Univention Bugzilla – Full Text Bug Listing
Summary: | php5: Multiple issues (3.3) | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P5 | CC: | gohmann, hahn, jmm, requate, walkenhorst |
Version: | UCS 3.3 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 3.3-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | Security | |
Max CVSS v3 score: | |||
Bug Depends on: | 40918 | ||
Bug Blocks: | 41728 | ||
Description
Arvid Requate
2016-06-06 18:57:49 CEST
* CVE-2016-5093.patch: Absence of null character causes unexpected zend_string length and leaks heap memory. The test script uses locale_get_primary_language to reach get_icu_value_internal, but there are some other functions that also trigger this issue: locale_canonicalize, locale_filter_matches, locale_lookup, locale_parse
* CVE-2016-5094.patch: don't create strings with lengths outside int range
* CVE-2016-5095.patch: similar to CVE-2016-5094, don't create strings with lengths outside int range
* CVE-2016-5096.patch: int/size_t confusion in fread
* CVE-TEMP-bug-70661.patch: bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
* CVE-TEMP-bug-70728.patch: bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
* CVE-TEMP-bug-70741.patch: bug70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
* CVE-TEMP-bug-70480-raw.patch: bug70480: php_url_parse_ex() buffer overflow read

For Debian 7 "Wheezy", these problems have been fixed in version 5.4.45-0+deb7u4.

That "bug70480" above is now known as CVE-2016-6288:

* The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)

Upstream Debian package version 5.4.45-0+deb7u5 fixes these issues:

* An invalid free may occur under certain conditions when processing phar-compatible archives (CVE-2016-4473)
* Remote denial of service or unspecified other impact via crafted call to the bcpowmod function in ext/bcmath/bcmath.c (CVE-2016-4538)
* sapi/fpm/fpm/fpm_log.c misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging (CVE-2016-5114)
* Improper error handling in bzread (CVE-2016-5399)
* Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception (CVE-2016-5768)
* Multiple integer overflows in mcrypt.c in the mcrypt extension allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions (CVE-2016-5769)
* Integer overflow in the SplFileObject::fread function spl_directory.c allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096 (CVE-2016-5770)
* spl_array.c in the SPL extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data (CVE-2016-5771)
* Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call (CVE-2016-5772)
* php_zip.c in the zip extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object (CVE-2016-5773)
* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive (CVE-2016-6289)
* ext/session/session.c does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization (CVE-2016-6290)
* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image (CVE-2016-6291)
* The exif_process_user_comment function in ext/exif/exif.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image (CVE-2016-6292)
* The locale_accept_from_http function in ext/intl/locale/locale_methods.c does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (CVE-2016-6294)
* ext/snmp/snmp.c improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773 (CVE-2016-6295)
* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function (CVE-2016-6296)
* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL (CVE-2016-6297)
* Use After Free Vulnerability in unserialize() (Debianbug 70436)
* PHP Session Data Injection Vulnerability, consume data even if not storing it (Debianbug 72681)

I've cherry-picked the version from errata4.1-4.

Advisory: php5.yaml

OK - CVE
OK - univention patches
OK - horde phpinfo()
OK - YAML
OK - update to 4.0
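The CVE-2016-5114 entry in the list above describes a C pitfall that recurs far beyond PHP-FPM: snprintf() returns the length the formatted string would have had, not the number of bytes it actually stored, so code that adds the return value to a write offset walks past the end of a fixed buffer as soon as one field (here, a long URI) is bigger than the buffer. The following is an added example, not code from PHP, Debian or Univention, and it does not reproduce fpm_log.c; the function names, the 32-byte buffer and the sample URIs are constructed for the demonstration. It shows the offset the naive pattern computes next to a hardened append that clamps the advance and reports truncation.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample inputs (not taken from the bug report or PHP). */
static const char SHORT_URI[] = "/index.php";
static const char LONG_URI[]  = "/" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaa"; /* 40 chars */
#define LOG_BUF_SIZE 32

/* The pitfall: snprintf() returns the length the full string WOULD have had.
 * Naive code adds that to its write offset before formatting the next field.
 * This helper returns the offset such code would compute after the first
 * field and deliberately stops there, so the demo itself never writes out of
 * bounds; with a long URI the returned offset is already past the buffer. */
size_t naive_offset_after_uri(char *buf, size_t size, const char *uri)
{
    int n = snprintf(buf, size, "uri=%s", uri);
    return n < 0 ? 0 : (size_t)n;   /* may exceed size: next write would be out of bounds */
}

/* Hardened pattern: advance only by what actually fit, and record truncation.
 * Returns the number of characters now in buf (not counting the NUL). */
static size_t append_field(char *buf, size_t size, size_t used,
                           const char *label, const char *value, bool *truncated)
{
    if (size == 0) { *truncated = true; return 0; }
    if (used >= size - 1) { *truncated = true; return size - 1; }  /* already full */
    int n = snprintf(buf + used, size - used, "%s%s", label, value);
    if (n < 0) { *truncated = true; return used; }                 /* encoding error */
    if ((size_t)n >= size - used) {           /* did not fit: only size-used-1 chars stored */
        *truncated = true;
        return size - 1;
    }
    return used + (size_t)n;
}

/* Builds "uri=<uri> status=<status>" into buf without ever advancing past it. */
size_t format_log_safe(char *buf, size_t size, const char *uri, int status, bool *truncated)
{
    char status_str[16];
    snprintf(status_str, sizeof status_str, "%d", status);
    *truncated = false;
    size_t used = append_field(buf, size, 0, "uri=", uri, truncated);
    used = append_field(buf, size, used, " status=", status_str, truncated);
    return used;
}

int main(void)
{
    char buf[LOG_BUF_SIZE];
    bool truncated;
    printf("naive offset, short URI: %zu (buffer is %d)\n",
           naive_offset_after_uri(buf, sizeof buf, SHORT_URI), LOG_BUF_SIZE);
    printf("naive offset, long URI:  %zu (buffer is %d) <- past the end\n",
           naive_offset_after_uri(buf, sizeof buf, LONG_URI), LOG_BUF_SIZE);
    format_log_safe(buf, sizeof buf, LONG_URI, 200, &truncated);
    printf("hardened: \"%s\" truncated=%d\n", buf, truncated);
    return 0;
}
```

The hardened version treats a return value greater than or equal to the remaining space as a signal, not as a count, and surfaces the truncation flag so the caller can log the event instead of silently emitting a cut-off line; that flag is also the natural hook for a detection rule on unexpectedly long request URIs reaching a logger.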