[oss-security] 20160902 Re: CVE assignment for PHP 5.6.25 and 7.0.10 - and libcurl

http://www.php.net/ChangeLog-7.php

92765

https://bugs.php.net/bug.php?id=72742

https://github.com/php/php-src/commit/c2a13ced4272f2e65d2773e2ea6ca11c1ce4a911?w=1

GLSA-201611-22

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities :

 - An overflow condition exists in the curl_escape() function in interface.c due to improper handling of overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.

 - An integer overflow condition exists in the zend_mm_realloc_heap() function in zend_alloc.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition or the execution of arbitrary
code.

 Note that this software is reportedly affected by other vulnerabilities as well that have not been fixed yet in version 7.0.13.

This update for php7 fixes the following security issues :

  - CVE-2016-6128: Invalid color index not properly handled     [bsc#987580]

  - CVE-2016-6161: global out of bounds read when encoding     gif from malformed input withgd2togif [bsc#988032]

  - CVE-2016-6292: NULL pointer dereference in     exif_process_user_comment [bsc#991422]

  - CVE-2016-6295: Use after free in SNMP with GC and     unserialize() [bsc#991424]

  - CVE-2016-6297: Stack-based buffer overflow vulnerability     in php_stream_zip_opener [bsc#991426]

  - CVE-2016-6291: Out-of-bounds access in     exif_process_IFD_in_MAKERNOTE [bsc#991427]

  - CVE-2016-6289: Integer overflow leads to buffer overflow     in virtual_file_ex [bsc#991428]

  - CVE-2016-6290: Use after free in unserialize() with     Unexpected Session Deserialization [bsc#991429]

  - CVE-2016-5399: Improper error handling in bzread()     [bsc#991430]

  - CVE-2016-6296: Heap buffer overflow vulnerability in     simplestring_addn in simplestring.c [bsc#991437]

  - CVE-2016-6207: Integer overflow error within
    _gdContributionsAlloc() [bsc#991434]

  - CVE-2016-4473: Invalid free() instead of efree() in     phar_extract_file()

  - CVE-2016-7124: Create an Unexpected Object and Don't     Invoke __wakeup() in Deserialization

  - CVE-2016-7125: PHP Session Data Injection Vulnerability

  - CVE-2016-7126: select_colors write out-of-bounds

  - CVE-2016-7127: imagegammacorrect allowed arbitrary write     access

  - CVE-2016-7128: Memory Leakage In     exif_process_IFD_in_TIFF

  - CVE-2016-7129: wddx_deserialize allowed illegal memory     access

  - CVE-2016-7131: wddx_deserialize null dereference with     invalid xml

  - CVE-2016-7132: wddx_deserialize null dereference in     php_wddx_pop_element

  - CVE-2016-7133: memory allocator fails to realloc small     block to large one

  - CVE-2016-7134: Heap overflow in the function curl_escape

  - CVE-2016-7130: wddx_deserialize null dereference

  - CVE-2016-7413: Use after free in wddx_deserialize

  - CVE-2016-7412: Heap overflow in mysqlnd when not     receiving UNSIGNED_FLAG in BIT field

  - CVE-2016-7417: Missing type check when unserializing     SplArray

  - CVE-2016-7416: Stack based buffer overflow in     msgfmt_format_message

  - CVE-2016-7418: NULL pointer dereference in     php_wddx_push_element

  - CVE-2016-7414: Out of bounds heap read when verifying     signature of zip phar in phar_parse_zipfile

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201611-22 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker can possibly execute arbitrary code or create a Denial of       Service condition.
  Workaround :

    There is no known workaround at this time.

Taoguang Chen discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7124)

Taoguang Chen discovered that PHP incorrectly handled invalid session names. A remote attacker could use this issue to inject arbitrary session data. (CVE-2016-7125)

It was discovered that PHP incorrectly handled certain gamma values in the imagegammacorrect function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7127)

It was discovered that PHP incorrectly handled certain crafted TIFF image thumbnails. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. (CVE-2016-7128)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132, CVE-2016-7413)

It was discovered that PHP incorrectly handled certain memory operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-7133)

It was discovered that PHP incorrectly handled long strings in curl_escape calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-7134)

Taoguang Chen discovered that PHP incorrectly handled certain failures when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-7411)

It was discovered that PHP incorrectly handled certain flags in the MySQL driver. Malicious remote MySQL servers could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7412)

It was discovered that PHP incorrectly handled ZIP file signature verification when processing a PHAR archive. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7414)

It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7416)

It was discovered that PHP incorrectly handled SplArray unserializing.
A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-7417)

Ke Liu discovered that PHP incorrectly handled unserializing wddxPacket XML documents with incorrect boolean elements. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7418).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of PHP 5.6.x prior to 5.6.25 and 7.0.x prior to 7.0.10 are vulnerable to the following issues :

 - An uninitialized memory use flaw exists in the 'openssl_seal()' method. This may allow a remote attacker to potentially execute arbitrary code.
 - A use-after-free error exists in 'SPL_METHOD(SplObjectStorage)' in 'ext/spl/spl_observer.c'. The issue is triggered when handling unserialize calls. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists related to certificate validation in the 'ftp_ssl_connect()' function. The issue is due to the server hostname not being verified to match a domain name in the 'Subject's Common Name' (CN) or 'SubjectAltName' field of the X.509 certificate. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
 - An overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a crash or potentially allowing the execution of arbitrary code.
 - A flaw exists in the 'object_common2()' function in 'ext/standard/var_unserializer.c' that is triggered when handling objects during unserialization. This may allow a remote attacker to potentially execute arbitrary code.
 - An integer overflow condition exists in the 'php_snmp_parse_oid()' function in 'ext/snmp/snmp.c'. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - An integer truncation flaw exists in the 'select_colors()' function in 'ext/gd/libgd/gd_topal.c' that is triggered when handling the number of colors. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'sql_regcase()' function in 'ext/ereg/ereg.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c' that is triggered during the handling of Base64 binary values. This may allow a remote attacker to cause a denial of service.
 - A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c'. This may allow a remote attacker to cause a denial of service.
 - An integer overflow condition exists in the 'php_base64_encode()' function in 'ext/standard/base64.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A NULL pointer dereference flaw exists in the 'php_wddx_deserialize_ex()' function in 'ext/wddx/wddx.c' that is triggered during the handling of invalid XML content. This may allow a remote attacker to cause a denial of service.
 - An integer overflow condition exists in the 'php_quot_print_encode()' function in 'ext/standard/quot_print.c' that is triggered when handling overly long strings. This may allow a remote attacker to cause a heap-based buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists in the 'unserialize()' function in 'ext/standard/var.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'php_ftp_fopen_connect()' function in 'ext/standard/ftp_fopen_wrapper.c' as it may silently downgrade to regular FTP even if a secure method has been requested. This may allow a Man-in-the-Middle (MitM) attacker to downgrade the FTP communication.
 - A flaw exists in the 'php_wddx_process_data()' function in 'ext/wddx/wddx.c' that is triggered when deserializing invalid dateTime values. This may allow a remote attacker to cause a crash.
 - A flaw exists in the 'exif_process_IFD_in_TIFF()' function in 'ext/exif/exif.c' that is triggered when handling TIFF image content. This may allow a remote attacker to disclose memory contents.
 - An integer overflow condition exists in the 'php_url_encode()' function in 'ext/standard/url.c' that is triggered when handling overly long strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'php_uuencode()' function in 'ext/standard/uuencode.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'bzdecompress()' function in 'ext/bz2/bz2.c'. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - An integer overflow condition exists in the 'zend_mm_realloc_heap()' function in 'Zend/zend_alloc.c' that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
 - An array indexing flaw exists in the 'imagegammacorrect()' function in 'ext/gd/gd.c' that is triggered when handling negative gamma values. This may allow a remote attacker to write a NULL to an arbitrary memory location, causing a crash or potentially allowing the execution of arbitrary code.
 - An integer overflow condition exists in the 'curl_escape()' function in 'ext/curl/interface.c' that is triggered when handling overly long escaped strings. This may allow a remote attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'ext/session/session.c' that is triggered when handling session names. This may allow a remote attacker to inject arbitrary data into sessions.

New php packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.10. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified flaw exists in the object_common2()     function in var_unserializer.c that occurs when handling     objects during deserialization. An unauthenticated,     remote attacker can exploit this to execute arbitrary     code. (CVE-2016-7124)

  - An unspecified flaw exists in session.c that occurs     when handling session names. An unauthenticated, remote     attacker can exploit this to inject arbitrary data into     sessions. (CVE-2016-7125)

  - An integer truncation flaw exists in the select_colors()     function in gd_topal.c that is triggered when handling     the number of colors. An unauthenticated, remote     attacker can exploit to cause a heap-based buffer     overflow, resulting in the execution of arbitrary code.
    (CVE-2016-7126)

  - An indexing flaw exists in the imagegammacorrect()     function in gd.c that occurs when handling negative     gamma values. An unauthenticated, remote attacker can     exploit this to write a NULL to an arbitrary memory     location, resulting in a denial of service condition or     the execution of arbitrary code. (CVE-2016-7127)

  - A flaw exists in the exif_process_IFD_in_TIFF() function     in exif.c that occurs when handling TIFF image content.
    An unauthenticated, remote attacker can exploit this to     disclose memory contents. (CVE-2016-7128)

  - A flaw exists in the php_wddx_process_data() function in     wddx.c that occurs when deserializing invalid dateTime     values. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition.
    (CVE-2016-7129)

  - A NULL pointer dereference flaw exists in the     php_wddx_pop_element() function in wddx.c that is     triggered during the handling of Base64 binary values.
    An unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7130)

  - A NULL pointer dereference flaw exists in the     php_wddx_deserialize_ex() function in wddx.c that occurs     during the handling of invalid XML content. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7131)

  - An unspecified NULL pointer dereference flaw exists in     the php_wddx_pop_element() function in wddx.c. An     unauthenticated, remote attacker can exploit this to     cause a denial of service condition. (CVE-2016-7132)

   - An integer overflow condition exists in the      zend_mm_realloc_heap() function in zend_alloc.c due to      improper validation of user-supplied input. An      unauthenticated, remote attacker can exploit this to      cause a buffer overflow, resulting in a denial of      service condition or the execution of arbitrary code.
     (CVE-2016-7133)

  - An overflow condition exists in the curl_escape()     function in interface.c due to improper handling of     overly long strings. An unauthenticated, remote attacker     can exploit this to cause a heap-based buffer overflow,     resulting in a denial of service condition or the     execution of arbitrary code. (CVE-2016-7134)

ID	Name	Product	Family	Severity
98834	PHP 7.0.x < 7.0.10 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
119981	SUSE SLES12 Security Update : php7 (SUSE-SU-2016:2460-1)	Nessus	SuSE Local Security Checks	high
95421	GLSA-201611-22 : PHP: Multiple vulnerabilities (httpoxy)	Nessus	Gentoo Local Security Checks	high
93864	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3095-1)	Nessus	Ubuntu Local Security Checks	high
9551	PHP 5.6.x < 5.6.25 / 7.0.x < 7.0.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
93384	Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2016-252-01)	Nessus	Slackware Local Security Checks	high
93078	PHP 7.0.x < 7.0.10 Multiple Vulnerabilities	Nessus	CGI abuses	high

CVE-2016-7133

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins