Bug 41728 - php5: Multiple issues (3.2/component/php54)
Status: CLOSED WONTFIX
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 3.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-x-errata
Assigned To: Security maintainers
Depends on: 41479
Blocks:
Reported: 2016-07-05 12:07 CEST by Arvid Requate
Modified: 2019-04-11 19:23 CEST (History)
CC List: 4 users

See Also:
What kind of report is it?: Security Issue
Bug group (optional): Security
requate: Patch_Available+
Description Arvid Requate univentionstaff 2016-07-05 12:07:51 CEST
+++ This bug was initially created as a clone of Bug #41479 +++

Upstream Debian package version 5.4.45-0+deb7u3 fixes these issues:

* The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file (CVE-2015-8865)

* libxml_disable_entity_loader setting is shared between threads: ext/libxml/libxml.c in PHP before 5.5.22, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161 (CVE-2015-8866).

* main/php_open_temporary_file.c in PHP before 5.5.28 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses (CVE-2015-8878).

* The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table (CVE-2015-8879).

* Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function (CVE-2016-4070).

* Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call (CVE-2016-4071).

* The Phar extension in PHP before 5.5.34 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c (CVE-2016-4072).

* Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call (CVE-2016-4073).

* The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive (CVE-2016-4343).

* The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call (CVE-2016-4537).

* The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero (CVE-2016-4539).

* The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset (CVE-2016-4540, CVE-2016-4541).

* The exif_process_* function in ext/exif/exif.c in PHP before 5.5.35 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data (CVE-2016-4542, CVE-2016-4543, CVE-2016-4544).
Comment 1 Arvid Requate univentionstaff 2016-07-05 12:08:36 CEST
    * CVE-2016-5093.patch
      Absence of null character causes unexpected zend_string length and
      leaks heap memory. The test script uses locale_get_primary_language
      to reach get_icu_value_internal but there are some other functions
      that also trigger this issue:
        locale_canonicalize, locale_filter_matches,
        locale_lookup, locale_parse
    * CVE-2016-5094.patch
      don't create strings with lengths outside int range
    * CVE-2016-5095.patch
      similar to CVE-2016-5094
      don't create strings with lengths outside int range
    * CVE-2016-5096.patch
      int/size_t confusion in fread
    * CVE-TEMP-bug-70661.patch
      bug70661: Use After Free Vulnerability in WDDX Packet Deserialization
    * CVE-TEMP-bug-70728.patch
      bug70728: Type Confusion Vulnerability in PHP_to_XMLRPC_worker()
    * CVE-TEMP-bug-70741.patch
      bug70741: Session WDDX Packet Deserialization Type Confusion
                Vulnerability
    * CVE-TEMP-bug-70480-raw.patch
      bug70480: php_url_parse_ex() buffer overflow read


For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u4.
Comment 2 Arvid Requate univentionstaff 2016-08-09 19:49:28 CEST
That "bug70480" above is now known as CVE-2016-6288:

* The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)
Comment 3 Arvid Requate univentionstaff 2016-10-04 16:42:38 CEST
Upstream Debian package version 5.4.45-0+deb7u5 fixes these issues:

* An invalid free may occur under certain conditions when processing phar-compatible archives (CVE-2016-4473)

* Remote denial of service or unspecified other impact via crafted call to the bcpowmod function in ext/bcmath/bcmath.c (CVE-2016-4538)

* sapi/fpm/fpm/fpm_log.c misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging (CVE-2016-5114)

* Improper error handling in bzread (CVE-2016-5399)

* Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception (CVE-2016-5768)

* Multiple integer overflows in mcrypt.c in the mcrypt extension allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions (CVE-2016-5769)

* Integer overflow in the SplFileObject::fread function in spl_directory.c allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096 (CVE-2016-5770)

* spl_array.c in the SPL extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data (CVE-2016-5771)

* Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call (CVE-2016-5772)

* php_zip.c in the zip extension improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object (CVE-2016-5773)

* Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive (CVE-2016-6289)

* ext/session/session.c does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization (CVE-2016-6290)

* The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image (CVE-2016-6291)

* The exif_process_user_comment function in ext/exif/exif.c allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image (CVE-2016-6292)

* The locale_accept_from_http function in ext/intl/locale/locale_methods.c does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (CVE-2016-6294)

* ext/snmp/snmp.c improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773 (CVE-2016-6295)

* Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function (CVE-2016-6296)

* Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL (CVE-2016-6297)

* Use After Free Vulnerability in unserialize() (Debian bug 70436)

* PHP Session Data Injection Vulnerability, consume data even if not storing it (Debian bug 72681)
Comment 4 Stefan Gohmann univentionstaff 2017-06-16 20:36:59 CEST
This issue has been filed against UCS 3. UCS 3 is out of normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version; otherwise, this issue will be automatically closed in the next weeks.
Comment 5 Stefan Gohmann univentionstaff 2017-08-08 07:11:28 CEST
This issue has been filed against UCS 3.2.

UCS 3.2 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.