openSUSE-SU-2017:0061

[oss-security] 20161212 CVE assignment for PHP 5.6.28, 5.6.29, 7.0.13, 7.0.14 and 7.1.0

http://www.php.net/ChangeLog-7.php

94849

RHSA-2018:1296

https://bugs.php.net/bug.php?id=72978

https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.0. It is, therefore, affected by the following vulnerabilities:

  - A stack consumption condition exists in the     gdImageFillToBorder function of the gd.c script within     the GD Graphics Library (libgd). An unauthenticated,     remote attacker can exploit this issue, via a crafted     call to imagefilltoborder using a negative color value,     to cause the application to stop responding.
    (CVE-2016-9933)

  - A denial of service (DoS) vulnerability exists in the     ext/wddx/wddx.c script. An unauthenticated, remote     attacker can exploit this issue, via crafted serialized     data in a wddxPacket XML document, to cause the     application to stop responding. (CVE-2016-9934)

  - A deserialization vulnerability exists in the     ext/standard/var.c script. An unauthenticated, remote     attacker can exploit this, via crafted serialized data,     to the application to stop responding or execute     arbitrary code on the target host. (CVE-2016-9936)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.14. It is, therefore, affected by a remote code execution vulnerability due to a memory corruption issue in the php_wddx_push_element() function in ext/wddx/wddx.c that occurs when decoding empty boolean elements. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for php7 fixes the following issues :

  - CVE-2016-9933 Possible stack overflow on truecolor     images handling [bsc#1015187]

  - CVE-2016-9934 Dereference from NULL pointer could lead     to crash [bsc#1015188]

  - CVE-2016-9935 Invalid read could lead to crash     [bsc#1015189]

  - CVE-2016-9936 Use After free in the function serialize()     could lead to crash [bsc#1015191]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3211-1 fixed vulnerabilities in PHP by updating to the new 7.0.15 upstream release. PHP 7.0.15 introduced a regression when using MySQL with large blobs. This update fixes the problem with a backported fix.

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-9935)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-9936)

It was discovered that PHP incorrectly handled certain EXIF data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash or consume resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10161)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10162)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2017-5340).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9936)

It was discovered that PHP incorrectly handled certain EXIF data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives.
A remote attacker could use this issue to cause PHP to crash or consume resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives.
A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10161)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10162)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-5340).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. (CVE-2016-7480)

Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. (CVE-2016-9137)

Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value. (CVE-2016-9933)

ext/wddx/wddx.c in PHP 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. (CVE-2016-9934)

The php_wddx_push_element function in ext/wddx/wddx.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. (CVE-2016-9935)

The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. This vulnerability exists because of an incomplete fix for CVE-2015-6834 . (CVE-2016-9936)

This update for php7 fixes the following issues :

  - CVE-2016-9933 Possible stack overflow on truecolor     images handling [bsc#1015187]

  - CVE-2016-9934 Dereference from NULL pointer could lead     to crash [bsc#1015188]

  - CVE-2016-9935 Invalid read could lead to crash     [bsc#1015189]

  - CVE-2016-9936 Use After free in the function serialize()     could lead to crash [bsc#1015191]

This update was imported from the SUSE:SLE-12:Update update project.

The PHP project reports :

- Use After Free Vulnerability in unserialize() (CVE-2016-9936)

- Invalid read when wddx decodes empty boolean element (CVE-2016-9935)

Versions of PHP 7.0.x prior to 7.0.14 are vulnerable to a use-after-free error in the 'unserialize()' function in 'ext/standard/var.c'. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.14. It is, therefore, affected by the following vulnerabilities:

  -  A remote code execution vulnerability due to a memory      corruption issue in the php_wddx_push_element()      function in ext/wddx/wddx.c that occurs when decoding      empty boolean elements. An unauthenticated, remote      attacker can exploit this to cause a denial of service      condition or the execution of arbitrary code.
     (CVE-2016-9935)

  - A deserialization vulnerability exists in the     ext/standard/var.c script. An unauthenticated, remote     attacker can exploit this, via crafted serialized data,     to the application to stop responding or execute     arbitrary code on the target host. (CVE-2016-9936)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
122540	PHP 7.1.x < 7.1.0 Multiple Vulnerabilities.	Nessus	CGI abuses	critical
98838	PHP 7.0.x < 7.0.14 php_wddx_push_element() Function Empty Boolean Element Decoding RCE	Web Application Scanning	Component Vulnerability	critical
119989	SUSE SLES12 Security Update : php7 (SUSE-SU-2017:0017-1)	Nessus	SuSE Local Security Checks	critical
97521	Ubuntu 16.04 LTS / 16.10 : php7.0 regression (USN-3211-2)	Nessus	Ubuntu Local Security Checks	critical
97384	Ubuntu 16.04 LTS / 16.10 : php7.0 vulnerabilities (USN-3211-1)	Nessus	Ubuntu Local Security Checks	critical
96806	Amazon Linux AMI : php70 (ALAS-2017-788)	Nessus	Amazon Linux Local Security Checks	critical
96380	openSUSE Security Update : php7 (openSUSE-2017-61)	Nessus	SuSE Local Security Checks	critical
96221	FreeBSD : PHP -- multiple vulnerabilities (6972668d-cdb7-11e6-a9a5-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	critical
9842	PHP 7.0.x < 7.0.14 RCE	Nessus Network Monitor	Web Servers	high
95875	PHP 7.0.x < 7.0.14 Multiple Vulnerabilities	Nessus	CGI abuses	critical

CVE-2016-9936

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

high

critical