Univention Bugzilla – Bug 39608
php5: Multiple issues (3.2)
Last modified: 2019-04-11 19:23:10 CEST
+++ This bug was initially created as a clone of Bug #39214 +++ Known but still unfixed issues: * CVE-2014-5459 (minor, will not get fixed in squeeze LTS) * Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273) * Heap overflow vulnerability in regcomp.c (CVE-2015-2305) * Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348) * Denial of service when processing multipart/form-data requests (CVE-2015-4024) * DoS and code injection due to exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603) * use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834) * Use after free vulnerability in session deserializer (CVE-2015-6835) * SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836) * Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838) Still unfixed in 5.3.3.1-7+squeeze27: * vulnerabilities in unserialize (CVE-2015-6831) * Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832) * Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
The following issues have been fixed in 5.3.3.1-7+squeeze29: CVE-2015-2305 Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow. CVE-2015-2348 The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. CVE-2016-tmp, Bug #71039 exec functions ignore length but look for NULL termination CVE-2016-tmp, Bug #71089 No check to duplicate zend_extension CVE-2016-tmp, Bug #71201 round() segfault on 64-bit builds CVE-2016-tmp, Bug #71459 Integer overflow in iptcembed() CVE-2016-tmp, Bug #71354 Heap corruption in tar/zip/phar parser CVE-2016-tmp, Bug #71391 NULL Pointer Dereference in phar_tar_setupmetadata() CVE-2016-tmp, Bug #70979 Crash on bad SOAP request
Additional issues, individual patches available upstream: * The make_http_soap_request function in ext/soap/php_http.c in PHP ... (CVE-2015-8835) * Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, ... (CVE-2016-2554) * Use-after-free vulnerability in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. (CVE-2016-3141) * The phar_parse_zipfile function in zip.c in the PHAR extension allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. (CVE-2016-3142)
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
This issue has been filed against UCS 3.2. UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.