     UTF-8 to UTF-8 conversion, which allowed remote     attackers to cause a denial of service (stack-based     buffer overflow and application crash) or possibly have     unspecified other impact via a crafted string, as     demonstrated by ZNC (bnc#1072193)

  - CVE-2017-15422: An integer overflow in icu during     persian calendar date processing could lead to incorrect     years shown (bnc#1077999)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ICU incorrectly handled certain memory operations when processing data. If an application using ICU processed crafted data, a remote attacker could possibly cause it to crash or potentially execute arbitrary code with the privileges of the user invoking the program.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201701-58 (ICU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ICU. Please review the       CVE identifiers referenced below for details.
  Impact :

    Remote attackers could cause a Denial of Service condition or possibly       have other unspecified impacts via a long locale string or       httpAcceptLanguage argument.  Additionally, A remote attacker, via a       specially crafted file, could cause an application using ICU to parse       untrusted font files resulting in a Denial of Service condition.
      Finally, remote attackers could affect confidentiality via unknown       vectors related to 2D.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities were discovered in the International Components for Unicode (ICU) library.

  - CVE-2014-9911     Michele Spagnuolo discovered a buffer overflow     vulnerability which might allow remote attackers to     cause a denial of service or possibly execute arbitrary     code via crafted text.

  - CVE-2015-2632     An integer overflow vulnerability might lead into a     denial of service or disclosure of portion of     application memory if an attacker has control on the     input file.

  - CVE-2015-4844     Buffer overflow vulnerabilities might allow an attacker     with control on the font file to perform a denial of     service or, possibly, execute arbitrary code.

  - CVE-2016-0494     Integer signedness issues were introduced as part of the     CVE-2015-4844 fix.

  - CVE-2016-6293     A buffer overflow might allow an attacker to perform a     denial of service or disclosure of portion of     application memory.

  - CVE-2016-7415     A stack-based buffer overflow might allow an attacker     with control on the locale string to perform a denial of     service and, possibly, execute arbitrary code.

Security fix for CVE-2016-6293

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes a buffer overflow in the uloc_acceptLanguageFromHTTP function in ICU, the International Components for Unicode C and C++ library, in Debian Wheezy

For Debian 7 'Wheezy', these problems have been fixed in version 4.8.1.1-12+deb7u5.

We recommend that you upgrade your icu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP 5.5.x prior to 5.5.38, or 5.6.x prior to 5.6.24, or 7.0.x prior to 7.0.9 are vulnerable to the following issues :

 - A NULL pointer dereference flaw within the '_gdScaleVert()' function inside of 'ext/gd/libgd/gd_interpolation.c' is triggered during the handling of '_gdContributionsCalc' return values. This may allow a remote attacker to cause a denial of service in a process linked against PHP.
 - A flaw related to missing protection against 'RFC 3875 section 4.1.18' namespace conflicts is triggered when handling requests containing 'Proxy' HTTP headers. These may be stored in the 'HTTP_PROXY' environment variable also commonly used to configure an outbound HTTP proxy for applications. With a specially crafted request, a remote attacker can specify an arbitrary HTTP proxy server to be used by applications relying on the HTTP_PROXY environment variable. (CVE-2016-5385)
 - An out-of-bounds read flaw within the 'gdImageScaleBilinearPalette()' function inside of 'gd_interpolation.c' is triggered when handling transparent colors. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
 - A flaw within the 'gdImageScaleTwoPass()' function inside of 'gd_interpolation.c' is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library. (CVE-2016-6207)
 - A use-after-free error within 'ext/snmp/snmp.c' is triggered during the unserialization of user-supplied input when handling garbage collection. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6295)
 - An out-of-bounds read flaw within the 'uloc_acceptLanguageFromHTTP()' function inside of 'common/uloc.cpp' may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6293, CVE-2016-6294)
 - A use-after-free error within 'ext/session/session.c' is triggered during the handling of 'var_hash destruction'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6290)
 - An out-of-bounds read flaw within the 'exif_process_IFD_in_MAKERNOTE()' function inside of 'ext/exif/exif.c' may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6291)
 - An overflow condition within the 'php_bz2iop_read()' function inside of 'ext/bz2/bz2.c' is triggered as error conditions are not properly handled. With a specially crafted request, a remote attacker can cause a buffer overflow and potentially execute arbitrary code. (CVE-2016-5399)
 - An overflow condition within the 'mdecrypt_generic()' function inside of 'ext/mcrypt/mcrypt.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code.
 - A NULL pointer dereference flaw within the 'exif_process_user_comment()' function inside of 'ext/exif/exif.c' may allow a remote attacker to crash a program using the language. (CVE-2016-6292)
 - A flaw within the 'curl_unescape()' function inside of 'ext/curl/interface.c' is triggered during the handling of string lengths. This may allow a remote attacker to trigger heap corruption and crash a program using the language.
 - An overflow condition within the 'mcrypt_generic()' function inside of 'ext/mcrypt/mcrypt.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - An integer overflow condition within the 'php_stream_zip_opener()' function inside of 'ext/zip/zip_stream.c' is triggered as user-supplied input is not properly validated when handling zip streams. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6297)
 - An integer overflow condition within the 'virtual_file_ex()' function inside of 'Zend/zend_virtual_cwd.c' is triggered as user-supplied input is not properly validated when handling variables. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6289)
 - An overflow condition within the 'simplestring_addn()' function inside of 'simplestring.c.' is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against the library or potentially allowing the execution of arbitrary code. (CVE-2016-6296)
 - A NULL write flaw within the 'gdImageColorTransparent()' function inside of 'gd.c' is triggered during the handling of negative transparent colors. This may allow a context-dependent attacker to disclose memory.
 - An overflow condition within the 'php_url_prase_ex()' function inside of 'ext/standard/url.c' is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a buffer overflow, potentially resulting in a denial of service in a process utilizing the language. (CVE-2016-6288)

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.9. It is, therefore, affected by multiple vulnerabilities :

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A flaw exists in the curl_unescape() function within     file ext/curl/interface.c when handling string lengths.
    An unauthenticated, remote attacker can exploit this to     cause heap corruption, resulting in a denial of service     condition.

  - A heap-based buffer overflow condition exists in the     mcrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.24. It is, therefore, affected by multiple vulnerabilities :

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.38. It is, therefore, affected by multiple vulnerabilities :

  - A Segfault condition occurs when accessing     nvarchar(max) defined columns. (CVE-2015-8879)

  - A man-in-the-middle vulnerability exists, known as     'httpoxy', due to a failure to properly resolve     namespace conflicts in accordance with RFC 3875 section     4.1.18. The HTTP_PROXY environment variable is set based     on untrusted user data in the 'Proxy' header of HTTP     requests. The HTTP_PROXY environment variable is used by     some web client libraries to specify a remote proxy     server. An unauthenticated, remote attacker can exploit     this, via a crafted 'Proxy' header in an HTTP request,     to redirect an application's internal HTTP traffic to an     arbitrary proxy server where it may be observed or     manipulated. (CVE-2016-5385)

  - An overflow condition exists in the php_bz2iop_read()     function within file ext/bz2/bz2.c due to improper     handling of error conditions. An unauthenticated, remote     attacker can exploit this, via a crafted request, to     execute arbitrary code. (CVE-2016-5399)

  - A flaw exists in the GD Graphics Library (libgd),     specifically in the gdImageScaleTwoPass() function     within file gd_interpolation.c, due to improper     validation of user-supplied input. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition. (CVE-2016-6207)

  - A buffer overflow condition exists in the     php_url_parse_ex() function. (CVE-2016-6288)

  - An integer overflow condition exists in the     virtual_file_ex() function within file     Zend/zend_virtual_cwd.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code. (CVE-2016-6289)

  - A use-after-free error exists within the file     ext/session/session.c when handling 'var_hash'     destruction. An unauthenticated, remote attacker can     exploit this to deference already freed memory,     resulting in the execution of arbitrary code.
    (CVE-2016-6290)

  - An out-of-bounds read error exists in the     exif_process_IFD_in_MAKERNOTE() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition or     disclose memory contents. (CVE-2016-6291)

  - A NULL pointer dereference flaw exists in the     exif_process_user_comment() function within file     ext/exif/exif.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-6292)

  - Multiple out-of-bounds read errors exist in the     locale_accept_from_http() function within file     ext/intl/locale/locale_methods.c. An unauthenticated,     remote attacker can exploit these to cause a denial of     service condition or disclose memory contents.
    (CVE-2016-6293, CVE-2016-6294)

  - A use-after-free error exists within file     ext/snmp/snmp.c when handling garbage collection during     deserialization of user-supplied input. An     unauthenticated, remote attacker can exploit this to     deference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-6295)

  - A heap-based buffer overflow condition exists in the     simplestring_addn() function within file simplestring.c     due to improper validation of user-supplied input. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6296)

  - An integer overflow condition exists in the     php_stream_zip_opener() function within file     ext/zip/zip_stream.c due to improper validation of     user-supplied input when handling zip streams. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2016-6297)

  - An out-of-bounds read error exists in the GD Graphics     Library (libgd), specifically in the     gdImageScaleBilinearPalette() function within file     gd_interpolation.c, when handling transparent color. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition or disclose     memory contents.

  - A heap-based buffer overflow condition exists in the     mdecrypt_generic() function within file     ext/mcrypt/mcrypt.c due to improper validation of     user-supplied input. An unauthenticated, remote attacker     can exploit this to cause a denial of service condition     or the execution of arbitrary code.

  - A NULL write flaw exists in the GD Graphics Library     (libgd) in the gdImageColorTransparent() function due to     improper handling of negative transparent colors. A     remote attacker can exploit this to disclose memory     contents.

  - An overflow condition exists in the php_url_prase_ex()     function due to improper validation of user-supplied     input. A remote attacker can exploit this to cause a     buffer overflow, resulting in a denial of service     condition.

ID	Name	Product	Family	Severity
98855	PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)	Web Application Scanning	Component Vulnerability	critical
98814	PHP 5.6.x < 5.6.24 Multiple Vulnerabilities (httpoxy)	Web Application Scanning	Component Vulnerability	high
118258	SUSE SLES12 Security Update : icu (SUSE-SU-2018:1401-2)	Nessus	SuSE Local Security Checks	high
110443	SUSE SLES11 Security Update : icu (SUSE-SU-2018:1602-1)	Nessus	SuSE Local Security Checks	high
110107	openSUSE Security Update : icu (openSUSE-2018-517)	Nessus	SuSE Local Security Checks	high
110093	SUSE SLED12 / SLES12 Security Update : icu (SUSE-SU-2018:1401-1)	Nessus	SuSE Local Security Checks	high
97720	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : icu vulnerabilities (USN-3227-1)	Nessus	Ubuntu Local Security Checks	critical
96744	GLSA-201701-58 : ICU: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
95361	Debian DSA-3725-1 : icu - security update	Nessus	Debian Local Security Checks	critical
95007	Fedora 25 : icu (2016-81613d042d)	Nessus	Fedora Local Security Checks	high
94618	Fedora 24 : icu (2016-a2b9adcd5c)	Nessus	Fedora Local Security Checks	high
93386	Debian DLA-615-1 : icu security update	Nessus	Debian Local Security Checks	high
9460	PHP 5.5.x < 5.5.38 / 5.6.x < 5.6.24 / 7.0.x < 7.0.9 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
92556	PHP 7.0.x < 7.0.9 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	critical
92555	PHP 5.6.x < 5.6.24 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high
92554	PHP 5.5.x < 5.5.38 Multiple Vulnerabilities (httpoxy)	Nessus	CGI abuses	high

CVE-2016-6293

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins