Mandriva Linux Security Advisory : php (MDVSA-2015:080)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities has been discovered and corrected in php :

It was discovered that the file utility contains a flaw in the
handling of indirect magic rules in the libmagic library, which leads
to an infinite recursion when trying to determine the file type of
certain files (CVE-2014-1943).

A flaw was found in the way the file utility determined the type of
Portable Executable (PE) format files, the executable format used on
Windows. A malicious PE file could cause the file utility to crash or,
potentially, execute arbitrary code (CVE-2014-2270).

The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards with
unlimited repetitions, which allows context-dependent attackers to
cause a denial of service (CPU consumption) via a crafted ASCII file
that triggers a large amount of backtracking, as demonstrated via a
file with many newline characters (CVE-2013-7345).

PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
socket with world-writable permissions by default, which allows any
local user to connect to it and execute PHP scripts as the apache user
(CVE-2014-0185).

A flaw was found in the way file's Composite Document Files (CDF)
format parser handle CDF files with many summary info entries. The
cdf_unpack_summary_info() function unnecessarily repeatedly read the
info from the same offset. This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount
of CPU time when parsing a specially crafted CDF file (CVE-2014-0237).

A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files. A property entry with 0 elements
triggers an infinite loop (CVE-2014-0238).

The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue related to the SPL ArrayObject and SPLObjectStorage
Types (CVE-2014-3515).

It was discovered that PHP is vulnerable to a heap-based buffer
overflow in the DNS TXT record parsing. A malicious server or
man-in-the-middle attacker could possibly use this flaw to execute
arbitrary code as the PHP interpreter if a PHP application uses
dns_get_record() to perform a DNS query (CVE-2014-4049).

A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files, where the mconvert() function
did not correctly compute the truncated pascal string size
(CVE-2014-3478).

Multiple flaws were found in the way file parsed property information
from Composite Document Files (CDF) files, due to insufficient
boundary checks on buffers (CVE-2014-0207, CVE-2014-3479,
CVE-2014-3480, CVE-2014-3487).

The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue that can cause it to leak arbitrary process memory
(CVE-2014-4721).

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL
component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact
via crafted ArrayIterator usage within applications in certain
web-hosting environments (CVE-2014-4698).

Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL
component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact
via crafted iterator usage within applications in certain web-hosting
environments (CVE-2014-4670).

file before 5.19 does not properly restrict the amount of data read
during a regex search, which allows remote attackers to cause a denial
of service (CPU consumption) via a crafted file that triggers
backtracking during processing of an awk rule, due to an incomplete
fix for CVE-2013-7345 (CVE-2014-3538).

Integer overflow in the cdf_read_property_info function in cdf.c in
file through 5.19, as used in the Fileinfo component in PHP before
5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a
denial of service (application crash) via a crafted CDF file. NOTE:
this vulnerability exists because of an incomplete fix for
CVE-2012-1571 (CVE-2014-3587).

Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted DNS record, related to
the dns_get_record function and the dn_expand function. NOTE: this
issue exists because of an incomplete fix for CVE-2014-4049
(CVE-2014-3597).

An integer overflow flaw in PHP's unserialize() function was reported.
If unserialize() were used on untrusted data, this issue could lead to
a crash or potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail()
function. A specially crafted JPEG image could cause the PHP
interpreter to crash or, potentially, execute arbitrary code
(CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to
download, it could return local files from the server due to improper
handling of null bytes (PHP#68089).

An out-of-bounds read flaw was found in file's donote() function in
the way the file utility determined the note headers of a elf file.
This could possibly lead to file executable crash (CVE-2014-3710).

A use-after-free flaw was found in PHP unserialize(). An untrusted
input could cause PHP interpreter to crash or, possibly, execute
arbitrary code when processed using unserialize() (CVE-2014-8142).

Double free vulnerability in the zend_ts_hash_graceful_destroy
function in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21
allows remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors (CVE-2014-9425).

sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when
mmap is used to read a .php file, does not properly consider the
mapping's length during processing of an invalid file that begins with
a # character and lacks a newline character, which causes an
out-of-bounds read and might allow remote attackers to obtain
sensitive information from php-cgi process memory by leveraging the
ability to upload a .php file or trigger unexpected code execution if
a valid PHP script is present in memory locations adjacent to the
mapping (CVE-2014-9427).

Use after free vulnerability in unserialize() in PHP before 5.5.21
(CVE-2015-0231).

Free called on an uninitialized pointer in php-exif in PHP before
5.5.21 (CVE-2015-0232).

The readelf.c source file has been removed from PHP's bundled copy of
file's libmagic, eliminating exposure to denial of service issues in
ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620
and CVE-2014-9621 in PHP's fileinfo module.

S. Paraschoudis discovered that PHP incorrectly handled memory in the
enchant binding. A remote attacker could use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2014-9705).

Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code
(CVE-2015-0273).

It was discovered that PHP incorrectly handled memory in the phar
extension. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2015-2301).

Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).

The exif_process_unicode function in ext/exif/exif.c in PHP before
5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via crafted EXIF
data in a JPEG image (CVE-2015-0232).

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way libzip, which is embedded in PHP, processed certain
ZIP archives. If an attacker were able to supply a specially crafted
ZIP archive to an application using libzip, it could cause the
application to crash or, possibly, execute arbitrary code
(CVE-2015-2331).

It was discovered that the PHP opcache component incorrectly handled
memory. A remote attacker could possibly use this issue to cause PHP
to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2015-1351).

It was discovered that the PHP PostgreSQL database extension
incorrectly handled certain pointers. A remote attacker could possibly
use this issue to cause PHP to crash, resulting in a denial of
service, or possibly execute arbitrary code (CVE-2015-1352).

PHP contains a bundled copy of the file utility's libmagic library, so
it was vulnerable to the libmagic issues.

The updated php packages have been patched and upgraded to the 5.5.23
version which is not vulnerable to these issues. The libzip packages
has been patched to address the CVE-2015-2331 flaw.

A bug in the php zip extension that could cause a crash has been fixed
(mga#13820)

Additionally the jsonc and timezonedb packages has been upgraded to
the latest versions and the PECL packages which requires so has been
rebuilt for php-5.5.23.

See also :

http://advisories.mageia.org/MGASA-2014-0163.html
http://advisories.mageia.org/MGASA-2014-0178.html
http://advisories.mageia.org/MGASA-2014-0215.html
http://advisories.mageia.org/MGASA-2014-0258.html
http://advisories.mageia.org/MGASA-2014-0284.html
http://advisories.mageia.org/MGASA-2014-0324.html
http://advisories.mageia.org/MGASA-2014-0367.html
http://advisories.mageia.org/MGASA-2014-0430.html
http://advisories.mageia.org/MGASA-2014-0441.html
http://advisories.mageia.org/MGASA-2014-0542.html
http://advisories.mageia.org/MGASA-2015-0040.html
http://php.net/ChangeLog-5.php#5.5.10
http://php.net/ChangeLog-5.php#5.5.11
http://php.net/ChangeLog-5.php#5.5.12
http://php.net/ChangeLog-5.php#5.5.13
http://php.net/ChangeLog-5.php#5.5.14
http://php.net/ChangeLog-5.php#5.5.15
http://php.net/ChangeLog-5.php#5.5.16
http://php.net/ChangeLog-5.php#5.5.17
http://php.net/ChangeLog-5.php#5.5.18
http://php.net/ChangeLog-5.php#5.5.19
http://php.net/ChangeLog-5.php#5.5.20
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.5.22
http://php.net/ChangeLog-5.php#5.5.23
http://php.net/ChangeLog-5.php#5.5.9
http://www.ubuntu.com/usn/usn-2501-1/
http://www.ubuntu.com/usn/usn-2535-1/
https://bugs.mageia.org/show_bug.cgi?id=13820
https://bugzilla.redhat.com/show_bug.cgi?id=1204676

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public Exploit Available : true