[oss-security] 20160902 Re: CVE assignment for PHP 5.6.25 and 7.0.10 - and libcurl

RHSA-2016:2750

http://www.php.net/ChangeLog-5.php

http://www.php.net/ChangeLog-7.php

92564

1036680

https://bugs.php.net/bug.php?id=72627

https://github.com/php/php-src/commit/6dbb1ee46b5f4725cc6519abf91e512a2a10dfed?w=1

GLSA-201611-22

https://www.tenable.com/security/tns-2016-19

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities :

 - An overflow condition exists in the curl_escape() function in interface.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.

 - An integer overflow condition exists in the zend_mm_realloc_heap() function in zend_alloc.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary
code.

 Note that this software is reportedly affected by other vulnerabilities as well that have not been fixed yet in version 7.0.13.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.25. It is, therefore, affected by multiple vulnerabilities :

 - An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserializaiton. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - An integer overflow condition exists in the php_snmp_parse_oid() function in snmp.c. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code.

 - An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code.

 - An overflow condition exists in the sql_regcase() function in ereg.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An integer overflow condition exists in the php_base64_encode() function in base64.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An integer overflow condition exists in the php_quot_print_encode() function in quot_print.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow condition, resulting in the execution of arbitrary code.

 - A use-after-free error exists in the unserialize() function in var.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code.

 - A flaw exists in the php_ftp_fopen_connect() function in ftp_fopen_wrapper.c that allows a man-in-the-middle attacker to silently downgrade to regular FTP even if a secure method has been requested.

 - A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content. An unauthenticated, remote attacker can exploit this to disclose memory contents.

 - An integer overflow condition exists in the php_url_encode() function in url.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An integer overflow condition exists in the php_uuencode() function in uuencode.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An integer overflow condition exists in the bzdecompress() function in bz2.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code.

 - An integer overflow condition exists in the curl_escape() function in interface.c that occurs when handling overly long escaped strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions.

 Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

This update for php7 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2016-4473: Invalid free() instead of efree() in     phar_extract_file()

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7133: memory allocator fails to realloc small     block to large one

  - CVE-2016-7134: Heap overflow in the function curl_escape

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7413: Use after free in wddx_deserialize

  - CVE-2016-7412: Heap overflow in mysqlnd when not     receiving UNSIGNED_FLAG in BIT field

  - CVE-2016-7417: Missing type check when unserializing     SplArray

  - CVE-2016-7416: Stack based buffer overflow in     msgfmt_format_message

  - CVE-2016-7418: NULL pointer dereference in     php_wddx_push_element

  - CVE-2016-7414: Out of bounds heap read when verifying     signature of zip phar in phar_parse_zipfile

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of PHP :

  - An unspecified flaw exists in the object_common2()     function in var_unserializer.c that occurs when handling     objects during deserialization. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs     when handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()     function in gd_topal.c that is triggered when handling     the number of colors. An unauthenticated, remote     attacker can exploit to cause a heap-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()     function in gd.c that occurs when handling negative     gamma values. An unauthenticated, remote attacker can     exploit this to write a NULL to an arbitrary memory     location, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function     in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in     wddx.c that occurs when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c that is     triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the     php_wddx_deserialize_ex() function in wddx.c that occurs     during the handling of invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in     the php_wddx_pop_element() function in wddx.c. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. CVE-2016-7132)

  - An integer overflow condition exists in the     php_snmp_parse_oid() function in snmp.c. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code.

  - An overflow condition exists in the sql_regcase()     function in ereg.c due to improper handling of overly     long strings. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in the     execution of arbitrary code.

  - An integer overflow condition exists in the     php_base64_encode() function in base64.c that occurs     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code.

  - An integer overflow condition exists in the     php_quot_print_encode() function in quot_print.c that     occurs when handling overly long strings. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow condition, resulting     in the execution of arbitrary code.

  - A use-after-free error exists in the unserialize()     function in var.c. An unauthenticated, remote attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.

  - A flaw exists in the php_ftp_fopen_connect() function in     ftp_fopen_wrapper.c that allows a man-in-the-middle     attacker to silently downgrade to regular FTP even if a     secure method has been requested.

  - An integer overflow condition exists in the     php_url_encode() function in url.c that occurs when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to corrupt memory, resulting     in the execution of arbitrary code.

  - An integer overflow condition exists in the     php_uuencode() function in uuencode.c. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in the     bzdecompress() function in bz2.c. An unauthenticated,     remote attacker can exploit this to corrupt memory,     resulting in the execution of arbitrary code.

  - An integer overflow condition exists in the     curl_escape() function in interface.c that occurs when     handling overly long escaped strings. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.4.1. It is, therefore, affected by multiple vulnerabilities :

  - A denial of service vulnerability exists in x509_vfy.c     due to improper handling of certificate revocation lists     (CRLs). An unauthenticated, remote attacker can exploit     this, via a specially crafted CRL, to cause a NULL     pointer dereference, resulting in a crash of the     service. (CVE-2016-7052)

  - A cross-site scripting (XSS) vulnerability exists within     the JQuery UI dialog() function due to improper     validation of input to the 'closeText' parameter before     returning it to users. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to execute arbitrary script code in a user's     browser session. (CVE-2016-7103)

  - A denial of service vulnerability exists in PHP within     file ext/standard/var_unserializer.c due to improper     handling of certain invalid objects. An unauthenticated,     remote attacker can exploit this, via specially crafted     serialized data that leads to a __destruct() or magic()     function call, to cause a denial of service condition or     potentially execute arbitrary code. (CVE-2016-7124)

  - A flaw exists in PHP in file ext/session/session.c when     handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation error exists in PHP in the     select_colors() function in file ext/gd/libgd/gd_topal.c     when handling the number of colors. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2016-7126)

  - An array-indexing error exists in PHP in the     imagegammacorrect() function within file ext/gd/gd.c     when handling negative gamma values. An unauthenticated,     remote attacker can exploit this, by writing a NULL to     an arbitrary memory location, to cause a crash or the     execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in PHP in the exif_process_IFD_in_TIFF()     function within file ext/exif/exif.c when handling TIFF     image content. An unauthenticated, remote attacker can     exploit this to disclose memory contents.
    (CVE-2016-7128)

  - A denial of service vulnerability exists in PHP in the     php_wddx_process_data() function within file     ext/wddx/wddx.c when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a crash. (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in PHP in the     php_wddx_pop_element() function within file     ext/wddx/wddx.c when handling Base64 binary values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in PHP in the     php_wddx_deserialize_ex() function within file     ext/wddx/wddx.c when handling invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - A NULL pointer dereference flaw exists in PHP in the     php_wddx_pop_element() function within file     ext/wddx/wddx.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-7132)

  - A buffer overflow condition exists in PHP in file     ext/mysqlnd/mysqlnd_wireprotocol.c within the     php_mysqlnd_rowp_read_text_protocol_aux() function when     handling the BIT field. An unauthenticated, remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a crash or the execution of     arbitrary code. (CVE-2016-7412)

  - A use-after-free error exists in PHP in the     wddx_stack_destroy() function within file     ext/wddx/wddx.c when deserializing recordset elements.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-7413)

  - An out-of-bounds access error exists in PHP in the     phar_parse_zipfile() function within file ext/phar/zip.c     when handling the uncompressed file size. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact. (CVE-2016-7414)

  - Multiple stack-based buffer overflow conditions exist in     the International Components for Unicode for C/C++     (ICU4C) component in the msgfmt_format_message()     function within file common/locid.cpp when handling     locale strings. An unauthenticated, remote attacker can     exploit these, via a long locale string, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2016-7415, CVE-2016-7416)

  - A flaw exists in PHP within file ext/spl/spl_array.c,     specifically in the spl_array_get_dimension_ptr_ptr()     function during the deserialization of SplArray, due to     improper validation of types. An unauthenticated, remote     attacker can exploit this to cause a crash or other     unspecified impact. (CVE-2016-7417)

  - An out-of-bounds read error exists in PHP in the     php_wddx_push_element() function within file     ext/wddx/wddx.c. An unauthenticated, remote attacker     can exploit this to cause a crash or the disclosure     of memory contents. (CVE-2016-7418)

  - A use-after-free error exists in PHP within the     unserialize() function in file ext/curl/curl_file.c. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2016-9137)

  - An integer overflow condition exists in PHP in the     php_snmp_parse_oid() function in file ext/snmp/snmp.c.
    An unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     sql_regcase() function within file ext/ereg/ereg.c when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to corrupt memory, resulting     in the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     php_base64_encode() function within file     ext/standard/base64.c when handling overly long     strings. An unauthenticated, remote attacker can exploit     this to corrupt memory, resulting in the execution of     arbitrary code.

  - An integer overflow condition exists in PHP in the     php_quot_print_encode() function within file     ext/standard/quot_print.c when handling overly long     strings. An unauthenticated, remote attacker can     exploit this to cause a heap-based buffer overflow,     resulting in the execution of arbitrary code.

  - A use-after-free error exists in PHP in the     unserialize() function within file ext/standard/var.c.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code.

  - A flaw exists in PHP in the php_ftp_fopen_connect()     function within file ext/standard/ftp_fopen_wrapper.c     due to silently downgrading to regular FTP even if a     secure method has been requested. A man-in-the-middle     (MitM) attacker can exploit this to downgrade the FTP     communication.

  - An integer overflow condition exists in PHP in the     php_url_encode() function within file ext/standard/url.c     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to corrupt memory,     resulting in the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     php_uuencode() function in file ext/standard/uuencode.c.
    An unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in PHP in the     bzdecompress() function within file ext/bz2/bz2.c. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in PHP in the     curl_escape() function within file ext/curl/interface.c     when handling overly long escaped strings. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An out-of-bounds access error exists in PHP in file     ext/phar/tar.c, specifically in the phar_parse_tarfile()     function during the verification of signatures. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact.

  - A flaw exists in PHP when destroying deserialized     objects due to improper validation of certain     unspecified input. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in a     denial of service condition or the execution of     arbitrary code.

  - An integer overflow condition exists in PHP within the     fgetcsv() function due to improper validation of CSV     field lengths. An unauthenticated, remote attacker can     exploit this to corrupt memory, resulting in a denial of     service condition or the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     wordwrap() function within file ext/standard/string.c     due to improper validation of certain unspecified input.
    An unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     fgets() function within file ext/standard/file.c due to     improper validation of certain unspecified input. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     xml_utf8_encode() function within file ext/xml/xml.c due     to improper validation of certain unspecified input. An     unauthenticated, remote attacker can exploit this to     cause an unspecified impact.

  - A flaw exists in PHP in the exif_process_IFD_in_TIFF()     function within file ext/exif/exif.c when handling     uninitialized thumbnail data. An unauthenticated, remote     attacker can exploit this to disclose memory contents.

  - A flaw exists in PHP due to the parse_url() function     returning the incorrect host. An unauthenticated, remote     attacker can exploit this to bypass authentication or to     conduct open redirection and server-side request forgery     attacks, depending on how the function is implemented.

  - A NULL pointer dereference flaw exists in PHP in the     SimpleXMLElement::asXML() function within file     ext/simplexml/simplexml.c. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition.

  - An heap buffer overflow condition exists in PHP in the     php_ereg_replace() function within file ext/ereg/ereg.c     due to improper validation of certain unspecified input.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code.

  - A flaw exists in PHP in file ext/openssl/openssl.c     within the openssl_random_pseudo_bytes() function when     handling strings larger than 2GB. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition.

  - A flaw exists in PHP in the openssl_encrypt() function     within file ext/openssl/openssl.c when handling strings     larger than 2GB. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.

  - An integer overflow condition exists in PHP in the     imap_8bit() function within file ext/imap/php_imap.c due     to improper validation of certain unspecified input. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - A flaw exists in PHP in the _bc_new_num_ex() function     within file ext/bcmath/libbcmath/src/init.c when     handling values passed via the 'scale' parameter. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - A flaw exists in PHP in the php_resolve_path() function     within file main/fopen_wrappers.c when handling negative     size values passed via the 'filename' parameter. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - A flaw exists in PHP in the dom_document_save_html()     function within file ext/dom/document.c due to missing     NULL checks. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.

  - An integer overflow condition exists in PHP in the     mb_encode_*() function in file ext/mbstring/mbstring.c     due to improper validation of the length of encoded     data. An unauthenticated, remote attacker can exploit     this to corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in PHP in the     CachingIterator() function within file     ext/spl/spl_iterators.c when handling string conversion.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - An integer overflow condition exists in PHP in the     number_format() function within file ext/standard/math.c     when handling 'decimals' and 'dec_point' parameters with     values equal or close to 0x7FFFFFFF. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in a denial of service     condition or the execution of arbitrary code.

  - A overflow condition exists in PHP within file     ext/intl/resourcebundle/resourcebundle_class.c,     specifically in functions ResourceBundle::create() and     ResourceBundle::getLocales(), due to improper validation     of input passed via the 'bundlename' parameter. An     unauthenticated, remote attacker can exploit this to     cause a stack-based buffer overflow, resulting in a     denial of service condition or the execution of     arbitrary code.

  - An integer overflow condition exists in PHP in the     php_pcre_replace_impl() function within file     ext/pcre/php_pcre.c due to improper validation of     certain unspecified input. An unauthenticated, remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the
    _php_imap_mail() function in file ext/imap/php_imap.c     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in a denial of service     condition or the execution of arbitrary code.

  - A flaw exists in PHP in the bzcompress() function when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition.

  - An integer overflow condition exists in PHP in the     gdImageAALine() function within file ext/gd/libgd/gd.c     due to improper validation of line limit values.
    An unauthenticated, remote attacker can exploit this to     cause an out-of-bounds write or read, resulting in a     denial of service condition, the disclosure of memory     contents, or the execution of arbitrary code.

  - Multiple stored cross-site scripting (XSS)     vulnerabilities exist in unspecified scripts due to     improper validation of input before returning it to     users. An unauthenticated, remote attacker can exploit     these, via a specially crafted request, to execute     arbitrary script code in a user's browser session.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

CVE-2016-5385 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an 'httpoxy' issue.

CVE-2016-7124 ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.

CVE-2016-7128 The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.

CVE-2016-7129 The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document.

CVE-2016-7130 The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document.

CVE-2016-7131 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character.

CVE-2016-7132 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing.

CVE-2016-7411 ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.

CVE-2016-7412 ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.

CVE-2016-7413 Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.

CVE-2016-7414 The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.

CVE-2016-7416 ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.

CVE-2016-7417 ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.

CVE-2016-7418 The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.

For Debian 7 'Wheezy', these problems have been fixed in version 5.4.45-0+deb7u6.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.26, which includes additional bug fixes. Please refer to the upstream changelog for more information :

  - https://php.net/ChangeLog-5.php#5.6.25
  - https://php.net/ChangeLog-5.php#5.6.26

This update for php53 fixes the following security issues :

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allows illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7411: php5: Memory corruption when destructing     deserialized object

  - CVE-2016-7412: Heap overflow in mysqlnd when not     receiving UNSIGNED_FLAG in BIT field

  - CVE-2016-7413: Use after free in wddx_deserialize

  - CVE-2016-7414: Out of bounds heap read when verifying     signature of zip phar in phar_parse_zipfile

  - CVE-2016-7416: Stack based buffer overflow in     msgfmt_format_message

  - CVE-2016-7417: Missing type check when unserializing     SplArray

  - CVE-2016-7418: NULL pointer dereference in     php_wddx_push_element

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Taoguang Chen discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7124)

Taoguang Chen discovered that PHP incorrectly handled invalid session names. A remote attacker could use this issue to inject arbitrary session data. (CVE-2016-7125)

It was discovered that PHP incorrectly handled certain gamma values in the imagegammacorrect function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7127)

It was discovered that PHP incorrectly handled certain crafted TIFF image thumbnails. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. (CVE-2016-7128)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7413)

It was discovered that PHP incorrectly handled certain memory operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7133)

It was discovered that PHP incorrectly handled long strings in curl_escape calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7134)

Taoguang Chen discovered that PHP incorrectly handled certain failures when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7411)

It was discovered that PHP incorrectly handled certain flags in the MySQL driver. Malicious remote MySQL servers could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7412)

It was discovered that PHP incorrectly handled ZIP file signature verification when processing a PHAR archive. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7414)

It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7416)

It was discovered that PHP incorrectly handled SplArray unserializing.
A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-7417)

Ke Liu discovered that PHP incorrectly handled unserializing wddxPacket XML documents with incorrect boolean elements. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7418).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

This update was imported from the SUSE:SLE-12:Update update project.

Versions of PHP 5.6.x prior to 5.6.25 and 7.0.x prior to 7.0.10 are vulnerable to the following issues :

 - An uninitialized memory use flaw exists in the 'openssl_seal()' method. This may allow a remote attacker to potentially execute arbitrary code.
 - A use-after-free error exists in 'SPL_METHOD(SplObjectStorage)' in 'ext/spl/spl_observer.c'. The issue is triggered when handling unserialize calls. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists related to certificate validation in the 'ftp_ssl_connect()' function. The issue is due to the server hostname not being verified to match a domain name in the 'Subject's Common Name' (CN) or 'SubjectAltName' field of the X.509 certificate. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
 - An overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
 - A flaw exists in the 'object_common2()' function in 'ext/standard/var_unserializer.c' that is triggered when handling objects during unserialization. This may allow a remote attacker to potentially execute arbitrary code.
 - An integer overflow condition exists in the 'php_snmp_parse_oid()' function in 'ext/snmp/snmp.c'. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - An integer truncation flaw exists in the 'select_colors()' function in 'ext/gd/libgd/gd_topal.c' that is triggered when handling the number of colors. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'sql_regcase()' function in 'ext/ereg/ereg.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c' that is triggered during the handling of Base64 binary values. This may allow a remote attacker to cause a denial of service.
 - A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c'. This may allow a remote attacker to cause a denial of service.
 - An integer overflow condition exists in the 'php_base64_encode()' function in 'ext/standard/base64.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A NULL pointer dereference flaw exists in the 'php_wddx_deserialize_ex()' function in 'ext/wddx/wddx.c' that is triggered during the handling of invalid XML content. This may allow a remote attacker to cause a denial of service.
 - An integer overflow condition exists in the 'php_quot_print_encode()' function in 'ext/standard/quot_print.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists in the 'unserialize()' function in 'ext/standard/var.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'php_ftp_fopen_connect()' function in 'ext/standard/ftp_fopen_wrapper.c' as it may silently downgrade to regular FTP even if a secure method has been requested. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the FTP communication.
 - A flaw exists in the 'php_wddx_process_data()' function in 'ext/wddx/wddx.c' that is triggered when deserializing invalid dateTime values. This may allow a remote attacker to cause a crash.
 - A flaw exists in the 'exif_process_IFD_in_TIFF()' function in 'ext/exif/exif.c' that is triggered when handling TIFF image content. This may allow a remote attacker to disclose memory contents.
 - An integer overflow condition exists in the 'php_url_encode()' function in 'ext/standard/url.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'php_uuencode()' function in 'ext/standard/uuencode.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'bzdecompress()' function in 'ext/bz2/bz2.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'zend_mm_realloc_heap()' function in 'Zend/zend_alloc.c' that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - An array indexing flaw exists in the 'imagegammacorrect()' function in 'ext/gd/gd.c' that is triggered when handling negative gamma values. This may allow a remote attacker to write a NULL to an arbitrary memory location, causing a crash or potentially allowing the execution of arbitrary code.
 - An integer overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long escaped strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'ext/session/session.c' that is triggered when handling session names. This may allow a remote attacker to inject arbitrary data into sessions.

This update for php5 fixes the following security issues :

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

This update for php53 fixes the following security issues :

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allows illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New php packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the object_common2()     function in var_unserializer.c that occurs when handling     objects during deserialization. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs     when handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()     function in gd_topal.c that is triggered when handling     the number of colors. An unauthenticated, remote     attacker can exploit to cause a heap-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()     function in gd.c that occurs when handling negative     gamma values. An unauthenticated, remote attacker can     exploit this to write a NULL to an arbitrary memory     location, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function     in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in     wddx.c that occurs when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c that is     triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the     php_wddx_deserialize_ex() function in wddx.c that occurs     during the handling of invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in     the php_wddx_pop_element() function in wddx.c. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7132)

   - An integer overflow condition exists in the      zend_mm_realloc_heap() function in zend_alloc.c due to      improper validation of user-supplied input. An      unauthenticated, remote attacker can exploit this to      cause a buffer overflow, resulting in a denial of      service condition or the execution of arbitrary code.
     (CVE-2016-7133)

  - An overflow condition exists in the curl_escape()     function in interface.c due to improper handling of     overly long strings. An unauthenticated, remote attacker     can exploit this to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2016-7134)

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.25. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the object_common2()     function in var_unserializer.c that occurs when handling     objects during deserialization. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs     when handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()     function in gd_topal.c that is triggered when handling     the number of colors. An unauthenticated, remote     attacker can exploit to cause a heap-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()     function in gd.c that occurs when handling negative     gamma values. An unauthenticated, remote attacker can     exploit this to write a NULL to an arbitrary memory     location, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function     in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in     wddx.c that occurs when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c that is     triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the     php_wddx_deserialize_ex() function in wddx.c that occurs     during the handling of invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in     the php_wddx_pop_element() function in wddx.c. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. CVE-2016-7132)

  - An integer overflow condition exists in the     php_snmp_parse_oid() function in snmp.c. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code.

  - An overflow condition exists in the sql_regcase()     function in ereg.c due to improper handling of overly     long strings. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in the     execution of arbitrary code.

  - An integer overflow condition exists in the     php_base64_encode() function in base64.c that occurs     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code.

  - An integer overflow condition exists in the     php_quot_print_encode() function in quot_print.c that     occurs when handling overly long strings. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow condition, resulting     in the execution of arbitrary code.

  - A use-after-free error exists in the unserialize()     function in var.c. An unauthenticated, remote attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.

  - A flaw exists in the php_ftp_fopen_connect() function in     ftp_fopen_wrapper.c that allows a man-in-the-middle     attacker to silently downgrade to regular FTP even if a     secure method has been requested.

  - An integer overflow condition exists in the     php_url_encode() function in url.c that occurs when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to corrupt memory, resulting     in the execution of arbitrary code.

  - An integer overflow condition exists in the     php_uuencode() function in uuencode.c. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in the     bzdecompress() function in bz2.c. An unauthenticated,     remote attacker can exploit this to corrupt memory,     resulting in the execution of arbitrary code.

  - An integer overflow condition exists in the     curl_escape() function in interface.c that occurs when     handling overly long escaped strings. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98834	PHP 7.0.x < 7.0.10 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98815	PHP 5.6.x < 5.6.25 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
119981	SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2460-1)	Nessus	SuSE Local Security Checks	high
119979	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:2408-1)	Nessus	SuSE Local Security Checks	high
101047	Tenable SecurityCenter PHP < 5.6.25 Multiple Vulnerabilities (TNS-2016-09)	Nessus	Misc.	high
96832	Tenable SecurityCenter < 5.4.1 Multiple Vulnerabilities (TNS-2016-19)	Nessus	Misc.	high
96010	Debian DLA-749-1 : php5 security update (httpoxy)	Nessus	Debian Local Security Checks	high
95421	GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy)	Nessus	Gentoo Local Security Checks	high
93914	Debian DSA-3689-1 : php5 - security update	Nessus	Debian Local Security Checks	high
93894	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2459-1)	Nessus	SuSE Local Security Checks	high
93864	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3095-1)	Nessus	Ubuntu Local Security Checks	high
93856	openSUSE Security Update : php5 (openSUSE-2016-1156)	Nessus	SuSE Local Security Checks	high
9551	PHP 5.6.x < 5.6.25 / 7.0.x < 7.0.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
93597	openSUSE Security Update : php5 (openSUSE-2016-1095)	Nessus	SuSE Local Security Checks	high
93589	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2328-1)	Nessus	SuSE Local Security Checks	high
93384	Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-252-01)	Nessus	Slackware Local Security Checks	high
93078	PHP 7.0.x < 7.0.10 Multiple Vulnerabilities	Nessus	CGI abuses	high
93077	PHP 5.6.x < 5.6.25 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2016-7128

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins