97178

1038158

https://bugs.php.net/bug.php?id=74216

https://bugs.php.net/bug.php?id=75505

https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a

https://security.netapp.com/advisory/ntap-20180112-0001/

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170403-0_PHP_Misbehavior_of_fsockopen_function_v10.txt

According to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in HAProxy before 2.0.6. In legacy     mode, messages featuring a transfer-encoding header     missing the 'chunked' value were not being correctly     rejected. The impact was limited but if combined with     the 'http-reuse always' setting, it could be used to     help construct an HTTP request smuggling attack against     a vulnerable component employing a lenient parser that     would ignore the content-length header as soon as it     saw a transfer-encoding one (even if not entirely valid     according to the specification).(CVE-2017-16642)

  - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x     before 7.1.11, an error in the date extension's     timelib_meridian handling of 'front of' and 'back of'     directives could be used by attackers able to supply     date strings to leak information from the interpreter,     related to ext/date/lib/parse_date.c out-of-bounds     reads affecting the php_parse_date function. NOTE: this     is a different issue than     CVE-2017-11145.(CVE-2017-11145)

  - ext/standard/var_unserializer.re in PHP before 5.6.26     mishandles object-deserialization failures, which     allows remote attackers to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via an unserialize call that references a     partially constructed object.(CVE-2016-10397)

  - Double free vulnerability in the     zend_ts_hash_graceful_destroy function in     zend_ts_hash.c in the Zend Engine in PHP through 5.5.20     and 5.6.x through 5.6.4 allows remote attackers to     cause a denial of service or possibly have unspecified     other impact via unknown vectors.(CVE-2016-7412)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other     products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c.(CVE-2019-19246)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11047)

  - main/php_open_temporary_file.c in PHP before 5.5.28 and     5.6.x before 5.6.12 does not ensure thread safety,     which allows remote attackers to cause a denial of     service (race condition and heap memory corruption) by     leveraging an application that performs many     temporary-file accesses.(CVE-2017-7272)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11050)

  - An issue was discovered in Oniguruma 6.x before     6.9.4_rc2. In the function fetch_interval_quantifier     (formerly known as fetch_range_quantifier) in     regparse.c, PFETCH is called without checking PEND.
    This leads to a heap-based buffer     over-read.(CVE-2019-19204)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11050)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13     and 7.4.0, PHP bcmath extension functions on some     systems, including Windows, can be tricked into reading     beyond the allocated space by supplying it with string     containing characters that are identified as numeric by     the OS but aren't ASCII numbers. This can read to     disclosure of the content of some memory     locations.(CVE-2019-11046)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13     and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as     terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths     that the code is allowed to access.(CVE-2019-11045)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11047)

  - PHP through 7.1.11 enables potential SSRF in     applications that accept an fsockopen or pfsockopen     hostname argument with an expectation that the port     number is constrained. Because a :port syntax is     recognized, fsockopen will use the port number that is     specified in the hostname argument, instead of the port     number in the second argument of the     function.(CVE-2017-7272)

  - Oniguruma before 6.9.3 allows Stack Exhaustion in     regcomp.c because of recursion in     regparse.c.(CVE-2019-16163)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other     products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c.(CVE-2019-19246)

  - An issue was discovered in Oniguruma 6.x before     6.9.4_rc2. In the function fetch_interval_quantifier     (formerly known as fetch_range_quantifier) in     regparse.c, PFETCH is called without checking PEND.
    This leads to a heap-based buffer     over-read.(CVE-2019-19204)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An issue was discovered in Oniguruma 6.x before     6.9.4_rc2. In the function fetch_interval_quantifier     (formerly known as fetch_range_quantifier) in     regparse.c, PFETCH is called without checking PEND.
    This leads to a heap-based buffer     over-read.(CVE-2019-19204)

  - Oniguruma before 6.9.3 allows Stack Exhaustion in     regcomp.c because of recursion in     regparse.c.(CVE-2019-16163)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other     products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c.(CVE-2019-19246)

  - PHP through 7.1.11 enables potential SSRF in     applications that accept an fsockopen or pfsockopen     hostname argument with an expectation that the port     number is constrained. Because a :port syntax is     recognized, fsockopen will use the port number that is     specified in the hostname argument, instead of the port     number in the second argument of the     function.(CVE-2017-7272)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13     and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as     terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths     that the code is allowed to access.(CVE-2019-11045)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13     and 7.4.0, PHP bcmath extension functions on some     systems, including Windows, can be tricked into reading     beyond the allocated space by supplying it with string     containing characters that are identified as numeric by     the OS but aren't ASCII numbers. This can read to     disclosure of the content of some memory     locations.(CVE-2019-11046)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11047)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11050)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26     and 7.x before 7.0.11 does not verify that a BIT field     has the UNSIGNED_FLAG flag, which allows remote MySQL     servers to cause a denial of service (heap-based buffer     overflow) or possibly have unspecified other impact via     crafted field metadata.(CVE-2016-7412)

  - ext/standard/var_unserializer.re in PHP before 5.6.26     mishandles object-deserialization failures, which     allows remote attackers to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via an unserialize call that references a     partially constructed object.(CVE-2016-7411)

  - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect     handling of various URI components in the URL parser     could be used by attackers to bypass hostname-specific     URL checks, as demonstrated by     evil.example.com:80#@good.example.com/ and     evil.example.com:80?@good.example.com/ inputs to the     parse_url function (implemented in the php_url_parse_ex     function in ext/standard/url.c).(CVE-2016-10397)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x     before 7.1.7, an error in the date extension's     timelib_meridian parsing code could be used by     attackers able to supply date strings to leak     information from the interpreter, related to     ext/date/lib/parse_date.c out-of-bounds reads affecting     the php_parse_date function. NOTE: the correct fix is     in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit,     not the bd77ac90d3bdf31ce2a5251ad92e9e75     gist.(CVE-2017-11145)

  - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x     before 7.1.11, an error in the date extension's     timelib_meridian handling of 'front of' and 'back of'     directives could be used by attackers able to supply     date strings to leak information from the interpreter,     related to ext/date/lib/parse_date.c out-of-bounds     reads affecting the php_parse_date function. NOTE: this     is a different issue than     CVE-2017-11145.(CVE-2017-16642)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13     and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as     terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths     that the code is allowed to access.(CVE-2019-11045)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other     products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c.(CVE-2019-19246)

  - PHP through 7.1.11 enables potential SSRF in     applications that accept an fsockopen or pfsockopen     hostname argument with an expectation that the port     number is constrained. Because a :port syntax is     recognized, fsockopen will use the port number that is     specified in the hostname argument, instead of the port     number in the second argument of the     function.(CVE-2017-7272)

  - When PHP EXIF extension is parsing EXIF information     from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and     7.4.0 it is possible to supply it with data what will     cause it to read past the allocated buffer. This may     lead to information disclosure or     crash.(CVE-2019-11047)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php53 fixes the following issues :

  - The fix for CVE-2017-7272 was reverted, as it caused     regressions in the mysql server connect module.
    [bsc#1044976] The security fix tried to avoid a server     side request forgery, and will be submitted when a     better fix becomes available.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php53 fixes the following issues: This security issue was fixed :

  - CVE-2017-7272: PHP enabled potential SSRF in     applications that accept an fsockopen hostname argument     with an expectation that the port number is constrained.
    Because a :port syntax was recognized, fsockopen used     the port number that is specified in the hostname     argument, instead of the port number in the second     argument of the function (bsc#1031246)

  - CVE-2016-6294: The locale_accept_from_http function in     ext/intl/locale/locale_methods.c did not properly     restrict calls to the ICU uloc_acceptLanguageFromHTTP     function, which allowed remote attackers to cause a     denial of service (out-of-bounds read) or possibly have     unspecified other impact via a call with a long argument     (bsc#1035111).

  - CVE-2017-9227: An issue was discovered in Oniguruma     6.2.0, as used in mbstring in PHP. A stack out-of-bounds     read occurs in mbc_enc_len() during regular expression     searching. Invalid handling of reg->dmin in     forward_search_range() could result in an invalid     pointer dereference, as an out-of-bounds read from a     stack buffer. (bsc#1040883)

  - CVE-2017-9226: An issue was discovered in Oniguruma     6.2.0, as used in Oniguruma-mod in mbstring in PHP. A     heap out-of-bounds write or read occurs in     next_state_val() during regular expression compilation.
    Octal numbers larger than 0xff are not handled correctly     in fetch_token() and fetch_token_in_cc(). A malformed     regular expression containing an octal number in the     form of '\700' would produce an invalid code point value     larger than 0xff in next_state_val(), resulting in an     out-of-bounds write memory corruption. (bsc#1040889)

  - CVE-2017-9224: An issue was discovered in Oniguruma     6.2.0, as used in Oniguruma-mod in mbstring in PHP. A     stack out-of-bounds read occurs in match_at() during     regular expression searching. A logical error involving     order of validation and access in match_at() could     result in an out-of-bounds read from a stack buffer.
    (bsc#1040891)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

CVE-2016-7478: Zend/zend_exceptions.c in PHP allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876.

CVE-2016-7479: During the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain the ability of arbitrary code execution. Even though the property table issue only affects PHP 7 this change also prevents a wide range of other __wakeup() based attacks.

CVE-2017-7272: The fsockopen() function will use the port number which is defined in hostname instead of the port number passed to the second parameter of the function. This misbehavior may introduce another attack vector for an already known application vulnerability (e.g.
Server Side Request Forgery).

For Debian 7 'Wheezy', these problems have been fixed in version 5.4.45-0+deb7u8.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
137966	EulerOS Virtualization 3.0.6.0 : php (EulerOS-SA-2020-1747)	Nessus	Huawei Local Security Checks	critical
136245	EulerOS Virtualization for ARM 64 3.0.2.0 : php (EulerOS-SA-2020-1542)	Nessus	Huawei Local Security Checks	medium
135137	EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-1350)	Nessus	Huawei Local Security Checks	medium
134006	EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1172)	Nessus	Huawei Local Security Checks	medium
133925	EulerOS 2.0 SP5 : php (EulerOS-SA-2020-1124)	Nessus	Huawei Local Security Checks	high
132184	EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)	Nessus	Huawei Local Security Checks	critical
131592	EulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)	Nessus	Huawei Local Security Checks	critical
101107	SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1709-1)	Nessus	SuSE Local Security Checks	medium
100866	SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1585-1)	Nessus	SuSE Local Security Checks	high
99003	Debian DLA-875-1 : php5 security update	Nessus	Debian Local Security Checks	high

CVE-2017-7272

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins