Univention Bugzilla – Full Text Bug Listing
Summary: | php5: Multiple issues (3.2) | ||
---|---|---|---|
Product: | UCS | Reporter: | Janek Walkenhorst <walkenhorst> |
Component: | Security updates | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
Severity: | normal | ||
Priority: | P4 | CC: | gohmann, jmm, requate |
Version: | UCS 3.2 | ||
Target Milestone: | UCS 3.2-6-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | --- | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | Security | |
Max CVSS v3 score: | |||
Bug Depends on: | 37666 | ||
Bug Blocks: |
Description
Janek Walkenhorst
2014-11-27 17:21:13 CET
Denial of service issues in the ELF parser of the filemagic extensions (CVE-2014-8116, CVE-2014-8117)

Denial of service in the CGI module (CVE-2014-9427)

(In reply to Moritz Muehlenhoff from comment #2)
> Denial of service in the CGI module (CVE-2014-9427)

The PHP version in UCS 3.2 is not affected.

Memory corruption in processing EXIF tags (CVE-2015-0232)

Denial of service via long pascal strings (CVE-2014-9652)

Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)

Denial of Service due to use after free in phar_object.c (CVE-2015-2301)

Heap buffer overflow in enchant_broker_request_dict for PHP "enchant" extension (CVE-2014-9705)

I guess this last issue affects php5-enchant which is in 3.2/maintained/component/php54 (only)

Heap overflow vulnerability in regcomp.c (CVE-2015-2305)

ZIP Integer Overflow leads to writing past heap boundary (CVE-2015-2331)

New issues:

* Buffer Over-read in unserialize when parsing Phar (CVE-2015-2783)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Remote code execution with apache 2.4 apache2handler (CVE-2015-3330)
* Use-after-free vulnerability in the process_nested_data function allows execution of arbitrary code by remote attackers (CVE-2015-2787)
* Buffer Overflow when parsing tar/zip/phar in phar_set_inode (CVE-2015-3329)

New status summary:

Fixed in upstream Debian package version 5.3.3.1-7+squeeze26:

* CVE-2014-8117
* CVE-2015-0232
* CVE-2014-9652
* CVE-2015-2301
* CVE-2014-9705
* CVE-2015-2331
* CVE-2015-2783
* CVE-2015-3330
* CVE-2015-2787
* CVE-2015-3329

Not affected by:

* CVE-2014-8116

These issues have been classified as "Minor issue" in Debian:

* CVE-2014-5459

Currently still unfixed:

* CVE-2015-0273
* CVE-2015-2305
* CVE-2015-2348

CVE-2015-4025 / CVE-2015-4026 Multiple functions didn't check for NULL bytes in path names.

CVE-2015-4024 Denial of service when processing multipart/form-data requests.

CVE-2015-4022 Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code.

CVE-2015-4021 Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives.

* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)

New issues:

* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)

These additional CVEs have been fixed courtesy of Janek Walkenhorst:

* Denial of service in CDF property info parsing (CVE-2014-0237)
* Infinite loop or out-of-bounds memory access in CDF property info parsing (CVE-2014-0238)
* Denial of service via crafted offsets in the softmagic of a PE executable (CVE-2014-2270)

Advisory: 2015-08-18-php5.yaml

Tests: OK

Advisory: OK