Univention Bugzilla – Bug 37093
php5: Multiple issues (3.2)
Last modified: 2015-08-21 15:56:54 CEST
Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459)
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8116, CVE-2014-8117)
Denial of service in the CGI module (CVE-2014-9427)
(In reply to Moritz Muehlenhoff from comment #2)
> Denial of service in the CGI module (CVE-2014-9427)
The PHP version in UCS 3.2 is not affected.
Memory corruption in processing EXIF tags (CVE-2015-0232)
Denial of service via long pascal strings (CVE-2014-9652)
Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
Denial of Service due to use after free in phar_object.c (CVE-2015-2301)
Heap buffer overflow in enchant_broker_request_dict for PHP "enchant" extension (CVE-2014-9705)
I guess this last issue affects php5-enchant which is in 3.2/maintained/component/php54 (only)
Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
ZIP Integer Overflow leads to writing past heap boundary (CVE-2015-2331)
New issues:
* Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Remote code execution with apache 2.4 apache2handler (CVE-2015-3330)
* Use-after-free vulnerability in the process_nested_data function allows execution of arbitrary code by remote attackers (CVE-2015-2787)
* Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329)
New status summary:
Fixed in upstream Debian package version 5.3.3.1-7+squeeze26:
CVE-2014-8117 CVE-2015-0232 CVE-2014-9652 CVE-2015-2301 CVE-2014-9705 CVE-2015-2331 CVE-2015-2783 CVE-2015-3330 CVE-2015-2787 CVE-2015-3329
Not affected by:
CVE-2014-8116
These issues have been classified as "Minor issue" in Debian:
CVE-2014-5459
Currently still unfixed:
CVE-2015-0273 CVE-2015-2305 CVE-2015-2348
CVE-2015-4025 / CVE-2015-4026 Multiple functions didn't check for NULL bytes in path names.
CVE-2015-4024 Denial of service when processing multipart/form-data requests.
CVE-2015-4022 Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code.
CVE-2015-4021 Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives.
* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure by providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)
New issues:
* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
These additional CVEs have been fixed courtesy of Janek Walkenhorst:
* Denial of service in CDF property info parsing (CVE-2014-0237)
* Infinite loop or out-of-bounds memory access in CDF property info parsing (CVE-2014-0238)
* Denial of service via crafted offsets in the softmagic of a PE executable (CVE-2014-2270)
Advisory: 2015-08-18-php5.yaml
Tests: OK
Advisory: OK
<http://errata.univention.de/ucs/3.2/363.html>