Univention Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | php5: Multiple issues (3.2/component/php54) |
| Product | UCS |
| Reporter | Arvid Requate <requate> |
| Component | Security updates |
| Assignee | Security maintainers <security-maintainers> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Severity | normal |
| Priority | P5 |
| CC | gohmann, hahn, jmm, requate |
| Version | UCS 3.2 |
| Flags | requate: Patch_Available+ |
| Target Milestone | UCS 3.2-x-errata |
| Hardware | Other |
| OS | Linux |
| What kind of report is it? | Security Issue |
| What type of bug is this? | --- |
| Who will be affected by this bug? | --- |
| How will those affected feel about the bug? | --- |
| User Pain | |
| Enterprise Customer affected? | |
| School Customer affected? | |
| ISV affected? | |
| Waiting Support | |
| Flags outvoted (downgraded) after PO Review | |
| Ticket number | |
| Bug group (optional) | Security |
| Max CVSS v3 score | |
| Bug Depends on | 41479 |
| Bug Blocks | |
Description
Arvid Requate
2016-07-05 12:07:51 CEST
* CVE-2016-5093.patch: Absence of null character causes unexpected zend_string length and leaks heap memory. The test script uses locale_get_primary_language to reach get_icu_value_internal but there are some other functions that also trigger this issue: locale_canonicalize, locale_filter_matches, locale_lookup, locale_parse
* CVE-2016-5094.patch: don't create strings with lengths outside int range
* CVE-2016-5095.patch: similar to CVE-2016-5094, don't create strings with lengths outside int range
* CVE-2016-5096.patch: int/size_t confusion in fread
* CVE-TEMP-bug-70661.patch: bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
* CVE-TEMP-bug-70728.patch: bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
* CVE-TEMP-bug-70741.patch: bug70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
* CVE-TEMP-bug-70480-raw.patch: bug70480: php_url_parse_ex() buffer overflow read

For Debian 7 "Wheezy", these problems have been fixed in version 5.4.45-0+deb7u4.

That "bug70480" above is now known as CVE-2016-6288:

* The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)

Upstream Debian package version 5.4.45-0+deb7u5 fixes these issues:

* An invalid free may occur under certain conditions when processing phar-compatible archives (CVE-2016-4473)
* Remote denial of service or unspecified other impact via crafted call to the bcpowmod function in ext/bcmath/bcmath.c (CVE-2016-4538)
* sapi/fpm/fpm/fpm_log.c misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging (CVE-2016-5114)
* Improper error handling in bzread (CVE-2016-5399)
* Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception (CVE-2016-5768)
* Multiple integer overflows in mcrypt.c in the mcrypt extension allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions (CVE-2016-5769)
* Integer overflow in the SplFileObject::fread function in spl_directory.c allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096 (CVE-2016-5770)
* spl_array.c in the SPL extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data (CVE-2016-5771)
* Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call (CVE-2016-5772)
* php_zip.c in the zip extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object (CVE-2016-5773)
* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive (CVE-2016-6289)
* ext/session/session.c does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization (CVE-2016-6290)
* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image (CVE-2016-6291)
* The exif_process_user_comment function in ext/exif/exif.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image (CVE-2016-6292)
* The locale_accept_from_http function in ext/intl/locale/locale_methods.c does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (CVE-2016-6294)
* ext/snmp/snmp.c improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773 (CVE-2016-6295)
* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function (CVE-2016-6296)
* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL (CVE-2016-6297)
* Use After Free Vulnerability in unserialize() (Debian bug 70436)
* PHP Session Data Injection Vulnerability, consume data even if not storing it (Debian bug 72681)

This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version; otherwise this issue will be automatically closed in the next weeks.

This issue has been filed against UCS 3.2. UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.