[oss-security] 20160902 Re: CVE assignment for PHP 5.6.25 and 7.0.10 - and libcurl

RHSA-2016:2750

http://www.php.net/ChangeLog-5.php

http://www.php.net/ChangeLog-7.php

92564

1036680

https://bugs.php.net/bug.php?id=72627

https://github.com/php/php-src/commit/6dbb1ee46b5f4725cc6519abf91e512a2a10dfed?w=1

GLSA-201611-22

https://www.tenable.com/security/tns-2016-19

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The get_icu_disp_value_src_php function in     ext/intl/locale/locale_methods.c in PHP before 5.3.29,     5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not     properly restrict calls to the ICU uresbund.cpp     component, which allows remote attackers to cause a     denial of service (buffer overflow) or possibly have     unspecified other impact via a locale_get_display_name     call with a long first argument.(CVE-2014-9912)

  - Use-after-free vulnerability in the spl_ptr_heap_insert     function in ext/spl/spl_heap.c in PHP before 5.5.27 and     5.6.x before 5.6.11 allows remote attackers to execute     arbitrary code by triggering a failed     SplMinHeap::compare operation.(CVE-2015-4116)

  - A flaw was found in the way the way PHP's Phar     extension parsed Phar archives. A specially crafted     archive could cause PHP to crash or, possibly, execute     arbitrary code when opened.(CVE-2015-7803)

  - A flaw was found in the way the way PHP's Phar     extension parsed Phar archives. A specially crafted     archive could cause PHP to crash or, possibly, execute     arbitrary code when opened.(CVE-2015-7804)

  - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x     before 5.6.6, when PHP-FPM is used, does not isolate     each thread from libxml_disable_entity_loader changes     in other threads, which allows remote attackers to     conduct XML External Entity (XXE) and XML Entity     Expansion (XEE) attacks via a crafted XML document, a     related issue to CVE-2015-5161.(CVE-2015-8866)

  - Stack consumption vulnerability in GD in PHP before     5.6.12 allows remote attackers to cause a denial of     service via a crafted imagefilltoborder     call.(CVE-2015-8874)

  - It was found that the exif_convert_any_to_int()     function in PHP was vulnerable to floating point     exceptions when parsing tags in image files. A remote     attacker with the ability to upload a malicious image     could crash PHP, causing a Denial of     Service.(CVE-2016-10158)

  - Integer overflow in the phar_parse_pharfile function in     ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before     7.0.15 allows remote attackers to cause a denial of     service (memory consumption or application crash) via a     truncated manifest entry in a PHAR     archive.(CVE-2016-10159)

  - The php_url_parse_ex function in ext/standard/url.c in     PHP before 5.5.38 allows remote attackers to cause a     denial of service (buffer over-read) or possibly have     unspecified other impact via vectors involving the     smart_str data type.(CVE-2016-6288)

  - The exif_process_IFD_in_MAKERNOTE function in     ext/exif/exif.c in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9 allows remote attackers to     cause a denial of service (out-of-bounds array access     and memory corruption), obtain sensitive information     from process memory, or possibly have unspecified other     impact via a crafted JPEG image.(CVE-2016-6291)

  - The exif_process_user_comment function in     ext/exif/exif.c in PHP before 5.5.38, 5.6.x before     5.6.24, and 7.x before 7.0.9 allows remote attackers to     cause a denial of service (NULL pointer dereference and     application crash) via a crafted JPEG     image.(CVE-2016-6292)

  - The locale_accept_from_http function in     ext/intl/locale/locale_methods.c in PHP before 5.5.38,     5.6.x before 5.6.24, and 7.x before 7.0.9 does not     properly restrict calls to the ICU     uloc_acceptLanguageFromHTTP function, which allows     remote attackers to cause a denial of service     (out-of-bounds read) or possibly have unspecified other     impact via a call with a long argument.(CVE-2016-6294)

  - ext/session/session.c in PHP before 5.6.25 and 7.x     before 7.0.10 skips invalid session names in a way that     triggers incorrect parsing, which allows remote     attackers to inject arbitrary-type session data by     leveraging control of a session name, as demonstrated     by object injection.(CVE-2016-7125)

  - The exif_process_IFD_in_TIFF function in     ext/exif/exif.c in PHP before 5.6.25 and 7.x before     7.0.10 mishandles the case of a thumbnail offset that     exceeds the file size, which allows remote attackers to     obtain sensitive information from process memory via a     crafted TIFF image.(CVE-2016-7128)

  - The php_wddx_push_element function in ext/wddx/wddx.c     in PHP before 5.6.26 and 7.x before 7.0.11 allows     remote attackers to cause a denial of service (invalid     pointer access and out-of-bounds read) or possibly have     unspecified other impact via an incorrect boolean     element in a wddxPacket XML document, leading to     mishandling in a wddx_deserialize call.(CVE-2016-7418)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x     before 7.1.7, a stack-based buffer overflow in the     zend_ini_do_op() function in Zend/zend_ini_parser.c     could cause a denial of service or potentially allow     executing code. NOTE: this is only relevant for PHP     applications that accept untrusted input (instead of     the system's php.ini file) for the parse_ini_string or     parse_ini_file function, e.g., a web application for     syntax validation of php.ini     directives.(CVE-2017-11628)

  - An issue was discovered in PHP before 5.6.35, 7.0.x     before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before     7.2.4. Dumpable FPM child processes allow bypassing     opcache access controls because fpm_unix.c makes a     PR_SET_DUMPABLE prctl call, allowing one user (in a     multiuser environment) to obtain sensitive information     from the process memory of a second user's PHP     applications by running gcore on the PID of the PHP-FPM     worker process.(CVE-2018-10545)

  - An issue was discovered in ext/phar/phar_object.c in     PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before     7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS     on the PHAR 403 and 404 error pages via request data of     a request for a .phar file.(CVE-2018-10547)

  - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP     before 5.6.37, 7.0.x before 7.0.31, 7.1.x before     7.1.20, and 7.2.x before 7.2.8 allows remote attackers     to cause a denial of service (out-of-bounds read and     application crash) via a crafted JPEG     file.(CVE-2018-14851)

  - A cross-site scripting (XSS) vulnerability in Apache2     component of PHP was found. When using     'Transfer-Encoding: chunked', the request allows remote     attackers to potentially run a malicious script in a     victim's browser. This vulnerability can be exploited     only by producing malformed requests and it's believed     it's unlikely to be used in practical cross-site     scripting attack.(CVE-2018-17082)

  - gd_gif_in.c in the GD Graphics Library (aka libgd), as     used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x     before 7.1.13, and 7.2.x before 7.2.1, has an integer     signedness error that leads to an infinite loop via a     crafted GIF file, as demonstrated by a call to the     imagecreatefromgif or imagecreatefromstring PHP     function. This is related to GetCode_ and     gdImageCreateFromGifCtx.(CVE-2018-5711)

  - An issue was discovered in PHP before 5.6.33, 7.0.x     before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before     7.2.1. There is Reflected XSS on the PHAR 404 error     page via the URI of a request for a .phar     file.(CVE-2018-5712)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities :

 - An overflow condition exists in the curl_escape() function in interface.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.

 - An integer overflow condition exists in the zend_mm_realloc_heap() function in zend_alloc.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary
code.

 Note that this software is reportedly affected by other vulnerabilities as well that have not been fixed yet in version 7.0.13.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.25. It is, therefore, affected by multiple vulnerabilities :

 - An unspecified flaw exists in the object_common2() function in var_unserializer.c that occurs when handling objects during deserializaiton. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - An integer overflow condition exists in the php_snmp_parse_oid() function in snmp.c. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code.

 - An integer truncation flaw exists in the select_colors() function in gd_topal.c that is triggered when handling the number of colors. An unauthenticated, remote attacker can exploit to cause a heap-based buffer overflow, resulting in the execution of arbitrary code.

 - An overflow condition exists in the sql_regcase() function in ereg.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - A NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c that is triggered during the handling of Base64 binary values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An unspecified NULL pointer dereference flaw exists in the php_wddx_pop_element() function in wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An integer overflow condition exists in the php_base64_encode() function in base64.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to execute arbitrary code.

 - A NULL pointer dereference flaw exists in the php_wddx_deserialize_ex() function in wddx.c that occurs during the handling of invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - An integer overflow condition exists in the php_quot_print_encode() function in quot_print.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow condition, resulting in the execution of arbitrary code.

 - A use-after-free error exists in the unserialize() function in var.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code.

 - A flaw exists in the php_ftp_fopen_connect() function in ftp_fopen_wrapper.c that allows a man-in-the-middle attacker to silently downgrade to regular FTP even if a secure method has been requested.

 - A flaw exists in the php_wddx_process_data() function in wddx.c that occurs when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.

 - A flaw exists in the exif_process_IFD_in_TIFF() function in exif.c that occurs when handling TIFF image content. An unauthenticated, remote attacker can exploit this to disclose memory contents.

 - An integer overflow condition exists in the php_url_encode() function in url.c that occurs when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An integer overflow condition exists in the php_uuencode() function in uuencode.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An integer overflow condition exists in the bzdecompress() function in bz2.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An indexing flaw exists in the imagegammacorrect() function in gd.c that occurs when handling negative gamma values. An unauthenticated, remote attacker can exploit this to write a NULL to an arbitrary memory location, resulting in a denial of service condition or the execution of arbitrary code.

 - An integer overflow condition exists in the curl_escape() function in interface.c that occurs when handling overly long escaped strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code.

 - An unspecified flaw exists in session.c that occurs when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions.

 Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

This update for php7 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2016-4473: Invalid free() instead of efree() in     phar_extract_file()

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7133: memory allocator fails to realloc small     block to large one

  - CVE-2016-7134: Heap overflow in the function curl_escape

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7413: Use after free in wddx_deserialize

  - CVE-2016-7412: Heap overflow in mysqlnd when not     receiving UNSIGNED_FLAG in BIT field

  - CVE-2016-7417: Missing type check when unserializing     SplArray

  - CVE-2016-7416: Stack based buffer overflow in     msgfmt_format_message

  - CVE-2016-7418: NULL pointer dereference in     php_wddx_push_element

  - CVE-2016-7414: Out of bounds heap read when verifying     signature of zip phar in phar_parse_zipfile

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of PHP :

  - An unspecified flaw exists in the object_common2()     function in var_unserializer.c that occurs when handling     objects during deserialization. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs     when handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()     function in gd_topal.c that is triggered when handling     the number of colors. An unauthenticated, remote     attacker can exploit to cause a heap-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()     function in gd.c that occurs when handling negative     gamma values. An unauthenticated, remote attacker can     exploit this to write a NULL to an arbitrary memory     location, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function     in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in     wddx.c that occurs when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c that is     triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the     php_wddx_deserialize_ex() function in wddx.c that occurs     during the handling of invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in     the php_wddx_pop_element() function in wddx.c. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. CVE-2016-7132)

  - An integer overflow condition exists in the     php_snmp_parse_oid() function in snmp.c. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code.

  - An overflow condition exists in the sql_regcase()     function in ereg.c due to improper handling of overly     long strings. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in the     execution of arbitrary code.

  - An integer overflow condition exists in the     php_base64_encode() function in base64.c that occurs     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code.

  - An integer overflow condition exists in the     php_quot_print_encode() function in quot_print.c that     occurs when handling overly long strings. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow condition, resulting     in the execution of arbitrary code.

  - A use-after-free error exists in the unserialize()     function in var.c. An unauthenticated, remote attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.

  - A flaw exists in the php_ftp_fopen_connect() function in     ftp_fopen_wrapper.c that allows a man-in-the-middle     attacker to silently downgrade to regular FTP even if a     secure method has been requested.

  - An integer overflow condition exists in the     php_url_encode() function in url.c that occurs when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to corrupt memory, resulting     in the execution of arbitrary code.

  - An integer overflow condition exists in the     php_uuencode() function in uuencode.c. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in the     bzdecompress() function in bz2.c. An unauthenticated,     remote attacker can exploit this to corrupt memory,     resulting in the execution of arbitrary code.

  - An integer overflow condition exists in the     curl_escape() function in interface.c that occurs when     handling overly long escaped strings. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.4.1. It is, therefore, affected by multiple vulnerabilities :

  - A denial of service vulnerability exists in x509_vfy.c     due to improper handling of certificate revocation lists     (CRLs). An unauthenticated, remote attacker can exploit     this, via a specially crafted CRL, to cause a NULL     pointer dereference, resulting in a crash of the     service. (CVE-2016-7052)

  - A cross-site scripting (XSS) vulnerability exists within     the JQuery UI dialog() function due to improper     validation of input to the 'closeText' parameter before     returning it to users. An unauthenticated, remote     attacker can exploit this, via a specially crafted     request, to execute arbitrary script code in a user's     browser session. (CVE-2016-7103)

  - A denial of service vulnerability exists in PHP within     file ext/standard/var_unserializer.c due to improper     handling of certain invalid objects. An unauthenticated,     remote attacker can exploit this, via specially crafted     serialized data that leads to a __destruct() or magic()     function call, to cause a denial of service condition or     potentially execute arbitrary code. (CVE-2016-7124)

  - A flaw exists in PHP in file ext/session/session.c when     handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation error exists in PHP in the     select_colors() function in file ext/gd/libgd/gd_topal.c     when handling the number of colors. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in the execution of arbitrary     code. (CVE-2016-7126)

  - An array-indexing error exists in PHP in the     imagegammacorrect() function within file ext/gd/gd.c     when handling negative gamma values. An unauthenticated,     remote attacker can exploit this, by writing a NULL to     an arbitrary memory location, to cause a crash or the     execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in PHP in the exif_process_IFD_in_TIFF()     function within file ext/exif/exif.c when handling TIFF     image content. An unauthenticated, remote attacker can     exploit this to disclose memory contents.
    (CVE-2016-7128)

  - A denial of service vulnerability exists in PHP in the     php_wddx_process_data() function within file     ext/wddx/wddx.c when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a crash. (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in PHP in the     php_wddx_pop_element() function within file     ext/wddx/wddx.c when handling Base64 binary values. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in PHP in the     php_wddx_deserialize_ex() function within file     ext/wddx/wddx.c when handling invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - A NULL pointer dereference flaw exists in PHP in the     php_wddx_pop_element() function within file     ext/wddx/wddx.c. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-7132)

  - A buffer overflow condition exists in PHP in file     ext/mysqlnd/mysqlnd_wireprotocol.c within the     php_mysqlnd_rowp_read_text_protocol_aux() function when     handling the BIT field. An unauthenticated, remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a crash or the execution of     arbitrary code. (CVE-2016-7412)

  - A use-after-free error exists in PHP in the     wddx_stack_destroy() function within file     ext/wddx/wddx.c when deserializing recordset elements.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code. (CVE-2016-7413)

  - An out-of-bounds access error exists in PHP in the     phar_parse_zipfile() function within file ext/phar/zip.c     when handling the uncompressed file size. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact. (CVE-2016-7414)

  - Multiple stack-based buffer overflow conditions exist in     the International Components for Unicode for C/C++     (ICU4C) component in the msgfmt_format_message()     function within file common/locid.cpp when handling     locale strings. An unauthenticated, remote attacker can     exploit these, via a long locale string, to cause a     denial of service condition or the execution of     arbitrary code. (CVE-2016-7415, CVE-2016-7416)

  - A flaw exists in PHP within file ext/spl/spl_array.c,     specifically in the spl_array_get_dimension_ptr_ptr()     function during the deserialization of SplArray, due to     improper validation of types. An unauthenticated, remote     attacker can exploit this to cause a crash or other     unspecified impact. (CVE-2016-7417)

  - An out-of-bounds read error exists in PHP in the     php_wddx_push_element() function within file     ext/wddx/wddx.c. An unauthenticated, remote attacker     can exploit this to cause a crash or the disclosure     of memory contents. (CVE-2016-7418)

  - A use-after-free error exists in PHP within the     unserialize() function in file ext/curl/curl_file.c. An     unauthenticated, remote attacker can exploit this to     execute arbitrary code. (CVE-2016-9137)

  - An integer overflow condition exists in PHP in the     php_snmp_parse_oid() function in file ext/snmp/snmp.c.
    An unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     sql_regcase() function within file ext/ereg/ereg.c when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to corrupt memory, resulting     in the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     php_base64_encode() function within file     ext/standard/base64.c when handling overly long     strings. An unauthenticated, remote attacker can exploit     this to corrupt memory, resulting in the execution of     arbitrary code.

  - An integer overflow condition exists in PHP in the     php_quot_print_encode() function within file     ext/standard/quot_print.c when handling overly long     strings. An unauthenticated, remote attacker can     exploit this to cause a heap-based buffer overflow,     resulting in the execution of arbitrary code.

  - A use-after-free error exists in PHP in the     unserialize() function within file ext/standard/var.c.
    An unauthenticated, remote attacker can exploit this to     dereference already freed memory, resulting in the     execution of arbitrary code.

  - A flaw exists in PHP in the php_ftp_fopen_connect()     function within file ext/standard/ftp_fopen_wrapper.c     due to silently downgrading to regular FTP even if a     secure method has been requested. A man-in-the-middle     (MitM) attacker can exploit this to downgrade the FTP     communication.

  - An integer overflow condition exists in PHP in the     php_url_encode() function within file ext/standard/url.c     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to corrupt memory,     resulting in the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     php_uuencode() function in file ext/standard/uuencode.c.
    An unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in PHP in the     bzdecompress() function within file ext/bz2/bz2.c. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in PHP in the     curl_escape() function within file ext/curl/interface.c     when handling overly long escaped strings. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An out-of-bounds access error exists in PHP in file     ext/phar/tar.c, specifically in the phar_parse_tarfile()     function during the verification of signatures. An     unauthenticated, remote attacker can exploit this to     have an unspecified impact.

  - A flaw exists in PHP when destroying deserialized     objects due to improper validation of certain     unspecified input. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in a     denial of service condition or the execution of     arbitrary code.

  - An integer overflow condition exists in PHP within the     fgetcsv() function due to improper validation of CSV     field lengths. An unauthenticated, remote attacker can     exploit this to corrupt memory, resulting in a denial of     service condition or the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     wordwrap() function within file ext/standard/string.c     due to improper validation of certain unspecified input.
    An unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     fgets() function within file ext/standard/file.c due to     improper validation of certain unspecified input. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the     xml_utf8_encode() function within file ext/xml/xml.c due     to improper validation of certain unspecified input. An     unauthenticated, remote attacker can exploit this to     cause an unspecified impact.

  - A flaw exists in PHP in the exif_process_IFD_in_TIFF()     function within file ext/exif/exif.c when handling     uninitialized thumbnail data. An unauthenticated, remote     attacker can exploit this to disclose memory contents.

  - A flaw exists in PHP due to the parse_url() function     returning the incorrect host. An unauthenticated, remote     attacker can exploit this to bypass authentication or to     conduct open redirection and server-side request forgery     attacks, depending on how the function is implemented.

  - A NULL pointer dereference flaw exists in PHP in the     SimpleXMLElement::asXML() function within file     ext/simplexml/simplexml.c. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition.

  - An heap buffer overflow condition exists in PHP in the     php_ereg_replace() function within file ext/ereg/ereg.c     due to improper validation of certain unspecified input.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code.

  - A flaw exists in PHP in file ext/openssl/openssl.c     within the openssl_random_pseudo_bytes() function when     handling strings larger than 2GB. An unauthenticated,     remote attacker can exploit this to cause a denial of     service condition.

  - A flaw exists in PHP in the openssl_encrypt() function     within file ext/openssl/openssl.c when handling strings     larger than 2GB. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.

  - An integer overflow condition exists in PHP in the     imap_8bit() function within file ext/imap/php_imap.c due     to improper validation of certain unspecified input. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - A flaw exists in PHP in the _bc_new_num_ex() function     within file ext/bcmath/libbcmath/src/init.c when     handling values passed via the 'scale' parameter. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - A flaw exists in PHP in the php_resolve_path() function     within file main/fopen_wrappers.c when handling negative     size values passed via the 'filename' parameter. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - A flaw exists in PHP in the dom_document_save_html()     function within file ext/dom/document.c due to missing     NULL checks. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.

  - An integer overflow condition exists in PHP in the     mb_encode_*() function in file ext/mbstring/mbstring.c     due to improper validation of the length of encoded     data. An unauthenticated, remote attacker can exploit     this to corrupt memory, resulting in a denial of service     condition or the execution of arbitrary code.

  - A NULL pointer dereference flaw exists in PHP in the     CachingIterator() function within file     ext/spl/spl_iterators.c when handling string conversion.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition.

  - An integer overflow condition exists in PHP in the     number_format() function within file ext/standard/math.c     when handling 'decimals' and 'dec_point' parameters with     values equal or close to 0x7FFFFFFF. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in a denial of service     condition or the execution of arbitrary code.

  - A overflow condition exists in PHP within file     ext/intl/resourcebundle/resourcebundle_class.c,     specifically in functions ResourceBundle::create() and     ResourceBundle::getLocales(), due to improper validation     of input passed via the 'bundlename' parameter. An     unauthenticated, remote attacker can exploit this to     cause a stack-based buffer overflow, resulting in a     denial of service condition or the execution of     arbitrary code.

  - An integer overflow condition exists in PHP in the     php_pcre_replace_impl() function within file     ext/pcre/php_pcre.c due to improper validation of     certain unspecified input. An unauthenticated, remote     attacker can exploit this to cause a heap-based buffer     overflow, resulting in a denial of service condition or     the execution of arbitrary code.

  - An integer overflow condition exists in PHP in the
    _php_imap_mail() function in file ext/imap/php_imap.c     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to cause a heap-based     buffer overflow, resulting in a denial of service     condition or the execution of arbitrary code.

  - A flaw exists in PHP in the bzcompress() function when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition.

  - An integer overflow condition exists in PHP in the     gdImageAALine() function within file ext/gd/libgd/gd.c     due to improper validation of line limit values.
    An unauthenticated, remote attacker can exploit this to     cause an out-of-bounds write or read, resulting in a     denial of service condition, the disclosure of memory     contents, or the execution of arbitrary code.

  - Multiple stored cross-site scripting (XSS)     vulnerabilities exist in unspecified scripts due to     improper validation of input before returning it to     users. An unauthenticated, remote attacker can exploit     these, via a specially crafted request, to execute     arbitrary script code in a user's browser session.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

CVE-2016-5385 PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an 'httpoxy' issue.

CVE-2016-7124 ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.

CVE-2016-7128 The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.

CVE-2016-7129 The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document.

CVE-2016-7130 The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document.

CVE-2016-7131 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character.

CVE-2016-7132 ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing.

CVE-2016-7411 ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.

CVE-2016-7412 ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.

CVE-2016-7413 Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call.

CVE-2016-7414 The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.

CVE-2016-7416 ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument.

CVE-2016-7417 ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data.

CVE-2016-7418 The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call.

For Debian 7 'Wheezy', these problems have been fixed in version 5.4.45-0+deb7u6.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.26, which includes additional bug fixes. Please refer to the upstream changelog for more information :

  - https://php.net/ChangeLog-5.php#5.6.25
  - https://php.net/ChangeLog-5.php#5.6.26

This update for php53 fixes the following security issues :

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allows illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7411: php5: Memory corruption when destructing     deserialized object

  - CVE-2016-7412: Heap overflow in mysqlnd when not     receiving UNSIGNED_FLAG in BIT field

  - CVE-2016-7413: Use after free in wddx_deserialize

  - CVE-2016-7414: Out of bounds heap read when verifying     signature of zip phar in phar_parse_zipfile

  - CVE-2016-7416: Stack based buffer overflow in     msgfmt_format_message

  - CVE-2016-7417: Missing type check when unserializing     SplArray

  - CVE-2016-7418: NULL pointer dereference in     php_wddx_push_element

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Taoguang Chen discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7124)

Taoguang Chen discovered that PHP incorrectly handled invalid session names. A remote attacker could use this issue to inject arbitrary session data. (CVE-2016-7125)

It was discovered that PHP incorrectly handled certain gamma values in the imagegammacorrect function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7127)

It was discovered that PHP incorrectly handled certain crafted TIFF image thumbnails. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. (CVE-2016-7128)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7413)

It was discovered that PHP incorrectly handled certain memory operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7133)

It was discovered that PHP incorrectly handled long strings in curl_escape calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7134)

Taoguang Chen discovered that PHP incorrectly handled certain failures when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7411)

It was discovered that PHP incorrectly handled certain flags in the MySQL driver. Malicious remote MySQL servers could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7412)

It was discovered that PHP incorrectly handled ZIP file signature verification when processing a PHAR archive. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7414)

It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7416)

It was discovered that PHP incorrectly handled SplArray unserializing.
A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-7417)

Ke Liu discovered that PHP incorrectly handled unserializing wddxPacket XML documents with incorrect boolean elements. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7418).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

This update was imported from the SUSE:SLE-12:Update update project.

Versions of PHP 5.6.x prior to 5.6.25 and 7.0.x prior to 7.0.10 are vulnerable to the following issues :

 - An uninitialized memory use flaw exists in the 'openssl_seal()' method. This may allow a remote attacker to potentially execute arbitrary code.
 - A use-after-free error exists in 'SPL_METHOD(SplObjectStorage)' in 'ext/spl/spl_observer.c'. The issue is triggered when handling unserialize calls. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists related to certificate validation in the 'ftp_ssl_connect()' function. The issue is due to the server hostname not being verified to match a domain name in the 'Subject's Common Name' (CN) or 'SubjectAltName' field of the X.509 certificate. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
 - An overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
 - A flaw exists in the 'object_common2()' function in 'ext/standard/var_unserializer.c' that is triggered when handling objects during unserialization. This may allow a remote attacker to potentially execute arbitrary code.
 - An integer overflow condition exists in the 'php_snmp_parse_oid()' function in 'ext/snmp/snmp.c'. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - An integer truncation flaw exists in the 'select_colors()' function in 'ext/gd/libgd/gd_topal.c' that is triggered when handling the number of colors. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'sql_regcase()' function in 'ext/ereg/ereg.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c' that is triggered during the handling of Base64 binary values. This may allow a remote attacker to cause a denial of service.
 - A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c'. This may allow a remote attacker to cause a denial of service.
 - An integer overflow condition exists in the 'php_base64_encode()' function in 'ext/standard/base64.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A NULL pointer dereference flaw exists in the 'php_wddx_deserialize_ex()' function in 'ext/wddx/wddx.c' that is triggered during the handling of invalid XML content. This may allow a remote attacker to cause a denial of service.
 - An integer overflow condition exists in the 'php_quot_print_encode()' function in 'ext/standard/quot_print.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists in the 'unserialize()' function in 'ext/standard/var.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'php_ftp_fopen_connect()' function in 'ext/standard/ftp_fopen_wrapper.c' as it may silently downgrade to regular FTP even if a secure method has been requested. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the FTP communication.
 - A flaw exists in the 'php_wddx_process_data()' function in 'ext/wddx/wddx.c' that is triggered when deserializing invalid dateTime values. This may allow a remote attacker to cause a crash.
 - A flaw exists in the 'exif_process_IFD_in_TIFF()' function in 'ext/exif/exif.c' that is triggered when handling TIFF image content. This may allow a remote attacker to disclose memory contents.
 - An integer overflow condition exists in the 'php_url_encode()' function in 'ext/standard/url.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'php_uuencode()' function in 'ext/standard/uuencode.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'bzdecompress()' function in 'ext/bz2/bz2.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'zend_mm_realloc_heap()' function in 'Zend/zend_alloc.c' that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - An array indexing flaw exists in the 'imagegammacorrect()' function in 'ext/gd/gd.c' that is triggered when handling negative gamma values. This may allow a remote attacker to write a NULL to an arbitrary memory location, causing a crash or potentially allowing the execution of arbitrary code.
 - An integer overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long escaped strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'ext/session/session.c' that is triggered when handling session names. This may allow a remote attacker to inject arbitrary data into sessions.

This update for php5 fixes the following security issues :

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7134: Heap overflow in the function curl_escape

This update for php53 fixes the following security issues :

  - CVE-2014-3587: Integer overflow in the     cdf_read_property_info affecting SLES11 SP3 [bsc#987530]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6288: Buffer over-read in php_url_parse_ex     [bsc#991433]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allows illegal memory     access

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New php packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the object_common2()     function in var_unserializer.c that occurs when handling     objects during deserialization. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs     when handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()     function in gd_topal.c that is triggered when handling     the number of colors. An unauthenticated, remote     attacker can exploit to cause a heap-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()     function in gd.c that occurs when handling negative     gamma values. An unauthenticated, remote attacker can     exploit this to write a NULL to an arbitrary memory     location, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function     in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in     wddx.c that occurs when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c that is     triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the     php_wddx_deserialize_ex() function in wddx.c that occurs     during the handling of invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in     the php_wddx_pop_element() function in wddx.c. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7132)

   - An integer overflow condition exists in the      zend_mm_realloc_heap() function in zend_alloc.c due to      improper validation of user-supplied input. An      unauthenticated, remote attacker can exploit this to      cause a buffer overflow, resulting in a denial of      service condition or the execution of arbitrary code.
     (CVE-2016-7133)

  - An overflow condition exists in the curl_escape()     function in interface.c due to improper handling of     overly long strings. An unauthenticated, remote attacker     can exploit this to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2016-7134)

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.25. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the object_common2()     function in var_unserializer.c that occurs when handling     objects during deserialization. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs     when handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()     function in gd_topal.c that is triggered when handling     the number of colors. An unauthenticated, remote     attacker can exploit to cause a heap-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()     function in gd.c that occurs when handling negative     gamma values. An unauthenticated, remote attacker can     exploit this to write a NULL to an arbitrary memory     location, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function     in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in     wddx.c that occurs when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c that is     triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the     php_wddx_deserialize_ex() function in wddx.c that occurs     during the handling of invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in     the php_wddx_pop_element() function in wddx.c. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. CVE-2016-7132)

  - An integer overflow condition exists in the     php_snmp_parse_oid() function in snmp.c. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow, resulting in the     execution of arbitrary code.

  - An overflow condition exists in the sql_regcase()     function in ereg.c due to improper handling of overly     long strings. An unauthenticated, remote attacker     can exploit this to corrupt memory, resulting in the     execution of arbitrary code.

  - An integer overflow condition exists in the     php_base64_encode() function in base64.c that occurs     when handling overly long strings. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code.

  - An integer overflow condition exists in the     php_quot_print_encode() function in quot_print.c that     occurs when handling overly long strings. An     unauthenticated, remote attacker can exploit this to     cause a heap-based buffer overflow condition, resulting     in the execution of arbitrary code.

  - A use-after-free error exists in the unserialize()     function in var.c. An unauthenticated, remote attacker     can exploit this to dereference already freed memory,     resulting in the execution of arbitrary code.

  - A flaw exists in the php_ftp_fopen_connect() function in     ftp_fopen_wrapper.c that allows a man-in-the-middle     attacker to silently downgrade to regular FTP even if a     secure method has been requested.

  - An integer overflow condition exists in the     php_url_encode() function in url.c that occurs when     handling overly long strings. An unauthenticated, remote     attacker can exploit this to corrupt memory, resulting     in the execution of arbitrary code.

  - An integer overflow condition exists in the     php_uuencode() function in uuencode.c. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

  - An integer overflow condition exists in the     bzdecompress() function in bz2.c. An unauthenticated,     remote attacker can exploit this to corrupt memory,     resulting in the execution of arbitrary code.

  - An integer overflow condition exists in the     curl_escape() function in interface.c that occurs when     handling overly long escaped strings. An     unauthenticated, remote attacker can exploit this to     corrupt memory, resulting in the execution of arbitrary     code.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
129178	EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1984)	Nessus	Huawei Local Security Checks	high
98834	PHP 7.0.x < 7.0.10 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98815	PHP 5.6.x < 5.6.25 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
119981	SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2460-1)	Nessus	SuSE Local Security Checks	high
119979	SUSE SLES12 Security Update : php5 (SUSE-SU-2016:2408-1)	Nessus	SuSE Local Security Checks	high
101047	Tenable SecurityCenter PHP < 5.6.25 Multiple Vulnerabilities (TNS-2016-09)	Nessus	Misc.	high
96832	Tenable SecurityCenter < 5.4.1 Multiple Vulnerabilities (TNS-2016-19)	Nessus	Misc.	high
96010	Debian DLA-749-1 : php5 security update (httpoxy)	Nessus	Debian Local Security Checks	high
95421	GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy)	Nessus	Gentoo Local Security Checks	high
93914	Debian DSA-3689-1 : php5 - security update	Nessus	Debian Local Security Checks	high
93894	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2459-1)	Nessus	SuSE Local Security Checks	high
93864	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3095-1)	Nessus	Ubuntu Local Security Checks	high
93856	openSUSE Security Update : php5 (openSUSE-2016-1156)	Nessus	SuSE Local Security Checks	high
9551	PHP 5.6.x < 5.6.25 / 7.0.x < 7.0.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
93597	openSUSE Security Update : php5 (openSUSE-2016-1095)	Nessus	SuSE Local Security Checks	high
93589	SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2328-1)	Nessus	SuSE Local Security Checks	high
93384	Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-252-01)	Nessus	Slackware Local Security Checks	high
93078	PHP 7.0.x < 7.0.10 Multiple Vulnerabilities	Nessus	CGI abuses	high
93077	PHP 5.6.x < 5.6.25 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2016-7128

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins