Univention Bugzilla – Full Text Bug Listing

| Summary: | php5: Multiple issues (3.2) | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Arvid Requate <requate> |
| Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
| Status: | CLOSED FIXED | QA Contact: | Daniel Tröder <troeder> |
| Severity: | normal | | |
| Priority: | P2 | CC: | gohmann, hahn, walkenhorst |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 3.2-7-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | --- | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | Security |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 39608 | | |
Description

Arvid Requate 2015-08-18 13:16:17 CEST

Fixed in 5.3.3.1-7+squeeze27:

* Remote Denial of Service and possibly unspecified other impact via a crafted tar archive due to heap metadata corruption in the phar_parse_metadata function in ext/phar/phar.c (CVE-2015-3307)
* Missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Remote Denial of Service via a crafted entry in a tar archive due to integer underflow and memory corruption in the phar_parse_tarfile function in ext/phar/tar.c (CVE-2015-4021)
* Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code (CVE-2015-4022)
* Multiple functions didn't check for NULL bytes in path names (CVE-2015-4025 CVE-2015-4026)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to the SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure by providing crafted serialized data with an int data type, due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* Denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)
* Integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
* Denial of Service due to segfault in Phar::convertToData on invalid file (CVE-2015-5589)
* Crash or code injection due to buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)

Known but still unfixed issues:

* CVE-2014-5459 (minor, will not get fixed in squeeze LTS)
* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Denial of service when processing multipart/form-data requests (CVE-2015-4024)
* DoS and code injection due to exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* Use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)
* Use after free vulnerability in session deserializer (CVE-2015-6835)
* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)
* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)

Still unfixed in 5.3.3.1-7+squeeze27:

* Vulnerabilities in unserialize (CVE-2015-6831)
* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)
* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)

repo_admin.py -U -p php5 -d squeeze-lts -r 3.2-0-0 -s errata3.2-7 5.3.3.1-7+squeeze27

r15372 | Revert repo-ng patching
Package: php5
Version: 5.3.3.1-7.217.201510211813
Branch: ucs_3.2-0
Scope: errata3.2-7

r64708 | Bug #39214: php5
2015-10-21-php5.yaml

Sorry - just one week after fixing this, 5.3.3.1-7+squeeze28 became available. Please import and build it, as it closes a good amount of security bugs.

repo_admin.py -U -p php5 -d squeeze-lts -r 3.2-0-0 -s errata3.2-7 5.3.3.1-7+squeeze28

r15430 | Bug #39214 php5: Revert repo-ng patching
Package: php5
Version: 5.3.3.1-7.218.201511161319
Branch: ucs_3.2-0
Scope: errata3.2-7

r65571 | Bug #39214: php5
2015-10-21-php5.yaml

OK: DEBIAN_FRONTEND=noninteractive apt-get install -y php5
OK: 2015-10-21-php5.yaml
OK: Test: echo '<?php phpinfo(); ?>' > /var/www/phpinfo.php ; wget -q -O - http://127.0.0.1/phpinfo.php | egrep -q '5.3.3.*7.218.201511161319' && echo OK

Just for the record, these are the issues listed as fixed in changelog and yaml:

* Use after free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow R: or r: to set references to that already freed memory. It is possible to perform a use-after-free attack and execute arbitrary code remotely (CVE-2015-6831)
* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)
* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
* Use after free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow R: or r: to set references to that already freed memory. It is possible to perform a use-after-free attack and execute arbitrary code remotely (CVE-2015-6834)
* A type confusion occurs within SOAP serialize_function_call due to insufficient validation of the headers field. In the SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; the problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields (CVE-2015-6836)
* The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return a NULL pointer and PHP does not check that (CVE-2015-6837)
* The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return a NULL pointer and PHP does not check that (CVE-2015-6838)
* A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash (CVE-2015-7803)
* An uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name "/ZIP" could cause a PHP application function to crash (CVE-2015-7804)
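The QA test in the thread drops a phpinfo.php into the web root and greps for one exact build string. The script below is an added example, not part of the bug report or of UCS; it turns that check into reusable functions: it pulls the version out of the phpinfo() page, compares the UCS build number (the "218" in 5.3.3.1-7.218.201511161319, which the thread pairs with the squeeze28 import) against a minimum instead of one literal string, so the check keeps passing on later errata builds, and removes the probe file again so phpinfo() is not left reachable. The probe file name, the web root and URL, the sample phpinfo HTML and the assumption that the page carries a "PHP Version ..." heading are all my own.

```shell
#!/bin/sh
# Added example, not from the bug report or UCS: verify that the installed php5
# on a UCS 3.2 host is at least the errata build that carries the squeeze28 fixes.
# MIN_BUILD is the UCS revision from the thread (5.3.3.1-7.218.201511161319).
MIN_BUILD=218

# Constructed sample of phpinfo() output on the fixed build (assumption: the
# version appears in a "PHP Version ..." heading, as stock phpinfo() prints it).
SAMPLE_PHPINFO='<html><head><title>phpinfo()</title></head><body>
<h1 class="p">PHP Version 5.3.3.1-7.218.201511161319</h1>
<h2>System</h2><table><tr><td class="e">System </td><td class="v">Linux ucs 3.2</td></tr></table>
</body></html>'

# php_version_from_phpinfo: read phpinfo() HTML on stdin, print the version
# string from the first "PHP Version ..." heading.
php_version_from_phpinfo() {
    sed -n 's/.*PHP Version \([0-9][^ <]*\).*/\1/p' | head -n 1
}

# extract_build VERSION: print the UCS build number, i.e. the fifth dot-separated
# field of a version like 5.3.3.1-7.218.201511161319. Fails on anything that does
# not follow the UCS scheme, e.g. a stock Debian "5.3.3-7+squeeze28".
extract_build() {
    case "$1" in
        5.3.3.1-7.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | cut -d. -f5
}

# version_ok VERSION: succeed when the build number is at least MIN_BUILD.
version_ok() {
    build=$(extract_build "$1") || return 1
    [ "$build" -ge "$MIN_BUILD" ]
}

# check_live_php: the end-to-end probe from the thread, with the probe file
# removed afterwards. Web root and URL are assumptions for a default UCS Apache.
check_live_php() {
    probe="/var/www/phpinfo-check-$$.php"
    printf '<?php phpinfo(); ?>\n' > "$probe" || return 1
    ver=$(wget -q -O - "http://127.0.0.1/$(basename "$probe")" | php_version_from_phpinfo)
    rm -f "$probe"
    version_ok "$ver"
}

# Run the live probe only when asked for; otherwise exercise the sample page.
if [ "${1:-}" = "--live" ]; then
    check_live_php && echo "php5 build OK" || { echo "php5 build too old or page not readable" >&2; exit 1; }
else
    ver=$(printf '%s\n' "$SAMPLE_PHPINFO" | php_version_from_phpinfo)
    echo "sample reports $ver"
    version_ok "$ver" && echo "sample build OK"
fi
```

Run it with `--live` on the host after `apt-get install php5`; the non-live path only parses the embedded sample. Comparing the build number rather than matching the exact string means the same script still answers "is the squeeze28 fix set present?" after the next errata bumps the version.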