Univention Bugzilla – Bug 38590
php5: Multiple issues (ES 3.1)
Last modified: 2016-06-20 17:41:59 CEST
+++ This bug was initially created as a clone of Bug #37666 +++

* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)

New issues:
* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
Fixed in 5.3.3.1-7+squeeze27:
* Remote Denial of Service and possibly unspecified other impact via a crafted tar archive due to heap metadata corruption in the phar_parse_metadata function in ext/phar/phar.c (CVE-2015-3307)
* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Remote Denial of Service via a crafted entry in a tar archive due to integer underflow and memory corruption in the phar_parse_tarfile function in ext/phar/tar.c (CVE-2015-4021)
* Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code (CVE-2015-4022)
* Multiple functions didn't check for NULL bytes in path names (CVE-2015-4025 CVE-2015-4026)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)
* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
* Denial of Service due to Segfault in Phar::convertToData on invalid file (CVE-2015-5589)
* Crash or code injection due to Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)
Known but still unfixed issues:
* CVE-2014-5459 (minor, will not get fixed in squeeze LTS)
* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Denial of service when processing multipart/form-data requests (CVE-2015-4024)
* DoS and code injection due to exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)
* Use after free vulnerability in session deserializer (CVE-2015-6835)
* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)
* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)
Still unfixed in 5.3.3.1-7+squeeze27:
* vulnerabilities in unserialize (CVE-2015-6831)
* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)
* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
The following issues have been fixed in 5.3.3.1-7+squeeze29:

CVE-2015-2305
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.

CVE-2015-2348
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

CVE-2016-tmp, Bug #71039 exec functions ignore length but look for NULL termination
CVE-2016-tmp, Bug #71089 No check to duplicate zend_extension
CVE-2016-tmp, Bug #71201 round() segfault on 64-bit builds
CVE-2016-tmp, Bug #71459 Integer overflow in iptcembed()
CVE-2016-tmp, Bug #71354 Heap corruption in tar/zip/phar parser
CVE-2016-tmp, Bug #71391 NULL Pointer Dereference in phar_tar_setupmetadata()
CVE-2016-tmp, Bug #70979 Crash on bad SOAP request
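A defence-in-depth check on the application side for the move_uploaded_file() null-byte truncation described above (CVE-2015-2348), added here as an example and not taken from the bug report, from Univention or from the PHP project. The upload directory and the extension allow-list are assumed values, and the code sticks to PHP 5.3 syntax because that is the series this bug tracks.

```php
<?php
// Added example, not code from the Univention bug report or from PHP itself.
// A vulnerable move_uploaded_file() cuts the destination path at the first
// \x00 byte, so a name such as "shell.php\x00.png" passes a naive ".png"
// check but is written to disk as shell.php. Validating the untruncated name
// here, and never letting the client pick the stored name, closes that gap
// regardless of the interpreter version. Written in PHP 5.3 syntax.

define('UPLOAD_DIR', '/var/www/uploads');            // assumed value
$allowedExt = array('png', 'jpg', 'jpeg', 'pdf');    // assumed allow-list

/**
 * Returns an absolute destination path below $uploadDir, or null when the
 * client-supplied file name is rejected.
 */
function safeUploadDestination($clientName, $uploadDir, array $allowedExt)
{
    // 1. Reject embedded NUL bytes before anything else inspects the name.
    if (strpos($clientName, "\0") !== false) {
        return null;
    }
    // 2. Keep only the last path component; the browser-supplied name may
    //    carry either kind of directory separator or "../" sequences.
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    // 3. Extension allow-list, evaluated on the full, untruncated name.
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // 4. Store under a server-chosen random name with the validated
    //    extension, inside the resolved (symlink-free) upload directory.
    $dir = realpath($uploadDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    return $dir . '/' . bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
}

// Usage, after verifying $_FILES['f']['error'] === UPLOAD_ERR_OK:
// $dest = safeUploadDestination($_FILES['f']['name'], UPLOAD_DIR, $allowedExt);
// if ($dest === null || !move_uploaded_file($_FILES['f']['tmp_name'], $dest)) {
//     // reject the upload
// }
```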
Additional issues, individual patches available upstream:
* The make_http_soap_request function in ext/soap/php_http.c in PHP ... (CVE-2015-8835)
* Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, ... (CVE-2016-2554)
* Use-after-free vulnerability in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. (CVE-2016-3141)
* The phar_parse_zipfile function in zip.c in the PHAR extension allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. (CVE-2016-3142)
(In reply to Arvid Requate from comment #6)
> The following issues have been fixed in 5.3.3.1-7+squeeze29:

We should upgrade to the "latest" squeeze version.
imported (squeeze-lts) and built php 5.3.3.1-7+squeeze29 in 3.1 extsec3.1
added ucs-3.1/ucs-3.1-1/doc/errata/staging/php5.txt

OK - horde installation on 3.1 with extsec php
OK - owncloud installation on 3.1 with extsec php
OK - php -r 'phpinfo();'
OK - update to 3.2
The versioning is ok, given that the same glibc is used through 3.1 and 3.2:
=====================================================================
Version: 5.3.3-7.189.201312160807: ucs_3.1-0-errata3.1-1
Version: 5.3.3.1-7.231.201606020932: ucs_3.1-0-extsec3.1
Version: 5.3.3-7.181.201308291557: ucs_3.2-0
Version: 5.3.3-7.190.201312160852: ucs_3.2-0-errata3.2-0
Version: 5.3.3-7.207.201411271302: ucs_3.2-0-errata3.2-3
Version: 5.3.3.1-7.212.201508171807: ucs_3.2-0-errata3.2-6
Version: 5.3.3.1-7.218.201511161319: ucs_3.2-0-errata3.2-7
Version: 5.3.3.1-7.218.201511161319: ucs_3.2-0-ucs3.2-8
Version: 5.4.45-0~ucs3.3.230.201603072027: ucs_3.3-0
Version: 5.4.4-14.204.201411010701: ucs_4.0-0
=====================================================================

Package update (amd64) and basic functional test: Ok
Advisory: Ok (reformatted the CVE list)
<http://errata.software-univention.de/ucs/3.1/283.html>