Univention Bugzilla – Bug 39214
php5: Multiple issues (3.2)
Last modified: 2015-11-19 16:20:43 CET
With Bug 37093 released, these issues are still open in php5 in UCS 3.2:
* Predictable cache file when using the pear tool allows local denial of service (CVE-2014-5459) [Minor issue]
* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Multiple vulnerabilities in the phar extension may result in denial of service or potentially the execution of arbitrary code when processing malformed archives (CVE-2015-4021)
* Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code (CVE-2015-4022)
* Denial of service when processing multipart/form-data requests (CVE-2015-4024)
* Multiple functions didn't check for NULL bytes in path names (CVE-2015-4025 / CVE-2015-4026)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure by providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* Missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* Integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
Fixed in 5.3.3.1-7+squeeze27:
* Remote Denial of Service and possibly unspecified other impact via a crafted tar archive due to heap metadata corruption in the phar_parse_metadata function in ext/phar/phar.c (CVE-2015-3307)
* Missing null byte checks for paths in various PHP extensions (CVE-2015-3411 and CVE-2015-3412)
* Remote Denial of Service via a crafted entry in a tar archive due to integer underflow and memory corruption in the phar_parse_tarfile function in ext/phar/tar.c (CVE-2015-4021)
* Integer overflow in the ftp_genlist() function may result in denial of service or potentially the execution of arbitrary code (CVE-2015-4022)
* Multiple functions didn't check for NULL bytes in path names (CVE-2015-4025 CVE-2015-4026)
* Arbitrary code execution by providing crafted serialized data with an unexpected data type, due to SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39 not verifying that __default_headers is an array (CVE-2015-4147)
* Information disclosure by providing crafted serialized data with an int data type due to the do_soap_call function in ext/soap/soap.c in PHP before 5.4.39 not verifying that the uri property is a string (CVE-2015-4148)
* Missing null byte checks for paths in DOM and GD extensions (CVE-2015-4598)
* Type confusion vulnerability in exception::getTraceAsString in unserialize() with various SOAP methods (CVE-2015-4599 CVE-2015-4600 CVE-2015-4601)
* Incomplete Class unserialization type confusion (CVE-2015-4602)
* Denial of service when processing a crafted file with Fileinfo (CVE-2015-4604 CVE-2015-4605)
* Integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022) (CVE-2015-4643)
* NULL pointer dereference in php_pgsql_meta_data() (CVE-2015-4644)
* Denial of Service due to Segfault in Phar::convertToData on invalid file (CVE-2015-5589)
* Crash or code injection due to Buffer overflow and stack smashing error in phar_fix_filepath (CVE-2015-5590)
Known but still unfixed issues:
* CVE-2014-5459 (minor, will not get fixed in squeeze LTS)
* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)
* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)
* Denial of service when processing multipart/form-data requests (CVE-2015-4024)
* DoS and code injection due to exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)
* Use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)
* Use after free vulnerability in session deserializer (CVE-2015-6835)
* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)
* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)
Still unfixed in 5.3.3.1-7+squeeze27:
* Vulnerabilities in unserialize (CVE-2015-6831)
* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)
* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
repo_admin.py -U -p php5 -d squeeze-lts -r 3.2-0-0 -s errata3.2-7 5.3.3.1-7+squeeze27
r15372 | Revert repo-ng patching
Package: php5
Version: 5.3.3.1-7.217.201510211813
Branch: ucs_3.2-0
Scope: errata3.2-7
r64708 | Bug #39214: php5 2015-10-21-php5.yaml
Sorry - just one week after fixing this, 5.3.3.1-7+squeeze28 became available. Please import and build it, as it closes a good amount of security bugs.
repo_admin.py -U -p php5 -d squeeze-lts -r 3.2-0-0 -s errata3.2-7 5.3.3.1-7+squeeze28
r15430 | Bug #39214 php5: Revert repo-ng patching
Package: php5
Version: 5.3.3.1-7.218.201511161319
Branch: ucs_3.2-0
Scope: errata3.2-7
r65571 | Bug #39214: php5 2015-10-21-php5.yaml
OK: DEBIAN_FRONTEND=noninteractive apt-get install -y php5
OK: 2015-10-21-php5.yaml
OK: Test: echo '<?php phpinfo(); ?>' > /var/www/phpinfo.php ; wget -q -O - http://127.0.0.1/phpinfo.php | egrep -q '5.3.3.*7.218.201511161319' && echo OK
Just for the record, these are the issues listed as fixed in changelog and yaml:
* Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely (CVE-2015-6831)
* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)
* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
* Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely (CVE-2015-6834)
* A type confusion occurs within SOAP serialize_function_call due to an insufficient validation of the headers field. In the SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields (CVE-2015-6836)
* The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that (CVE-2015-6837)
* The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that (CVE-2015-6838)
* A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash (CVE-2015-7803)
* An uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name "/ZIP" could cause a PHP application function to crash (CVE-2015-7804)
<http://errata.software-univention.de/ucs/3.2/381.html>