Bug 39608 - php5: Multiple issues (3.2)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
Hardware: Other Linux
Importance: P2 normal
Target Milestone: ---
Assigned To: Security maintainers
QA Contact:
Depends on: 39214
Blocks:
Reported: 2015-10-21 19:18 CEST by Philipp Hahn
Modified: 2019-04-11 19:23 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
requate: Patch_Available+


Description Philipp Hahn univentionstaff 2015-10-21 19:18:12 CEST
+++ This bug was initially created as a clone of Bug #39214 +++

Known but still unfixed issues:

* CVE-2014-5459 (minor, will not get fixed in squeeze LTS)

* Remote code execution due to use after free vulnerability in unserialize() of the DateTimeZone implementation (CVE-2015-0273)

* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)

* Bypass of extension restrictions in move_uploaded_file, creation of files with unexpected names by remote attacker (CVE-2015-2348)

* Denial of service when processing multipart/form-data requests (CVE-2015-4024)

* DoS and code injection due to exception::getTraceAsString type confusion issue after unserialize (CVE-2015-4603)

* Use-after-free attack and remote code injection via vulnerability in unserialize() (CVE-2015-6834)

* Use after free vulnerability in session deserializer (CVE-2015-6835)

* SOAP serialize_function_call() type confusion / RCE (CVE-2015-6836)

* Remote Denial of Service due to NULL pointer dereference in XSLTProcessor (CVE-2015-6837 CVE-2015-6838)


Still unfixed in 5.3.3.1-7+squeeze27:

* vulnerabilities in unserialize (CVE-2015-6831)
* Dangling pointer in the unserialization of ArrayObject items (CVE-2015-6832)
* Files extracted from archive may be placed outside of destination directory (CVE-2015-6833)
Comment 1 Arvid Requate univentionstaff 2016-03-01 11:50:21 CET
The following issues have been fixed in 5.3.3.1-7+squeeze29:

CVE-2015-2305
    Integer overflow in the regcomp implementation in the Henry
    Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on
    32-bit platforms, as used in NetBSD through 6.1.5 and other
    products, might allow context-dependent attackers to execute
    arbitrary code via a large regular expression that leads to
    a heap-based buffer overflow.
CVE-2015-2348
    The move_uploaded_file implementation in
    ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x
    before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon
    encountering a \x00 character, which allows remote attackers to
    bypass intended extension restrictions and create files with
    unexpected names via a crafted second argument.
    NOTE: this vulnerability exists because of an incomplete fix for
          CVE-2006-7243.
CVE-2016-tmp, Bug #71039
    exec functions ignore length but look for NULL termination
CVE-2016-tmp, Bug #71089
    No check to duplicate zend_extension
CVE-2016-tmp, Bug #71201
    round() segfault on 64-bit builds
CVE-2016-tmp, Bug #71459
    Integer overflow in iptcembed()
CVE-2016-tmp, Bug #71354
    Heap corruption in tar/zip/phar parser
CVE-2016-tmp, Bug #71391
    NULL Pointer Dereference in phar_tar_setupmetadata()
CVE-2016-tmp, Bug #70979
    Crash on bad SOAP request
Comment 2 Arvid Requate univentionstaff 2016-05-17 20:50:37 CEST
Additional issues, individual patches available upstream: 

* The make_http_soap_request function in ext/soap/php_http.c in PHP ... (CVE-2015-8835)

* Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, ... (CVE-2016-2554)

* Use-after-free vulnerability in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. (CVE-2016-3141)

* The phar_parse_zipfile function in zip.c in the PHAR extension allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. (CVE-2016-3142)
Comment 3 Stefan Gohmann univentionstaff 2017-06-16 20:35:47 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 4 Stefan Gohmann univentionstaff 2017-08-08 07:10:35 CEST
This issue has been filed against UCS 3.2.

UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.