Bug 40918 - php5: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Arvid Requate
Felix Botner
Depends on:
Blocks: 41479 42987
Reported: 2016-03-17 16:06 CET by Arvid Requate
Modified: 2017-10-26 13:53 CEST (History)

See Also:
What kind of report is it?: Security Issue
Bug group (optional): Security
requate: Patch_Available+


Description Arvid Requate univentionstaff 2016-03-17 16:06:47 CET
Upstream Debian package version 5.4.45-0+deb7u2 fixes these issues:

* Denial of service due to crash of the phar extension caused by NULL pointer dereference when processing tar archives containing links referring to non-existing files. (CVE-2015-7803) https://bugs.php.net/bug.php?id=69720

* Denial of service and potential information disclosure due to the phar extension incorrectly processing directory entries found in archive files with the name "/". (CVE-2015-7804) https://bugs.php.net/bug.php?id=70433
Comment 1 Arvid Requate univentionstaff 2016-05-03 16:01:34 CEST
Info: Debian Jessie updated to 5.6.20, which fixes these issues:

* Buffer over-write in finfo_open with malformed magic file (CVE-2015-8865)
* Integer Overflow in php_raw_url_encode (CVE-2016-4070)
* php_snmp_error() Format String Vulnerability (CVE-2016-4071)
* Invalid memory write in phar on filename with \0 in name (CVE-2016-4072)
* AddressSanitizer: negative-size-param (-1) in mbfl_strcut (CVE-2016-4073)
Comment 2 Arvid Requate univentionstaff 2016-05-17 20:50:39 CEST
Additional issues, individual patches available upstream: 

* The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function. (CVE-2016-1903)

* Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, ... (CVE-2016-2554)

* Use-after-free vulnerability in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. (CVE-2016-3141)

* The phar_parse_zipfile function in zip.c in the PHAR extension allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. (CVE-2016-3142)
Comment 3 Arvid Requate univentionstaff 2016-06-06 18:56:38 CEST
Upstream Debian package version 5.4.45-0+deb7u3 fixes these issues:

* The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file (CVE-2015-8865)

* The libxml_disable_entity_loader setting is shared between threads: ext/libxml/libxml.c in PHP before 5.5.22, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161 (CVE-2015-8866).

* main/php_open_temporary_file.c in PHP before 5.5.28 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses (CVE-2015-8878).

* The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (CVE-2015-8879).

* Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function (CVE-2016-4070).

* Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call (CVE-2016-4071).

* The Phar extension in PHP before 5.5.34 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c (CVE-2016-4072).

* Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call (CVE-2016-4073).

* The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive (CVE-2016-4343).

* The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (CVE-2016-4537).

* The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero (CVE-2016-4539).

* The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (CVE-2016-4540, CVE-2016-4541).

* The exif_process_* function in ext/exif/exif.c in PHP before 5.5.35 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544).
Comment 4 Janek Walkenhorst univentionstaff 2016-07-04 18:19:22 CEST
    * CVE-2016-5093.patch
      Absence of null character causes unexpected zend_string length and
      leaks heap memory. The test script uses locale_get_primary_language
      to reach get_icu_value_internal but there are some other functions
      that also trigger this issue:
        locale_canonicalize, locale_filter_matches,
        locale_lookup, locale_parse
    * CVE-2016-5094.patch
      don't create strings with lengths outside int range
    * CVE-2016-5095.patch
      similar to CVE-2016-5094
      don't create strings with lengths outside int range
    * CVE-2016-5096.patch
      int/size_t confusion in fread
    * CVE-TEMP-bug-70661.patch
      bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
    * CVE-TEMP-bug-70728.patch
      bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
    * CVE-TEMP-bug-70741.patch
      bug70741: Session WDDX Packet Deserialization Type Confusion
                Vulnerability
    * CVE-TEMP-bug-70480-raw.patch
      bug70480: php_url_parse_ex() buffer overflow read


For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u4.
Comment 5 Arvid Requate univentionstaff 2016-07-18 15:35:50 CEST
The following issues have been reported as fixed in the Jessie version:

* _php_mb_regex_ereg_replace_exec - double free (CVE-2016-5768)
* Heap Overflow due to integer overflows (CVE-2016-5769)
* int/size_t confusion in SplFileObject::fread (CVE-2016-5770)
* Use After Free Vulnerability in PHP's GC algorithm and unserialize (CVE-2016-5771)
* Double Free Corruption in wddx_deserialize (CVE-2016-5772)
* ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize (CVE-2016-5773)


Of all of the above, CVE-2016-4071 and CVE-2016-5771 have the highest impact:
  CVSS v2 Base score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Comment 6 Arvid Requate univentionstaff 2016-07-28 18:10:50 CEST
The following issues have been fixed in the Debian "Jessie" php5 package version 5.6.24+dfsg-0+deb8u1:

* PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. (CVE-2016-5385)
* Improper error handling in bzread() (CVE-2016-5399)
* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. (CVE-2016-6289)
* ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. (CVE-2016-6290)
* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. (CVE-2016-6291)
* The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image. (CVE-2016-6292)
* The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument. (CVE-2016-6294)
* ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773. (CVE-2016-6295)
* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function. (CVE-2016-6296)
* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. (CVE-2016-6297)
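The httpoxy entry above (CVE-2016-5385) rests on the RFC 3875 rule that turns every request header into an HTTP_* CGI meta-variable, so a client-supplied "Proxy" header lands in HTTP_PROXY, the very name HTTP client code reads for its outbound proxy. The Python below is an added illustration, not code from PHP, Debian or this bug: it implements that header-to-environment mapping for a constructed request (the proxy address is an assumed attacker value from the documentation range), shows a getenv('HTTP_PROXY')-style consumer picking it up, and then the same mapping with the Proxy header dropped, which is what the web-server-side mitigations do.

```python
import re

# Constructed sample request, not taken from the bug: a normal request plus the
# crafted "Proxy" header from the CVE-2016-5385 description. The proxy address
# is an assumed attacker value (documentation range).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://198.51.100.7:8080"),
    ("X-Forwarded-For", "203.0.113.5"),
]

# Request headers whose CGI meta-variable collides with an environment
# variable that HTTP client libraries read for outbound proxy settings.
COLLIDING_HEADERS = {"proxy"}


def cgi_meta_variable(header_name):
    """RFC 3875 section 4.1.18: 'HTTP_' + header name upper-cased, with any
    character that is not a letter or digit replaced by '_'."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header_name.upper())


def cgi_meta_variables(headers, drop_colliding=False):
    """Build the HTTP_* part of a CGI environment from (name, value) pairs.

    drop_colliding=True discards the Proxy header before the mapping, which is
    the web-server-side httpoxy mitigation; the default reproduces the
    unprotected behaviour the CVE text describes."""
    env = {}
    for name, value in headers:
        if drop_colliding and name.lower() in COLLIDING_HEADERS:
            continue
        key = cgi_meta_variable(name)
        # RFC 3875: repeated headers are joined into one comma-separated value.
        env[key] = value if key not in env else env[key] + ", " + value
    return env


def outbound_proxy(env):
    """Mimic an application that calls getenv('HTTP_PROXY') to choose the proxy
    for its own outbound HTTP requests, as in the CVE description."""
    return env.get("HTTP_PROXY")


def proxy_header_present(headers):
    """Detection helper: True if any request header would map to HTTP_PROXY.
    Such a header in the web server log is a sign of an httpoxy probe."""
    return any(cgi_meta_variable(name) == "HTTP_PROXY" for name, _ in headers)


if __name__ == "__main__":
    unprotected = cgi_meta_variables(SAMPLE_HEADERS)
    hardened = cgi_meta_variables(SAMPLE_HEADERS, drop_colliding=True)
    print("probe seen:        ", proxy_header_present(SAMPLE_HEADERS))
    print("unprotected proxy: ", outbound_proxy(unprotected))
    print("hardened proxy:    ", outbound_proxy(hardened))
```

The `drop_colliding` branch is the same thing the httpoxy project's published web server mitigations do before PHP ever runs: `RequestHeader unset Proxy early` with Apache mod_headers, or `fastcgi_param HTTP_PROXY "";` in an nginx FastCGI block. Applying one of those in front of php5-cgi or PHP-FPM protects applications that read the variable even before the package update from this comment is installed.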
Comment 7 Arvid Requate univentionstaff 2016-08-09 19:47:06 CEST
That "bug70480" above is now known as CVE-2016-6288:

* The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)

The following issues have been reported as fixed in Ubuntu (Jessie version is unaffected):

* Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation. (CVE-2015-4116)
* sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging. (CVE-2016-5114)

CVE-2015-4116: CVSS v2 base score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-5114: CVSS v2 base score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
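Comment 5 and comment 7 quote CVSS v2 base vectors together with their scores (6.8, 5.1 and 5.8). The Python below is a worked example added here, not part of this bug, of PHP or of Debian: it evaluates the CVSS v2 base equation with the metric weights from the CVSS v2.0 specification so that the three scores in the thread can be recomputed, and exposes the impact and exploitability subscores so one can see that the 5.1 of CVE-2015-4116 differs from the 6.8 only by access complexity, while the 5.8 of CVE-2016-5114 differs only by the missing availability impact.

```python
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}

# The three vectors quoted in this bug, with the scores the comments give.
THREAD_VECTORS = {
    "AV:N/AC:M/Au:N/C:P/I:P/A:P": 6.8,  # CVE-2016-4071, CVE-2016-5771
    "AV:N/AC:H/Au:N/C:P/I:P/A:P": 5.1,  # CVE-2015-4116
    "AV:N/AC:M/Au:N/C:P/I:P/A:N": 5.8,  # CVE-2016-5114
}


def parse_vector(vector):
    """Split 'AV:N/AC:M/Au:N/C:P/I:P/A:P' (optionally parenthesised) into
    {metric: value}, rejecting missing, repeated or unknown metrics/values."""
    parts = [p.split(":", 1) for p in vector.strip("()").split("/")]
    if any(len(p) != 2 for p in parts):
        raise ValueError("malformed CVSS v2 vector: %r" % vector)
    metrics = dict(parts)
    if len(metrics) != len(parts) or set(metrics) != set(WEIGHTS):
        raise ValueError("malformed CVSS v2 vector: %r" % vector)
    for metric, value in metrics.items():
        if value not in WEIGHTS[metric]:
            raise ValueError("unknown value %r for %s" % (value, metric))
    return metrics


def cvss2_components(vector):
    """Return the unrounded (impact, exploitability) subscores."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]])
                      * (1 - IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    return impact, exploitability


def cvss2_base_score(vector):
    """CVSS v2 base equation, rounded to one decimal, half up."""
    impact, exploitability = cvss2_components(vector)
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    # Python's round() is half-to-even; the specification rounds half up.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"),
                                             rounding=ROUND_HALF_UP))


if __name__ == "__main__":
    for vec, quoted in THREAD_VECTORS.items():
        impact, expl = cvss2_components(vec)
        print("%s  impact=%.2f exploitability=%.2f  score=%.1f (quoted %.1f)"
              % (vec, impact, expl, cvss2_base_score(vec), quoted))
```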
Comment 8 Arvid Requate univentionstaff 2016-10-04 16:41:21 CEST
Upstream Debian package version 5.4.45-0+deb7u5 fixes these issues:

* An invalid free may occur under certain conditions when processing phar-compatible archives (CVE-2016-4473)

* Remote denial of service or unspecified other impact via crafted call to the bcpowmod function in ext/bcmath/bcmath.c (CVE-2016-4538)

* sapi/fpm/fpm/fpm_log.c misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging (CVE-2016-5114)

* Improper error handling in bzread (CVE-2016-5399)

* Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception (CVE-2016-5768)

* Multiple integer overflows in mcrypt.c in the mcrypt extension allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions (CVE-2016-5769)

* Integer overflow in the SplFileObject::fread function in spl_directory.c allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096 (CVE-2016-5770)

* spl_array.c in the SPL extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data (CVE-2016-5771)

* Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call (CVE-2016-5772)

* php_zip.c in the zip extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object (CVE-2016-5773)

* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive (CVE-2016-6289)

* ext/session/session.c does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization (CVE-2016-6290)

* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image (CVE-2016-6291)

* The exif_process_user_comment function in ext/exif/exif.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image (CVE-2016-6292)

* The locale_accept_from_http function in ext/intl/locale/locale_methods.c does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (CVE-2016-6294)

* ext/snmp/snmp.c improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773 (CVE-2016-6295)

* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function (CVE-2016-6296)

* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL (CVE-2016-6297)

* Use After Free Vulnerability in unserialize() (Debianbug 70436)

* PHP Session Data Injection Vulnerability, consume data even if not storing it (Debianbug 72681)
Comment 9 Arvid Requate univentionstaff 2016-10-13 14:02:37 CEST
The following issues have been reported as fixed in the Debian jessie PHP version 5.6; they might affect 5.4 too:

CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127
CVE-2016-7128 CVE-2016-7129 CVE-2016-7130 CVE-2016-7131
CVE-2016-7132 CVE-2016-7411 CVE-2016-7412 CVE-2016-7413
CVE-2016-7414 CVE-2016-7416 CVE-2016-7417 CVE-2016-7418
Comment 10 Arvid Requate univentionstaff 2016-11-17 18:44:13 CET
I've imported and built 5.4.45-0+deb7u5.

That version is not affected by CVE-2016-1903 (code not present)
The other open issues have been transferred to Bug 42987

Advisory: php5.yaml
Comment 11 Felix Botner univentionstaff 2016-11-21 14:56:11 CET
OK - CVE
OK - univention patches
OK - horde docker installation with new php5, owncloud installation
OK - YAML
Comment 12 Philipp Hahn univentionstaff 2016-11-23 14:34:21 CET
<http://errata.software-univention.de/ucs/4.1/330.html>