Bug 41479 - php5: Multiple issues (3.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.3
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.3-0-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on: 40918
Blocks: 41728
Reported: 2016-06-06 18:57 CEST by Arvid Requate
Modified: 2016-11-23 12:16 CET
CC: 5 users

What kind of report is it?: Security Issue
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2016-06-06 18:57:49 CEST
+++ This bug was initially created as a clone of Bug #40918 +++

Upstream Debian package version 5.4.45-0+deb7u3 fixes these issues:

* The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file (CVE-2015-8865).

* libxml_disable_entity_loader setting is shared between threads: ext/libxml/libxml.c in PHP before 5.5.22, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161 (CVE-2015-8866).

* main/php_open_temporary_file.c in PHP before 5.5.28 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses (CVE-2015-8878).

* The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (CVE-2015-8879).

* Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function (CVE-2016-4070).

* Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call (CVE-2016-4071).

* The Phar extension in PHP before 5.5.34 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c (CVE-2016-4072).

* Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call (CVE-2016-4073).

* The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive (CVE-2016-4343).

* The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (CVE-2016-4537).

* The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero (CVE-2016-4539).

* The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (CVE-2016-4540, CVE-2016-4541).

* The exif_process_* function in ext/exif/exif.c in PHP before 5.5.35 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544).
Comment 1 Janek Walkenhorst univentionstaff 2016-07-04 18:20:05 CEST
    * CVE-2016-5093.patch
      Absence of null character causes unexpected zend_string length and
      leaks heap memory. The test script uses locale_get_primary_language
      to reach get_icu_value_internal but there are some other functions
      that also trigger this issue:
        locale_canonicalize, locale_filter_matches,
        locale_lookup, locale_parse
    * CVE-2016-5094.patch
      don't create strings with lengths outside int range
    * CVE-2016-5095.patch
      similar to CVE-2016-5094
      don't create strings with lengths outside int range
    * CVE-2016-5096.patch
      int/size_t confusion in fread
    * CVE-TEMP-bug-70661.patch
      bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
    * CVE-TEMP-bug-70728.patch
      bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
    * CVE-TEMP-bug-70741.patch
      bug70741: Session WDDX Packet Deserialization Type Confusion
                Vulnerability
    * CVE-TEMP-bug-70480-raw.patch
      bug70480: php_url_parse_ex() buffer overflow read


For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u4.
Comment 2 Arvid Requate univentionstaff 2016-08-09 19:49:01 CEST
That "bug70480" above is now known as CVE-2016-6288:

* The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)
Comment 3 Arvid Requate univentionstaff 2016-10-04 16:43:01 CEST
Upstream Debian package version 5.4.45-0+deb7u5 fixes these issues:

* An invalid free may occur under certain conditions when processing phar-compatible archives (CVE-2016-4473)

* Remote denial of service or unspecified other impact via crafted call to the bcpowmod function in ext/bcmath/bcmath.c (CVE-2016-4538)

* sapi/fpm/fpm/fpm_log.c misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging (CVE-2016-5114)

* Improper error handling in bzread (CVE-2016-5399)

* Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception (CVE-2016-5768)

* Multiple integer overflows in mcrypt.c in the mcrypt extension allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions (CVE-2016-5769)

* Integer overflow in the SplFileObject::fread function spl_directory.c allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096 (CVE-2016-5770)

* spl_array.c in the SPL extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data (CVE-2016-5771)

* Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call (CVE-2016-5772)

* php_zip.c in the zip extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object (CVE-2016-5773)

* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive (CVE-2016-6289)

* ext/session/session.c does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization (CVE-2016-6290)

* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image (CVE-2016-6291)

* The exif_process_user_comment function in ext/exif/exif.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image (CVE-2016-6292)

* The locale_accept_from_http function in ext/intl/locale/locale_methods.c does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (CVE-2016-6294)

* ext/snmp/snmp.c improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773 (CVE-2016-6295)

* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function (CVE-2016-6296)

* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL (CVE-2016-6297)

* Use After Free Vulnerability in unserialize() (Debian bug 70436)

* PHP Session Data Injection Vulnerability, consume data even if not storing it (Debian bug 72681)
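Added example (not part of this bug report or of the Univention/Debian php5 packages): a Python check that tells an administrator which of the issues listed in the description, Comment 1 and Comment 3 are still open on a host, given the installed php5 package version. It maps each fixed Debian package version named in those comments (5.4.45-0+deb7u3, deb7u4, deb7u5) to the CVE and Debian bug ids it closes, and orders versions with a port of dpkg's comparison rules (epoch, then upstream version, then Debian revision, with "~" sorting before everything), so that suffixes like deb7u10 compare correctly against deb7u9. The installed version string in the usage block is a constructed sample; on a real host it would come from `dpkg-query -W -f '${Version}' php5`.

```python
import re

# Fixed package version -> ids it closes, as listed in the bug comments above.
# Debian bugs without a CVE are given as "bug<id>".
FIXES = {
    "5.4.45-0+deb7u3": [
        "CVE-2015-8865", "CVE-2015-8866", "CVE-2015-8878", "CVE-2015-8879",
        "CVE-2016-4070", "CVE-2016-4071", "CVE-2016-4072", "CVE-2016-4073",
        "CVE-2016-4343", "CVE-2016-4537", "CVE-2016-4539", "CVE-2016-4540",
        "CVE-2016-4541", "CVE-2016-4542", "CVE-2016-4543", "CVE-2016-4544",
    ],
    "5.4.45-0+deb7u4": [
        "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-5095", "CVE-2016-5096",
        "CVE-2016-6288", "bug70661", "bug70728", "bug70741",
    ],
    "5.4.45-0+deb7u5": [
        "CVE-2016-4473", "CVE-2016-4538", "CVE-2016-5114", "CVE-2016-5399",
        "CVE-2016-5768", "CVE-2016-5769", "CVE-2016-5770", "CVE-2016-5771",
        "CVE-2016-5772", "CVE-2016-5773", "CVE-2016-6289", "CVE-2016-6290",
        "CVE-2016-6291", "CVE-2016-6292", "CVE-2016-6294", "CVE-2016-6295",
        "CVE-2016-6296", "CVE-2016-6297", "bug70436", "bug72681",
    ],
}

DIGITS = "0123456789"


def _order(c: str) -> int:
    # dpkg's character weight: digits 0, letters by code point, '~' below
    # everything including end of string, any other character above letters.
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    # Port of dpkg's verrevcmp(): alternate non-digit runs (compared character
    # by character through _order) and numeric runs (compared as integers).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        na = re.match(r"\d*", a[i:]).group()
        nb = re.match(r"\d*", b[j:]).group()
        i += len(na)
        j += len(nb)
        diff = int(na or "0") - int(nb or "0")
        if diff:
            return diff
    return 0


def _split(version: str):
    # "epoch:upstream-revision" -> (epoch, upstream, revision); epoch and
    # revision are optional, and only the last '-' separates the revision.
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1, ordering a and b as `dpkg --compare-versions` does."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def missing_fixes(installed: str) -> list:
    """Ids from this bug whose fixing package version is newer than `installed`."""
    missing = []
    for fixed_version, ids in FIXES.items():
        if compare_versions(installed, fixed_version) < 0:
            missing.extend(ids)
    return missing


if __name__ == "__main__":
    installed = "5.4.45-0+deb7u4"  # constructed sample, not from a real host
    print(installed, "still missing:", missing_fixes(installed) or "nothing")
```

With the sample version deb7u4 the check reports exactly the Comment 3 set (the deb7u5 issues) as still open; with deb7u5 or later it reports nothing. The version table is the only part tied to this bug; the comparison routine works for any Debian package version string.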
Comment 4 Arvid Requate univentionstaff 2016-11-17 18:46:55 CET
I've cherry-picked the version from errata4.1-4.

Advisory: php5.yaml
Comment 5 Felix Botner univentionstaff 2016-11-21 17:18:16 CET
OK - CVE
OK - univention patches
OK - horde phpinfo()
OK - YAML
OK - update to 4.0
Comment 6 Philipp Hahn univentionstaff 2016-11-23 12:16:45 CET
<http://errata.software-univention.de/ucs/3.3/23.html>