Bug 39214 - php5: Multiple issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
P2 normal
UCS 3.2-7-errata
Assigned To: Philipp Hahn
Daniel Tröder
Blocks: 39608
Reported: 2015-08-18 13:16 CEST by Arvid Requate
Modified: 2015-11-19 16:20 CET (History)

Bug group (optional): Security
Description Arvid Requate univentionstaff 2015-08-18 13:16:17 CEST
With Bug 37093 released, these issues are still open in php5 in UCS 3.2:

* Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459) [Minor issue]

* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)

* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)

* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)

* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)

* Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives (CVE-2015-4021)

* Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code (CVE-2015-4022)

* Denial of service when processing multipart/form-data requests (CVE-2015-4024)

* Multiple functions didn't check for NULL bytes in path names (CVE-2015-4025 / CVE-2015-4026)

* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)

* Information disclosure when providing crafted serialized data with an int data type, due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)

* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)

* Incomplete Class unserialization type confusion (CVE-2015-4602)

* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)

* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)

* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)

* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
Comment 1 Arvid Requate univentionstaff 2015-09-16 12:22:02 CEST
Fixed in 5.3.3.1-7+squeeze27:

* Remote Denial of Service and possibly unspecified other impact via a crafted tar archive due to heap metadata corruption in the phar_parse_metadata function in ext/phar/phar.c (CVE-2015-3307)

* missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)

* Remote Denial of Service via a crafted entry in a tar archive due to integer underflow and memory corruption in the phar_parse_tarfile function in ext/phar/tar.c (CVE-2015-4021)

* Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code (CVE-2015-4022)

* Multiple functions didn't check for NULL bytes in path names (CVE-2015-4025 CVE-2015-4026)

* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)

* Information disclosure when providing crafted serialized data with an int data type, due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)

* missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)

* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)

* Incomplete Class unserialization type confusion (CVE-2015-4602)

* denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)

* integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)

* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)

* Denial of Service due to Segfault in Phar::convertToData on invalid file (CVE-2015-5589)

* Crash or code injection due to Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)
Comment 2 Arvid Requate univentionstaff 2015-09-16 12:22:13 CEST
Known but still unfixed issues:

* CVE-2014-5459 (minor, will not get fixed in squeeze LTS)

* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)

* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)

* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)

* Denial of service when processing multipart/form-data requests (CVE-2015-4024)

* DoS and code injection due to exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)

* use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)

* Use after free vulnerability in session deserializer (CVE-2015-6835)

* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)

* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)
Comment 3 Arvid Requate univentionstaff 2015-10-15 15:31:14 CEST
Still unfixed in 5.3.3.1-7+squeeze27:

* vulnerabilities in unserialize (CVE-2015-6831)
* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)
* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
Comment 4 Philipp Hahn univentionstaff 2015-10-21 19:17:02 CEST
repo_admin.py -U -p php5 -d squeeze-lts -r 3.2-0-0 -s errata3.2-7
 5.3.3.1-7+squeeze27

r15372 | Revert repo-ng patching

Package: php5
Version: 5.3.3.1-7.217.201510211813
Branch: ucs_3.2-0
Scope: errata3.2-7

r64708 | Bug #39214: php5
 2015-10-21-php5.yaml
Comment 5 Daniel Tröder univentionstaff 2015-11-16 12:56:55 CET
Sorry - just one week after fixing this, 5.3.3.1-7+squeeze28 became available. Please import and build it, as it closes a good amount of security bugs.
Comment 6 Philipp Hahn univentionstaff 2015-11-16 13:49:00 CET
repo_admin.py -U -p php5 -d squeeze-lts -r 3.2-0-0 -s errata3.2-7
 5.3.3.1-7+squeeze28

r15430 | Bug #39214 php5: Revert repo-ng patching

Package: php5
Version: 5.3.3.1-7.218.201511161319
Branch: ucs_3.2-0
Scope: errata3.2-7

r65571 | Bug #39214: php5
 2015-10-21-php5.yaml
Comment 7 Daniel Tröder univentionstaff 2015-11-16 14:57:21 CET
OK: DEBIAN_FRONTEND=noninteractive apt-get install -y php5
OK: 2015-10-21-php5.yaml
OK: Test: echo '<?php phpinfo(); ?>' > /var/www/phpinfo.php ; wget -q -O - http://127.0.0.1/phpinfo.php | egrep -q '5.3.3.*7.218.201511161319' && echo OK
Comment 8 Arvid Requate univentionstaff 2015-11-16 16:32:15 CET
Just for the record, these are the issues listed as fixed in changelog and yaml:

* A use-after-free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However, unserialize() will still allow R: or r: to set references to that already freed memory. It is possible to mount a use-after-free attack and execute arbitrary code remotely (CVE-2015-6831)

* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)

* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)

* A use-after-free vulnerability was found in the unserialize() function. We can create a ZVAL and free it via Serializable::unserialize. However, unserialize() will still allow R: or r: to set references to that already freed memory. It is possible to mount a use-after-free attack and execute arbitrary code remotely (CVE-2015-6834)

* A type confusion occurs within SOAP serialize_function_call due to insufficient validation of the headers field. In SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; the problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields (CVE-2015-6836).

* The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that (CVE-2015-6837)

* The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that (CVE-2015-6838)

* A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash (CVE-2015-7803)

* An uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name "/ZIP" could cause a PHP application function to crash (CVE-2015-7804)
Comment 9 Janek Walkenhorst univentionstaff 2015-11-19 16:20:43 CET
<http://errata.software-univention.de/ucs/3.2/381.html>