[oss-security] 20161101 Re: CVE assignment for PHP 5.6.27 and 7.0.12

95268

https://bugs.php.net/bug.php?id=73147

This update for php7 fixes the following security issues :

  - CVE-2016-7480: The SplObjectStorage unserialize     implementation in ext/spl/spl_observer.c in PHP did not     verify that a key is an object, which allowed remote     attackers to execute arbitrary code or cause a denial of     service (uninitialized memory access) via crafted     serialized data. (bsc#1019568)

  - CVE-2017-5340: Zend/zend_hash.c in PHP mishandled     certain cases that require large array allocations,     which allowed remote attackers to execute arbitrary code     or cause a denial of service (integer overflow,     uninitialized memory access, and use of arbitrary     destructor function pointers) via crafted serialized     data. (bsc#1019570)

  - CVE-2016-7479: In all versions of PHP 7, during the     unserialization process, resizing the 'properties' hash     table of a serialized object may have lead to     use-after-free. A remote attacker may exploit this bug     to gain arbitrary code execution. (bsc#1019547)

  - CVE-2016-7478: Zend/zend_exceptions.c in PHP allowed     remote attackers to cause a denial of service (infinite     loop) via a crafted Exception object in serialized data,     a related issue to CVE-2015-8876. (bsc#1019550)

  - CVE-2016-10159: Integer overflow in the     phar_parse_pharfile function in ext/phar/phar.c in PHP     allowed remote attackers to cause a denial of service     (memory consumption or application crash) via a     truncated manifest entry in a PHAR archive.
    (bsc#1022255)

  - CVE-2016-10160: Off-by-one error in the     phar_parse_pharfile function in ext/phar/phar.c in PHP     allowed remote attackers to cause a denial of service     (memory corruption) or possibly execute arbitrary code     via a crafted PHAR archive with an alias mismatch.
    (bsc#1022257)

  - CVE-2016-10161: The object_common1 function in     ext/standard/var_unserializer.c in PHP allowed remote     attackers to cause a denial of service (buffer over-read     and application crash) via crafted serialized data that     is mishandled in a finish_nested_data call.
    (bsc#1022260)

  - CVE-2016-10162: The php_wddx_pop_element function in     ext/wddx/wddx.c in PHP 7 allowed remote attackers to     cause a denial of service (NULL pointer dereference and     application crash) via an inapplicable class name in a     wddxPacket XML document, leading to mishandling in a     wddx_deserialize call. (bsc#1022262)

  - CVE-2016-10166: A potential unsigned underflow in gd     interpolation functions could lead to memory corruption     in the PHP gd module (bsc#1022263)

  - CVE-2016-10167: A denial of service problem in     gdImageCreateFromGd2Ctx() could lead to php out of     memory even on small files. (bsc#1022264)

  - CVE-2016-10168: A signed integer overflow in the gd     module could lead to memory corruption (bsc#1022265)

  - CVE-2016-9138: PHP mishandled property modification     during __wakeup processing, which allows remote     attackers to cause a denial of service or possibly have     unspecified other impact via crafted serialized data, as     demonstrated by Exception::__toString with     DateInterval::__wakeup. (bsc#1008026)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following security issues :

  - CVE-2016-7480: The SplObjectStorage unserialize     implementation in ext/spl/spl_observer.c in PHP did not     verify that a key is an object, which allowed remote     attackers to execute arbitrary code or cause a denial of     service (uninitialized memory access) via crafted     serialized data. (bsc#1019568)

  - CVE-2017-5340: Zend/zend_hash.c in PHP mishandled     certain cases that require large array allocations,     which allowed remote attackers to execute arbitrary code     or cause a denial of service (integer overflow,     uninitialized memory access, and use of arbitrary     destructor function pointers) via crafted serialized     data. (bsc#1019570)

  - CVE-2016-7479: In all versions of PHP 7, during the     unserialization process, resizing the 'properties' hash     table of a serialized object may have lead to     use-after-free. A remote attacker may exploit this bug     to gain arbitrary code execution. (bsc#1019547)

  - CVE-2016-7478: Zend/zend_exceptions.c in PHP allowed     remote attackers to cause a denial of service (infinite     loop) via a crafted Exception object in serialized data,     a related issue to CVE-2015-8876. (bsc#1019550)

  - CVE-2016-10159: Integer overflow in the     phar_parse_pharfile function in ext/phar/phar.c in PHP     allowed remote attackers to cause a denial of service     (memory consumption or application crash) via a     truncated manifest entry in a PHAR archive.
    (bsc#1022255)

  - CVE-2016-10160: Off-by-one error in the     phar_parse_pharfile function in ext/phar/phar.c in PHP     allowed remote attackers to cause a denial of service     (memory corruption) or possibly execute arbitrary code     via a crafted PHAR archive with an alias mismatch.
    (bsc#1022257)

  - CVE-2016-10161: The object_common1 function in     ext/standard/var_unserializer.c in PHP allowed remote     attackers to cause a denial of service (buffer over-read     and application crash) via crafted serialized data that     is mishandled in a finish_nested_data call.
    (bsc#1022260)

  - CVE-2016-10162: The php_wddx_pop_element function in     ext/wddx/wddx.c in PHP 7 allowed remote attackers to     cause a denial of service (NULL pointer dereference and     application crash) via an inapplicable class name in a     wddxPacket XML document, leading to mishandling in a     wddx_deserialize call. (bsc#1022262)

  - CVE-2016-10166: A potential unsigned underflow in gd     interpolation functions could lead to memory corruption     in the PHP gd module (bsc#1022263)

  - CVE-2016-10167: A denial of service problem in     gdImageCreateFromGd2Ctx() could lead to php out of     memory even on small files. (bsc#1022264)

  - CVE-2016-10168: A signed integer overflow in the gd     module could lead to memory corruption (bsc#1022265)

  - CVE-2016-9138: PHP mishandled property modification     during __wakeup processing, which allows remote     attackers to cause a denial of service or possibly have     unspecified other impact via crafted serialized data, as     demonstrated by Exception::__toString with     DateInterval::__wakeup. (bsc#1008026)

This update was imported from the SUSE:SLE-12:Update update project.

Versions of PHP prior to 7.1.0 are vulnerable to the following issues :

 - A flaw exists that is due to 'parse_url' returning the incorrect host. This may allow a remote attacker to have an impact that may include bypassing authentication, or conducting open redirection and server-side request forgery attacks, depending on how the function is implemented.
 - An overflow condition exists in the 'dynamicGetbuf()' function in 'gd_io_dp.c'. The issue is triggered as certain input is not properly validated. With a specially crafted string, a remote attacker can cause a stack-based buffer overflow, resulting in a denial of service in a process utilizing the language or potentially allowing the execution of arbitrary code.
 - A use-after-free error exists in the 'unserialize()' function related to uses of '__wakeup' which modify properties. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling unserialized object properties. With a specially crafted request, a remote attacker can dereference already freed memory and potentially execute arbitrary code. 

Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development.

The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.28, which includes additional bug fixes. Please refer to the upstream changelog for more information :

  https://secure.php.net/ChangeLog-5.php#5.6.28

ID	Name	Product	Family	Severity
119993	SUSE SLES12 Security Update : php7 (SUSE-SU-2017:0534-1)	Nessus	SuSE Local Security Checks	high
97563	openSUSE Security Update : php7 (openSUSE-2017-304)	Nessus	SuSE Local Security Checks	high
9843	PHP < 7.1.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	critical
95776	Debian DSA-3732-1 : php5 - security update	Nessus	Debian Local Security Checks	high

CVE-2016-9138

HIGH

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

critical

high