http://php.net/ChangeLog-5.php

http://php.net/ChangeLog-7.php

102742

104020

1040363

RHSA-2018:1296

https://bugs.php.net/bug.php?id=74782

[debian-lts-announce] 20180120 [SECURITY] [DLA 1251-1] php5 security update

USN-3566-1

USN-3600-1

USN-3600-2

According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.1. It is, therefore, affected by multiple vulnerabilities.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.13. It is, therefore, affected by the multiple vulnerabilities.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.27. It is, therefore, affected by multiple vulnerabilities.

 Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities.

 Note that the scanner has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.

**PHP version 7.2.5** (26 Apr 2018)

**Core:**

  - Fixed bug php#75722 (Convert valgrind detection to     configure option). (Michael Heimpold)

**Date:**

  - Fixed bug php#76131 (mismatch arginfo for date_create).
    (carusogabriel)

**Exif:**

  - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786)     in exif_iif_add_value). (Stas)

**FPM:**

  - Fixed bug php#68440 (ERROR: failed to reload: execvp()     failed: Argument list too long). (Jacob Hipps)

  - Fixed incorrect write to getenv result in FPM reload.
    (Jakub Zelenka)

**GD:**

  - Fixed bug php#52070 (imagedashedline() - dashed line     sometimes is not visible). (cmb)

**intl:**

  - Fixed bug php#76153 (Intl compilation fails with icu4c     61.1). (Anatol)

**iconv:**

  - Fixed bug php#76249 (stream filter convert.iconv leads     to infinite loop on invalid sequence). (Stas)

**ldap:**

  - Fixed bug php#76248 (Malicious LDAP-Server Response     causes Crash). (Stas)

**mbstring:**

  - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001)

  - Fixed bug php#76113 (mbstring does not build with     Oniguruma 6.8.1). (chrullrich, cmb)

**ODBC:**

  - Fixed bug php#76088 (ODBC functions are not available by     default on Windows). (cmb)

**Opcache:**

  - Fixed bug php#76094 (Access violation when using     opcache). (Laruence)

**Phar:**

  - Fixed bug php#76129 (fix for CVE-2018-5712 may not be     complete). (Stas)

**phpdbg:**

  - Fixed bug php#76143 (Memory corruption: arbitrary NUL     overwrite). (Laruence)

**SPL:**

  - Fixed bug php#76131 (mismatch arginfo for splarray     constructor). (carusogabriel)

**standard:**

  - Fixed bug php#74139 (mail.add_x_header default     inconsistent with docs). (cmb)

  - Fixed bug php#75996 (incorrect url in header for     mt_rand). (tatarbj)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes several issues. These security issues were fixed :

  - CVE-2018-5712: Prevent reflected XSS on the PHAR 404     error page via the URI of a request for a .phar file     that allowed for information disclosure (bsc#1076220).

  - CVE-2018-5711: Prevent integer signedness error that     could have lead to an infinite loop via a crafted GIF     file allowing for DoS (bsc#1076391)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php5 fixes several issues. These security issues were fixed :

  - CVE-2018-5712: Prevent reflected XSS on the PHAR 404     error page via the URI of a request for a .phar file     that allowed for information disclosure (bsc#1076220)

  - CVE-2018-5711: Prevent integer signedness error that     could have lead to an infinite loop via a crafted GIF     file allowing for DoS (bsc#1076391)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**PHP version 7.1.17** (26 Apr 2018)

**Date:**

  - Fixed bug php#76131 (mismatch arginfo for date_create).
    (carusogabriel)

**Exif:**

  - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786)     in exif_iif_add_value). (Stas)

**FPM:**

  - Fixed bug php#68440 (ERROR: failed to reload: execvp()     failed: Argument list too long). (Jacob Hipps)

  - Fixed incorrect write to getenv result in FPM reload.
    (Jakub Zelenka)

**GD:**

  - Fixed bug php#52070 (imagedashedline() - dashed line     sometimes is not visible). (cmb)

**iconv:**

  - Fixed bug php#76249 (stream filter convert.iconv leads     to infinite loop on invalid sequence). (Stas)

**intl:**

  - Fixed bug php#76153 (Intl compilation fails with icu4c     61.1). (Anatol)

**ldap:**

  - Fixed bug php#76248 (Malicious LDAP-Server Response     causes Crash). (Stas)

**mbstring:**

  - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001)

  - Fixed bug php#76113 (mbstring does not build with     Oniguruma 6.8.1). (chrullrich, cmb)

**Phar:**

  - Fixed bug php#76129 (fix for CVE-2018-5712 may not be     complete). (Stas)

**phpdbg:**

  - Fixed bug php#76143 (Memory corruption: arbitrary NUL     overwrite). (Laruence)

**SPL:**

  - Fixed bug php#76131 (mismatch arginfo for splarray     constructor). (carusogabriel)

**standard:**

  - Fixed bug php#75996 (incorrect url in header for     mt_rand). (tatarbj)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php53 fixes several issues. These security issues were fixed :

  - CVE-2016-10712: In PHP all of the return values of     stream_get_meta_data could be controlled if the input     can be controlled (e.g., during file uploads).
    (bsc#1080234)

  - CVE-2018-5712: Prevent reflected XSS on the PHAR 404     error page via the URI of a request for a .phar file     that allowed for information disclosure (bsc#1076220)

  - CVE-2018-5711: Prevent integer signedness error that     could have lead to an infinite loop via a crafted GIF     file allowing for DoS (bsc#1076391)

  - CVE-2016-5773: php_zip.c in the zip extension in PHP     improperly interacted with the unserialize     implementation and garbage collection, which allowed     remote attackers to execute arbitrary code or cause a     denial of service (use-after-free and application crash)     via crafted serialized data containing a ZipArchive     object. (bsc#986247)

  - CVE-2016-5771: spl_array.c in the SPL extension in PHP     improperly interacted with the unserialize     implementation and garbage collection, which allowed     remote attackers to execute arbitrary code or cause a     denial of service (use-after-free and application crash)     via crafted serialized data. (bsc#986391)

  - CVE-2018-7584: Fixed stack-based buffer under-read while     parsing an HTTPresponse in the     php_stream_url_wrap_http_ex. (bsc#1083639)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that PHP incorrectly handled certain stream metadata. A remote attacker could possibly use this issue to set arbitrary metadata. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-10712)

It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-5712)

It was discovered that PHP incorrectly handled parsing certain HTTP responses. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-7584).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that PHP incorrectly handled the PHAR 404 error page. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2018-5712)

It was discovered that PHP incorrectly handled memory when unserializing certain data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-12933)

It was discovered that PHP incorrectly handled 'front of' and 'back of' date directives. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2017-16642).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Reflected XSS in .phar 404 page

An issue was discovered in PHP; there is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file. (CVE-2018-5712)

Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c

The gd_gif_in.c file in the GD Graphics Library (aka libgd), as used in PHP has an integer signedness error that leads to an infinite loop via a crafted GIF file, as demonstrated by a call to the imagecreatefromgif or imagecreatefromstring PHP function. This is related to GetCode_ and gdImageCreateFromGifCtx. (CVE-2018-5711)

New php packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

This update for php7 fixes several issues.

These security issues were fixed :

  - CVE-2018-5712: Prevent reflected XSS on the PHAR 404     error page via the URI of a request for a .phar file     that allowed for information disclosure (bsc#1076220).

  - CVE-2018-5711: Prevent integer signedness error that     could have lead to an infinite loop via a crafted GIF     file allowing for DoS (bsc#1076391)

This update was imported from the SUSE:SLE-12:Update update project.

This update for php5 fixes several issues.

These security issues were fixed :

  - CVE-2018-5712: Prevent reflected XSS on the PHAR 404     error page via the URI of a request for a .phar file     that allowed for information disclosure (bsc#1076220)

  - CVE-2018-5711: Prevent integer signedness error that     could have lead to an infinite loop via a crafted GIF     file allowing for DoS (bsc#1076391)

This update was imported from the SUSE:SLE-12:Update update project.

It was discovered that PHP5 was vulnerable to a reflected cross-site scripting (XSS) attack on the PHAR 404 error page by manipulating the URI of a request for a .phar file. This issue is only exploitable if the web server is configured to handle phar files using PHP5.

For Debian 7 'Wheezy', these problems have been fixed in version 5.4.45-0+deb7u12.

We recommend that you upgrade your php5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.1. It is, therefore, affected by the following vulnerabilities :

  - A denial of service (DoS) vulnerability exists in the     imagecreatefromgif and imagecreatefromstring functions     of the gd_gif_in.c script within GD Graphics Library     (libgd) due to an integer signedness error. An     unauthenticated, remote attacker can exploit this issue,     via a crafted GIF file, to cause the applicaiton to stop     responding. (CVE-2018-5711)

  - A cross-site scripting (XSS) vulnerability exists due to     improper validation of .phar file before returning it to     users. An unauthenticated, remote attacker can exploit     this, by convincing a user to click a specially crafted     URL, to execute arbitrary script code in a user's browser     session. (CVE-2018-5712)

  - A denial of service (DoS) vulnerability exists in the     ext/standard/http_fopen_wrapper.c script due to     http_header_value possibly being a NULL value in an atoi     call. An unauthenticated, remote attacker can exploit     this issue, via a specifically crafted HTTP response, to     cause the application to stop responding. (CVE-2018-14884)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.13. It is, therefore, affected by the following vulnerabilities :

  - A denial of service (DoS) vulnerability exists in the     imagecreatefromgif and imagecreatefromstring functions     of the gd_gif_in.c script within GD Graphics Library     (libgd) due to an integer signedness error. An     unauthenticated, remote attacker can exploit this issue,     via a crafted GIF file, to cause the applicaiton to stop     responding. (CVE-2018-5711)

  - A cross-site scripting (XSS) vulnerability exists due to     improper validation of .phar file before returning it to     users. An unauthenticated, remote attacker can exploit     this, by convincing a user to click a specially crafted     URL, to execute arbitrary script code in a user's browser     session. (CVE-2018-5712)

  - A denial of service (DoS) vulnerability exists in the     ext/standard/http_fopen_wrapper.c script due to     http_header_value possibly being a NULL value in an atoi     call. An unauthenticated, remote attacker can exploit     this issue, via a specifically crafted HTTP response, to     cause the application to stop responding. (CVE-2018-14884)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.27. It is, therefore, affected by the following vulnerabilities :

  - A denial of service (DoS) vulnerability exists in the     imagecreatefromgif and imagecreatefromstring functions     of the gd_gif_in.c script within GD Graphics Library     (libgd) due to an integer signedness error. An     unauthenticated, remote attacker can exploit this issue,     via a crafted GIF file, to cause the applicaiton to stop     responding. (CVE-2018-5711)

  - A cross-site scripting (XSS) vulnerability exists due to     improper validation of .phar file before returning it to     users. An unauthenticated, remote attacker can exploit     this, by convincing a user to click a specially crafted     URL, to execute arbitrary script code in a user's browser     session. (CVE-2018-5712)

  - A denial of service (DoS) vulnerability exists in the     ext/standard/http_fopen_wrapper.c script due to     http_header_value possibly being a NULL value in an atoi     call. An unauthenticated, remote attacker can exploit     this issue, via a specifically crafted HTTP response, to     cause the application to stop responding. (CVE-2018-14884)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.33. It is, therefore, affected by multiple vulnerabilities : 

  - A potential infinite loop in gdImageCreateFromGifCtx.
    (CVE-2018-5711)

  - A reflected XSS in .phar 404 page exists due to     improper validation of user-supplied input before     returning it to users. An unauthenticated, remote     attacker can exploit this, by convincing a user to     click a specially crafted URL, to execute arbitrary     script code in a user's browser session. (CVE-2018-5712)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98865	PHP 7.2.x < 7.2.1 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98858	PHP 7.1.x < 7.1.13 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98846	PHP 7.0.x < 7.0.27 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
98824	PHP 5.6.x < 5.6.33 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
120886	Fedora 28 : php (2018-ee6707d519)	Nessus	Fedora Local Security Checks	medium
120015	SUSE SLES12 Security Update : php7 (SUSE-SU-2018:0308-1)	Nessus	SuSE Local Security Checks	medium
120013	SUSE SLES12 Security Update : php5 (SUSE-SU-2018:0216-1)	Nessus	SuSE Local Security Checks	medium
109560	Fedora 26 : php (2018-6071a600e8)	Nessus	Fedora Local Security Checks	medium
109559	Fedora 27 : php (2018-04f6056c42)	Nessus	Fedora Local Security Checks	medium
108650	SUSE SLES11 Security Update : php53 (SUSE-SU-2018:0806-1)	Nessus	SuSE Local Security Checks	high
108483	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : php5, php7.0, php7.1 vulnerabilities (USN-3600-1)	Nessus	Ubuntu Local Security Checks	high
106792	Ubuntu 14.04 LTS : php5 vulnerabilities (USN-3566-1)	Nessus	Ubuntu Local Security Checks	high
106691	Amazon Linux AMI : php56 / php70,php71 (ALAS-2018-946)	Nessus	Amazon Linux Local Security Checks	medium
106586	Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2018-034-01)	Nessus	Slackware Local Security Checks	medium
106550	openSUSE Security Update : php7 (openSUSE-2018-119)	Nessus	SuSE Local Security Checks	medium
106434	openSUSE Security Update : php5 (openSUSE-2018-99)	Nessus	SuSE Local Security Checks	medium
106207	Debian DLA-1251-1 : php5 security update	Nessus	Debian Local Security Checks	medium
105774	PHP 7.2.x < 7.2.1 Multiple Vulnerabilities	Nessus	CGI abuses	medium
105773	PHP 7.1.x < 7.1.13 Multiple Vulnerabilities	Nessus	CGI abuses	medium
105772	PHP 7.0.x < 7.0.27 Multiple Vulnerabilities	Nessus	CGI abuses	medium
105771	PHP 5.6.x < 5.6.33 Multiple Vulnerabilities	Nessus	CGI abuses	medium

CVE-2018-5712

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins