Univention Bugzilla – Bug 40918
php5: Multiple issues (4.1)
Last modified: 2017-10-26 13:53:55 CEST
Upstream Debian package version 5.4.45-0+deb7u2 fixes these issues:
* Denial of service due to crash of the phar extension caused by NULL pointer dereference when processing tar archives containing links referring to non-existing files. (CVE-2015-7803) https://bugs.php.net/bug.php?id=69720
* Denial of service and potential information disclosure due to the phar extension incorrectly processing directory entries found in archive files with the name "/". (CVE-2015-7804) https://bugs.php.net/bug.php?id=70433
Info: Debian Jessie updated to 5.6.20, which fixes these issues:
* Buffer over-write in finfo_open with malformed magic file (CVE-2015-8865)
* Integer Overflow in php_raw_url_encode (CVE-2016-4070)
* php_snmp_error() Format String Vulnerability (CVE-2016-4071)
* Invalid memory write in phar on filename with \0 in name (CVE-2016-4072)
* AddressSanitizer: negative-size-param (-1) in mbfl_strcut (CVE-2016-4073)
Additional issues, individual patches available upstream:
* The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function. (CVE-2016-1903)
* Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, ... (CVE-2016-2554)
* Use-after-free vulnerability in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. (CVE-2016-3141)
* The phar_parse_zipfile function in zip.c in the PHAR extension allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. (CVE-2016-3142)
Upstream Debian package version 5.4.45-0+deb7u3 fixes these issues:
* The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file (CVE-2015-8865).
* libxml_disable_entity_loader setting is shared between threads: ext/libxml/libxml.c in PHP before 5.5.22, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161 (CVE-2015-8866).
* main/php_open_temporary_file.c in PHP before 5.5.28 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses (CVE-2015-8878).
* The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (CVE-2015-8879).
* Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function (CVE-2016-4070).
* Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call (CVE-2016-4071).
* The Phar extension in PHP before 5.5.34 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c (CVE-2016-4072).
* Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call (CVE-2016-4073).
* The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive (CVE-2016-4343).
* The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (CVE-2016-4537).
* The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero (CVE-2016-4539).
* The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (CVE-2016-4540, CVE-2016-4541).
* The exif_process_* functions in ext/exif/exif.c in PHP before 5.5.35 do not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544).
* CVE-2016-5093.patch: Absence of null character causes unexpected zend_string length and leaks heap memory. The test script uses locale_get_primary_language to reach get_icu_value_internal but there are some other functions that also trigger this issue: locale_canonicalize, locale_filter_matches, locale_lookup, locale_parse
* CVE-2016-5094.patch: don't create strings with lengths outside int range
* CVE-2016-5095.patch: similar to CVE-2016-5094, don't create strings with lengths outside int range
* CVE-2016-5096.patch: int/size_t confusion in fread
* CVE-TEMP-bug-70661.patch: bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
* CVE-TEMP-bug-70728.patch: bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
* CVE-TEMP-bug-70741.patch: bug70741: Session WDDX Packet Deserialization Type Confusion Vulnerability
* CVE-TEMP-bug-70480-raw.patch: bug70480: php_url_parse_ex() buffer overflow read
For Debian 7 "Wheezy", these problems have been fixed in version 5.4.45-0+deb7u4.
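The CVE-2015-8866 entry above (libxml_disable_entity_loader state shared between PHP-FPM threads) is a reminder that a request handler must not assume some other code path has already switched external entity loading off. The following is an added example written for this page, not code from the Univention bug, the Debian package or PHP itself: it sets and restores the loader state around every parse and rejects any document that carries its own DTD. The function name, the sample payloads and the file path inside the payload are constructed for the demonstration; the syntax is kept PHP 5.4-compatible because the package discussed is php5.

```php
<?php
// Added example, not taken from the Univention bug, the Debian package or
// PHP itself. Because the libxml_disable_entity_loader() state could leak
// between PHP-FPM workers (CVE-2015-8866), this parser never relies on a
// previously set value: it sets the state itself, parses, and restores it.

function parseUntrustedXml($xml)
{
    // Both calls return the previous setting, so the caller's state can be
    // put back afterwards instead of leaking into the next request.
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access during parsing; LIBXML_NOENT is
    // deliberately absent so entity substitution stays switched off.
    $loaded = $doc->loadXML($xml, LIBXML_NONET);

    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    libxml_disable_entity_loader($prevLoader);

    if (!$loaded) {
        return null;                 // malformed input
    }
    if ($doc->doctype !== null) {
        return null;                 // internal DTD / entity declarations: reject
    }
    return $doc;
}

// Constructed inputs for the demonstration (the file path is hypothetical).
$xxePayload = '<?xml version="1.0"?>'
    . '<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    . '<data>&xxe;</data>';
$benign = '<?xml version="1.0"?><data>hello</data>';

$rejected = (parseUntrustedXml($xxePayload) === null);   // DTD present
$doc      = parseUntrustedXml($benign);
$text     = ($doc !== null) ? $doc->documentElement->textContent : null;
```

The DOCTYPE check is the part that still matters on a fixed package: even with external loading disabled, an internal DTD can declare expanding entities (the XEE case named in the CVE text), and refusing documents that declare a DTD at all is the simplest policy for data the application never expects to carry one. On PHP 8.0 and later, libxml_disable_entity_loader() is deprecated because external entity loading is off by default there; the per-call pattern is what the php5 packages on this page need.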
The following issues have been reported as fixed in the Jessie version:
* _php_mb_regex_ereg_replace_exec - double free (CVE-2016-5768)
* Heap Overflow due to integer overflows (CVE-2016-5769)
* int/size_t confusion in SplFileObject::fread (CVE-2016-5770)
* Use After Free Vulnerability in PHP's GC algorithm and unserialize (CVE-2016-5771)
* Double Free Corruption in wddx_deserialize (CVE-2016-5772)
* ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize (CVE-2016-5773)
Of all of the above, CVE-2016-4071 and CVE-2016-5771 have the highest impact: CVSS v2 Base score 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
The following issues have been fixed in the Debian "Jessie" php5 package version 5.6.24+dfsg-0+deb8u1:
* PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue. (CVE-2016-5385)
* Improper error handling in bzread() (CVE-2016-5399)
* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. (CVE-2016-6289)
* ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. (CVE-2016-6290)
* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. (CVE-2016-6291)
* The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image. (CVE-2016-6292)
* The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument. (CVE-2016-6294)
* ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773. (CVE-2016-6295)
* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function. (CVE-2016-6296)
* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. (CVE-2016-6297)
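The httpoxy entry (CVE-2016-5385) in the list above describes a mechanism rather than a memory bug, and it is worth seeing in code. The block below is an added example written for this page, not code from the Univention bug, the Debian package or PHP itself. It reproduces the RFC 3875 section 4.1.18 mapping that turns a client-supplied "Proxy:" request header into the HTTP_PROXY meta-variable, then contrasts a client that honours that variable blindly with one that only trusts it under the CLI SAPI. The function names, the host names, and the $sapiName / $configuredProxy parameters (stand-ins for php_sapi_name() and an application's own configuration) are constructed for the demonstration; syntax is kept PHP 5.4-compatible because the package discussed is php5.

```php
<?php
// Added example, not taken from the Univention bug, the Debian package or
// PHP itself. It shows the CVE-2016-5385 ("httpoxy") mechanism: the CGI
// variable mapping turns a client-supplied "Proxy:" request header into
// HTTP_PROXY, which an HTTP client library may then honour.

// Stand-in for the RFC 3875 section 4.1.18 mapping that a CGI/FastCGI web
// server performs: request header "Foo-Bar: v" becomes HTTP_FOO_BAR=v.
function cgiMetaVariables(array $requestHeaders)
{
    $env = array();
    foreach ($requestHeaders as $name => $value) {
        $env['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $env;
}

// Vulnerable pattern: the outbound proxy is taken from HTTP_PROXY without
// asking how that variable got into the environment. In a web SAPI this is
// exactly the attacker's "Proxy:" header.
function outboundProxyVulnerable(array $env)
{
    return isset($env['HTTP_PROXY']) ? $env['HTTP_PROXY'] : null;
}

// Hardened pattern: an operator-set proxy (from the application's own
// configuration, hypothetical here) always wins; otherwise HTTP_PROXY is
// honoured only under the CLI SAPI, where HTTP_* variables cannot come from
// a request. $sapiName stands in for php_sapi_name() so the behaviour can be
// shown without a web server.
function outboundProxyHardened(array $env, $sapiName, $configuredProxy = null)
{
    if ($configuredProxy !== null) {
        return $configuredProxy;
    }
    if ($sapiName !== 'cli') {
        return null;             // never trust HTTP_PROXY in a web SAPI
    }
    return isset($env['HTTP_PROXY']) ? $env['HTTP_PROXY'] : null;
}

// Constructed request: an attacker adds a "Proxy:" header to an ordinary GET.
$attackerHeaders = array(
    'Host'  => 'app.example.test',
    'Proxy' => 'http://attacker.example.test:8080',
);
$env = cgiMetaVariables($attackerHeaders);

$vulnerable = outboundProxyVulnerable($env);            // client-controlled value
$hardened   = outboundProxyHardened($env, 'cgi-fcgi');  // client value ignored
$cliOnly    = outboundProxyHardened(
    array('HTTP_PROXY' => 'http://proxy.internal.test:3128'), 'cli'
);
```

Run as written, the vulnerable call hands back the attacker's proxy URL, the hardened call under a web SAPI returns null, and only the CLI case honours an HTTP_PROXY that the operator actually exported. The upstream fix shipped in the 5.6.24 package makes getenv('HTTP_PROXY') ignore the header-derived value outside the CLI, which is the same policy as outboundProxyHardened(); the complementary web-server mitigation is to drop the header before it reaches CGI at all, for Apache with mod_headers: `RequestHeader unset Proxy early`.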
That "bug70480" above is now known as CVE-2016-6288:
* The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)
The following issues have been reported as fixed in Ubuntu (Jessie version is unaffected):
* Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation. (CVE-2015-4116)
* sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging. (CVE-2016-5114)
CVE-2015-4116: CVSS v2 base score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
CVE-2016-5114: CVSS v2 base score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Upstream Debian package version 5.4.45-0+deb7u5 fixes these issues:
* An invalid free may occur under certain conditions when processing phar-compatible archives (CVE-2016-4473)
* Remote denial of service or unspecified other impact via crafted call to the bcpowmod function in ext/bcmath/bcmath.c (CVE-2016-4538)
* sapi/fpm/fpm/fpm_log.c misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging (CVE-2016-5114)
* Improper error handling in bzread (CVE-2016-5399)
* Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception (CVE-2016-5768)
* Multiple integer overflows in mcrypt.c in the mcrypt extension allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions (CVE-2016-5769)
* Integer overflow in the SplFileObject::fread function in spl_directory.c allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096 (CVE-2016-5770)
* spl_array.c in the SPL extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data (CVE-2016-5771)
* Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call (CVE-2016-5772)
* php_zip.c in the zip extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object (CVE-2016-5773)
* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive (CVE-2016-6289)
* ext/session/session.c does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization (CVE-2016-6290)
* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image (CVE-2016-6291)
* The exif_process_user_comment function in ext/exif/exif.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image (CVE-2016-6292)
* The locale_accept_from_http function in ext/intl/locale/locale_methods.c does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (CVE-2016-6294)
* ext/snmp/snmp.c improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773 (CVE-2016-6295)
* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function (CVE-2016-6296)
* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL (CVE-2016-6297)
* Use After Free Vulnerability in unserialize() (Debian bug 70436)
* PHP Session Data Injection Vulnerability, consume data even if not storing it (Debian bug 72681)
The following issues have been reported as fixed in the Debian jessie PHP version 5.6; they might affect 5.4 too:
CVE-2016-7124 CVE-2016-7125 CVE-2016-7126 CVE-2016-7127 CVE-2016-7128 CVE-2016-7129 CVE-2016-7130 CVE-2016-7131 CVE-2016-7132 CVE-2016-7411 CVE-2016-7412 CVE-2016-7413 CVE-2016-7414 CVE-2016-7416 CVE-2016-7417 CVE-2016-7418
I've imported and built 5.4.45-0+deb7u5. That version is not affected by CVE-2016-1903 (code not present). The other open issues have been transferred to Bug 42987.
Advisory: php5.yaml
OK - CVE
OK - univention patches
OK - horde docker installation with new php5, owncloud installation
OK - YAML
<http://errata.software-univention.de/ucs/4.1/330.html>