Bug 37093 - php5: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
Importance: P4 normal
Target Milestone: UCS 3.2-6-errata
Assigned To: Arvid Requate
Janek Walkenhorst
Depends on: 37666
Reported: 2014-11-27 17:21 CET by Janek Walkenhorst
Modified: 2015-08-21 15:56 CEST (History)

Bug group (optional): Security
Description Janek Walkenhorst univentionstaff 2014-11-27 17:21:13 CET
Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459)
Comment 1 Moritz Muehlenhoff univentionstaff 2014-12-15 10:22:56 CET
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8116, CVE-2014-8117)
Comment 2 Moritz Muehlenhoff univentionstaff 2015-01-05 09:38:02 CET
Denial of service in the CGI module (CVE-2014-9427)
Comment 3 Moritz Muehlenhoff univentionstaff 2015-01-12 07:18:24 CET
(In reply to Moritz Muehlenhoff from comment #2)
> Denial of service in the CGI module (CVE-2014-9427)

The PHP version in UCS 3.2 is not affected.
Comment 4 Moritz Muehlenhoff univentionstaff 2015-02-02 09:41:18 CET
Memory corruption in processing EXIF tags (CVE-2015-0232)
Comment 5 Arvid Requate univentionstaff 2015-02-19 18:12:13 CET
Denial of service via long pascal strings (CVE-2014-9652)
Comment 6 Arvid Requate univentionstaff 2015-03-19 00:01:03 CET
Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)

Denial of Service due to use after free in phar_object.c (CVE-2015-2301)

Heap buffer overflow in enchant_broker_request_dict for PHP "enchant" extension (CVE-2014-9705)

I guess this last issue affects php5-enchant which is in 3.2/maintained/component/php54 (only)
Comment 7 Arvid Requate univentionstaff 2015-03-24 19:53:36 CET
Heap overflow vulnerability in regcomp.c (CVE-2015-2305)

ZIP Integer Overflow leads to writing past heap boundary (CVE-2015-2331)
Comment 8 Arvid Requate univentionstaff 2015-04-24 12:03:41 CEST
New issues:

* Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Remote code execution with apache 2.4 apache2handler (CVE-2015-3330)
* Use-after-free vulnerability in the process_nested_data function allows execution of arbitrary code by remote attackers (CVE-2015-2787)
* Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329)
Comment 9 Arvid Requate univentionstaff 2015-05-07 16:32:13 CEST
New status summary:

Fixed in upstream Debian package version 5.3.3.1-7+squeeze26:
CVE-2014-8117 CVE-2015-0232 CVE-2014-9652 CVE-2015-2301 CVE-2014-9705 CVE-2015-2331 CVE-2015-2783 CVE-2015-3330 CVE-2015-2787 CVE-2015-3329

Not affected by:
CVE-2014-8116

These issues have been classified as "Minor issue" in Debian:
CVE-2014-5459 

Currently still unfixed:
CVE-2015-0273 CVE-2015-2305 CVE-2015-2348
Comment 10 Arvid Requate univentionstaff 2015-06-08 19:40:00 CEST
CVE-2015-4025 / CVE-2015-4026

    Multiple functions didn't check for NULL bytes in path names.

CVE-2015-4024

    Denial of service when processing multipart/form-data requests.

CVE-2015-4022

    Integer overflow in the ftp_genlist() function may result in
    denial of service or potentially the execution of arbitrary code.

CVE-2015-4021

    Multiple vulnerabilities in the phar extension may result in
    denial of service or potentially the execution of arbitrary code
    when processing malformed archives.
Comment 11 Arvid Requate univentionstaff 2015-07-13 13:01:10 CEST
* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)

* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)

* Information disclosure providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)

* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)

* Incomplete Class unserialization type confusion (CVE-2015-4602)

* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)

* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)

New issues:

* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)

* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)

* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
Comment 12 Arvid Requate univentionstaff 2015-08-18 13:16:10 CEST
These additional CVEs have been fixed courtesy of Janek Walkenhorst:

* Denial of service in CDF property info parsing (CVE-2014-0237)
* Infinite loop or out-of-bounds memory access in CDF property info parsing (CVE-2014-0238)
* Denial of service via crafted offsets in the softmagic of a PE executable (CVE-2014-2270)

Advisory: 2015-08-18-php5.yaml
Comment 13 Janek Walkenhorst univentionstaff 2015-08-19 19:29:51 CEST
Tests: OK
Advisory: OK
Comment 14 Janek Walkenhorst univentionstaff 2015-08-21 15:56:54 CEST
<http://errata.univention.de/ucs/3.2/363.html>