Описание
Security update for php53
This update fixes the following vulnerabilities in php:
Security Issues:
Список пакетов
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP3-TERADATA
SUSE Linux Enterprise Server for SAP Applications 11 SP3
SUSE Linux Enterprise Software Development Kit 11 SP3
Ссылки
- Link for SUSE-SU-2015:0436-1
- E-Mail link for SUSE-SU-2015:0436-1
- SUSE Security Ratings
- SUSE Bug 828020
- SUSE Bug 829207
- SUSE Bug 837746
- SUSE Bug 842676
- SUSE Bug 853045
- SUSE Bug 854880
- SUSE Bug 868624
- SUSE Bug 880904
- SUSE Bug 880905
- SUSE Bug 882992
- SUSE Bug 884986
- SUSE Bug 884987
- SUSE Bug 884989
- SUSE Bug 884990
- SUSE Bug 884991
- SUSE Bug 884992
- SUSE Bug 885961
Описание
ext/xml/xml.c in PHP before 5.3.27 does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.
Затронутые продукты
Ссылки
- CVE-2013-4113
- SUSE Bug 829207
Описание
The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Затронутые продукты
Ссылки
- CVE-2013-4248
- SUSE Bug 837746
Описание
Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.
Затронутые продукты
Ссылки
- CVE-2013-4635
- SUSE Bug 828020
Описание
The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7 does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.
Затронутые продукты
Ссылки
- CVE-2013-6420
- SUSE Bug 854880
- SUSE Bug 880238
Описание
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_sdl function in ext/soap/php_sdl.c.
Затронутые продукты
Ссылки
- CVE-2013-6501
- SUSE Bug 917302
Описание
The scan function in ext/date/lib/parse_iso_intervals.c in PHP through 5.5.6 does not properly restrict creation of DateInterval objects, which might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted interval specification.
Затронутые продукты
Ссылки
- CVE-2013-6712
- SUSE Bug 853045
Описание
The cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted CDF file.
Затронутые продукты
Ссылки
- CVE-2014-0207
- SUSE Bug 884986
- SUSE Bug 980366
- SUSE Bug 992991
Описание
The cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (performance degradation) by triggering many file_printf calls.
Затронутые продукты
Ссылки
- CVE-2014-0237
- SUSE Bug 880905
- SUSE Bug 992991
Описание
The cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 allows remote attackers to cause a denial of service (infinite loop or out-of-bounds memory access) via a vector that (1) has zero length or (2) is too long.
Затронутые продукты
Ссылки
- CVE-2014-0238
- SUSE Bug 880904
- SUSE Bug 992991
Описание
The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted color table in an XPM file.
Затронутые продукты
Ссылки
- CVE-2014-2497
- SUSE Bug 868624
Описание
Buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, allows remote attackers to cause a denial of service (application crash) via a crafted Pascal string in a FILE_PSTRING conversion.
Затронутые продукты
Ссылки
- CVE-2014-3478
- SUSE Bug 884987
- SUSE Bug 980366
- SUSE Bug 992991
Описание
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.
Затронутые продукты
Ссылки
- CVE-2014-3479
- SUSE Bug 884989
- SUSE Bug 980366
- SUSE Bug 992991
Описание
The cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate sector-count data, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
Затронутые продукты
Ссылки
- CVE-2014-3480
- SUSE Bug 884990
- SUSE Bug 980366
Описание
The cdf_read_property_info function in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, does not properly validate a stream offset, which allows remote attackers to cause a denial of service (application crash) via a crafted CDF file.
Затронутые продукты
Ссылки
- CVE-2014-3487
- SUSE Bug 884991
- SUSE Bug 980366
Описание
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
Затронутые продукты
Ссылки
- CVE-2014-3515
- SUSE Bug 884992
- SUSE Bug 980366
- SUSE Bug 992991
Описание
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation.
Затронутые продукты
Ссылки
- CVE-2014-3668
- SUSE Bug 902368
- SUSE Bug 980366
Описание
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.
Затронутые продукты
Ссылки
- CVE-2014-3669
- SUSE Bug 902360
- SUSE Bug 980366
Описание
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function.
Затронутые продукты
Ссылки
- CVE-2014-3670
- SUSE Bug 902357
- SUSE Bug 980366
Описание
Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function.
Затронутые продукты
Ссылки
- CVE-2014-4049
- SUSE Bug 882992
- SUSE Bug 893853
Описание
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments.
Затронутые продукты
Ссылки
- CVE-2014-4670
- SUSE Bug 886059
- SUSE Bug 980366
- SUSE Bug 992991
Описание
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments.
Затронутые продукты
Ссылки
- CVE-2014-4698
- SUSE Bug 886060
- SUSE Bug 980366
Описание
The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php.
Затронутые продукты
Ссылки
- CVE-2014-4721
- SUSE Bug 885961
- SUSE Bug 980366
- SUSE Bug 992991
Описание
The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions.
Затронутые продукты
Ссылки
- CVE-2014-5459
- SUSE Bug 893849
- SUSE Bug 980366
- SUSE Bug 992991
Описание
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
Затронутые продукты
Ссылки
- CVE-2014-8142
- SUSE Bug 910659
- SUSE Bug 980366
Описание
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted file.
Затронутые продукты
Ссылки
- CVE-2014-9652
- SUSE Bug 917150
- SUSE Bug 917302
- SUSE Bug 918768
- SUSE Bug 980366
Описание
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.
Затронутые продукты
Ссылки
- CVE-2014-9705
- SUSE Bug 922451
- SUSE Bug 980366
Описание
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.
Затронутые продукты
Ссылки
- CVE-2014-9709
- SUSE Bug 923945
- SUSE Bug 923946
- SUSE Bug 980366
Описание
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
Затронутые продукты
Ссылки
- CVE-2015-0231
- SUSE Bug 910659
- SUSE Bug 924972
- SUSE Bug 980366
- SUSE Bug 992991
Описание
The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.
Затронутые продукты
Ссылки
- CVE-2015-0232
- SUSE Bug 914690
- SUSE Bug 980366
- SUSE Bug 992991
Описание
Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.
Затронутые продукты
Ссылки
- CVE-2015-2301
- SUSE Bug 922452
- SUSE Bug 980366
Описание
Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
Затронутые продукты
Ссылки
- CVE-2015-2305
- SUSE Bug 1040662
- SUSE Bug 921950
- SUSE Bug 922022
- SUSE Bug 922028
- SUSE Bug 922030
- SUSE Bug 922043
- SUSE Bug 922560
- SUSE Bug 922567
- SUSE Bug 929192
- SUSE Bug 980366
Описание
ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (buffer over-read and application crash) via a crafted length value in conjunction with crafted serialized data in a phar archive, related to the phar_parse_metadata and phar_parse_pharfile functions.
Затронутые продукты
Ссылки
- CVE-2015-2783
- SUSE Bug 928408
- SUSE Bug 928506
- SUSE Bug 928511
- SUSE Bug 931418
- SUSE Bug 980366
Описание
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.
Затронутые продукты
Ссылки
- CVE-2015-2787
- SUSE Bug 924972
- SUSE Bug 980366
Описание
Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a crafted length value in a (1) tar, (2) phar, or (3) ZIP archive.
Затронутые продукты
Ссылки
- CVE-2015-3329
- SUSE Bug 928408
- SUSE Bug 928506
- SUSE Bug 928511
- SUSE Bug 980366
Описание
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.
Затронутые продукты
Ссылки
- CVE-2015-3411
- SUSE Bug 935074
- SUSE Bug 935227
- SUSE Bug 935229
- SUSE Bug 935232
- SUSE Bug 980366
Описание
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.
Затронутые продукты
Ссылки
- CVE-2015-3412
- SUSE Bug 935227
- SUSE Bug 935229
- SUSE Bug 935232
- SUSE Bug 980366
Описание
The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive.
Затронутые продукты
Ссылки
- CVE-2015-4021
- SUSE Bug 931769
- SUSE Bug 935074
- SUSE Bug 980366
Описание
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow.
Затронутые продукты
Ссылки
- CVE-2015-4022
- SUSE Bug 931769
- SUSE Bug 931772
- SUSE Bug 935275
- SUSE Bug 980366
Описание
Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.
Затронутые продукты
Ссылки
- CVE-2015-4024
- SUSE Bug 931421
- SUSE Bug 980366
Описание
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
Затронутые продукты
Ссылки
- CVE-2015-4026
- SUSE Bug 931776
- SUSE Bug 935227
- SUSE Bug 980366
Описание
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.
Затронутые продукты
Ссылки
- CVE-2015-4148
- SUSE Bug 933227
- SUSE Bug 935074
- SUSE Bug 935226
- SUSE Bug 980366
Описание
PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may write to only .html files.
Затронутые продукты
Ссылки
- CVE-2015-4598
- SUSE Bug 935227
- SUSE Bug 935232
- SUSE Bug 980366
Описание
The SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to obtain sensitive information, cause a denial of service (application crash), or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
Затронутые продукты
Ссылки
- CVE-2015-4599
- SUSE Bug 935074
- SUSE Bug 935226
- SUSE Bug 935234
- SUSE Bug 980366
Описание
The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods.
Затронутые продукты
Ссылки
- CVE-2015-4600
- SUSE Bug 935226
- SUSE Bug 935234
- SUSE Bug 980366
Описание
PHP before 5.6.7 might allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c, a different issue than CVE-2015-4600.
Затронутые продукты
Ссылки
- CVE-2015-4601
- SUSE Bug 935226
- SUSE Bug 935234
- SUSE Bug 980366
Описание
The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
Затронутые продукты
Ссылки
- CVE-2015-4602
- SUSE Bug 935074
- SUSE Bug 935224
- SUSE Bug 935226
- SUSE Bug 980366
Описание
The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data type, related to a "type confusion" issue.
Затронутые продукты
Ссылки
- CVE-2015-4603
- SUSE Bug 935074
- SUSE Bug 935226
- SUSE Bug 935234
- SUSE Bug 980366
Описание
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022.
Затронутые продукты
Ссылки
- CVE-2015-4643
- SUSE Bug 931769
- SUSE Bug 935074
- SUSE Bug 935275
- SUSE Bug 980366
Описание
The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.
Затронутые продукты
Ссылки
- CVE-2015-4644
- SUSE Bug 935074
- SUSE Bug 935274
- SUSE Bug 980366