oss-sec mailing list archives
Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases
From: cve-assign () mitre org
Date: Sat, 23 Apr 2016 23:55:25 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
http://www.ubuntu.com/usn/usn-2952-1/
- - Buffer over-write in finfo_open with malformed magic file https://bugs.php.net/bug.php?id=71527 http://bugs.gw.com/view.php?id=522 https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36 http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e
It was discovered that the PHP Fileinfo component incorrectly handled certain magic files. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Use CVE-2015-8865 for this issue affecting file before 5.23 (see the http://bugs.gw.com/view.php?id=522#c1237 comment). The security relevance depends, in part, on "If a compiled magic file is found alongside a file or directory, it will be used instead" in the https://github.com/file/file/blob/master/doc/file.man man page.
- - Integer overflow in php_raw_url_encode https://bugs.php.net/bug.php?id=71798 https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
It was discovered that the PHP rawurlencode() function incorrectly handled large strings. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service.
Use CVE-2016-4070. Note that the 71798 [2016-03-27 21:25 UTC] comment says "Not sure if this qualifies as security issue (probably not)."
- - php_snmp_error() Format String Vulnerability https://bugs.php.net/bug.php?id=71704 https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
It was discovered that the PHP php_snmp_error() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Use CVE-2016-4071.
- - Invalid memory write in phar on filename containing \0 inside name https://bugs.php.net/bug.php?id=71860 https://gist.github.com/smalyshev/80b5c2909832872f2ba2 https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a
It was discovered that the PHP phar extension incorrectly handled certain filenames in archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Use CVE-2016-4072.
- - AddressSanitizer: negative-size-param (-1) in mbfl_strcut https://bugs.php.net/bug.php?id=71906 https://gist.github.com/smalyshev/d8355c96a657cc5dba70 https://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1
It was discovered that the PHP mb_strcut() function incorrectly handled string formatting. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code.
Use CVE-2016-4073.
http://www.openwall.com/lists/oss-security/2016/04/21/8
1- libxml_disable_entity_loader setting is shared between threads https://bugs.php.net/bug.php?id=64938 https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817 http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
It was discovered that the PHP libxml_disable_entity_loader() setting was shared between threads. When running under PHP-FPM, this could result in XML external entity injection and entity expansion issues.
Use CVE-2015-8866. Note that the related http://framework.zend.com/security/advisory/ZF2015-06 issue was already assigned CVE-2015-5161.
2- openssl_random_pseudo_bytes() is not cryptographically secure https://bugs.php.net/bug.php?id=70014 https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203 http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
It was discovered that the PHP openssl_random_pseudo_bytes() function did not return cryptographically strong pseudo-random bytes.
Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes
Use CVE-2015-8867. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXHEKSAAoJEHb/MwWLVhi2HHwP/RHXiG+18j0extiWJbw2cWTx nWe5+2WsBPJlpmuUpe/P62KGmbpIIzsrceYtm6GGam8Az4XH2R9JGK6oFBOPoVzl t40kRgQWHB2yROHUylS8hbdspsUU4gKqZxzphqqAS7LHfOEfX2nNgbYuHYBtI1WF g5yY0RimAkKqe7mPsamms7eKlk0+jKVkE6tgxA/I3RmeuEzwEtJ9uJwpWze3HZTa aMGFt0bCuPdlVMEGtE+son4NDP8D2V7CFarJMEl1U6OLpxGjQATVn550YOcy50Lf MCjOpJ2LPkLA80ZLVn+fKkkAPQG99U5axPnMWcTxCiC1I374WHqKY0vjqrpKivrq VXsqPixF/jUxghFMYKKb/xg+GCr4oId13KrWVXpKDAwoxwYNHC/c9UgNwgPRdjeg sNSpJP46UH1vvC8GD3wBnd6IE8rPc3Zc/zEHSCe0F4Za2w5HmaT5cxkz97mPVzF6 jEQemPGfZjQDgNQyGtHhMCqxUUJ7bTXo3vg9NkpUHl1Wpg8C+YFIb8lwtBRR/5qc Rf0/+ho7fPYi4u1IClYMp+zBA9SJHD+XzK6gFTHjTq/XFYJEJkxDZQGQ9JmroABg GIK+zQDyn7SSRblpZyBmkzBUjToa/zvYwh0n9GfXPEWZc/px9eDPJsu0v+d7j1Tt vmqTwo44mo+NdkNIyBTA =bA5Y -----END PGP SIGNATURE-----
Current thread:
- CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Matthias Geerdsen (Apr 11)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Salvatore Bonaccorso (Apr 21)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Marc Deslauriers (Apr 21)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases cve-assign (Apr 23)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Salvatore Bonaccorso (Apr 21)