Description
Security update for php53
This update for php53 fixes the following issues:
- CVE-2016-5093: A get_icu_value_internal out-of-bounds read could crash the php interpreter (bsc#982010)
- CVE-2016-5094, CVE-2016-5095: Don't allow creating strings with lengths outside int range, avoids overflows (bsc#982011, bsc#982012)
- CVE-2016-5096: An int/size_t confusion in fread could corrupt memory (bsc#982013)
- CVE-2016-5114: A fpm_log.c memory leak and buffer overflow could leak information out of the php process or overwrite a buffer by 1 byte (bsc#982162)
- CVE-2016-4346: A heap overflow was fixed in ext/standard/string.c (bsc#977994)
- CVE-2016-4342: A heap corruption was fixed in tar/zip/phar parser (bsc#977991)
- CVE-2016-4537, CVE-2016-4538: bcpowmod accepted negative scale causing heap buffer overflow corrupting the _one_ definition (bsc#978827)
- CVE-2016-4539: Malformed input causes segmentation fault in xml_parse_into_struct() function (bsc#978828)
- CVE-2016-4540, CVE-2016-4541: Out-of-bounds memory read in zif_grapheme_stripos when given negative offset (bsc#978829)
- CVE-2016-4542, CVE-2016-4543, CVE-2016-4544: Out-of-bounds heap memory read in exif_read_data() caused by malformed input (bsc#978830)
- CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert function (bsc#980366)
- CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c (bsc#980373)
- CVE-2015-8874: Stack consumption vulnerability in GD (bsc#980375)
- CVE-2015-8879: odbc_bindcols function in ext/odbc/php_odbc.c mishandles driver behavior for SQL_WVARCHAR (bsc#981050)
Also fixed previously on SUSE Linux Enterprise 11 SP4, but not yet shipped to SUSE Linux Enterprise Server 11 SP3 LTSS:
- CVE-2015-8838: mysqlnd was vulnerable to BACKRONYM (bnc#973792).
- CVE-2015-8835: SoapClient s_call method suffered from a type confusion issue that could have led to crashes [bsc#973351]
- CVE-2016-2554: A NULL pointer dereference in phar_get_fp_offset could lead to crashes. [bsc#968284]
- CVE-2015-7803: A stack overflow vulnerability when decompressing tar phar archives could potentially lead to code execution. [bsc#949961]
- CVE-2016-3141: A use-after-free / double-free in the WDDX deserialization could lead to crashes or potential code execution. [bsc#969821]
- CVE-2016-3142: An out-of-bounds read in phar_parse_zipfile() could lead to crashes. [bsc#971912]
- CVE-2014-9767: A directory traversal when extracting zip files was fixed that could lead to overwritten files. [bsc#971612]
- CVE-2016-3185: A type confusion vulnerability in make_http_soap_request() could lead to crashes or potentially code execution. [bsc#971611]
- CVE-2016-4073: A remote attacker could have caused denial of service, or possibly execute arbitrary code, due to incorrect handling of string length calculations in mb_strcut() (bsc#977003)
- CVE-2015-8867: The PHP function openssl_random_pseudo_bytes() did not return cryptographically secure random bytes (bsc#977005)
- CVE-2016-4070: The libxml_disable_entity_loader() setting was shared between threads, which could have resulted in XML external entity injection and entity expansion issues (bsc#976997)
- CVE-2015-8866: A remote attacker could have caused denial of service due to incorrect handling of large strings in php_raw_url_encode() (bsc#976996)
Package list
SUSE Linux Enterprise Server 11 SP3-LTSS
SUSE Linux Enterprise Server 11 SP3-TERADATA
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server for SAP Applications 11 SP4
SUSE Linux Enterprise Software Development Kit 11 SP4
SUSE Manager 2.1
SUSE Manager Proxy 2.1
SUSE OpenStack Cloud 5
References
- Link for SUSE-SU-2016:1581-1
- E-Mail link for SUSE-SU-2016:1581-1
- SUSE Security Ratings
- SUSE Bug 949961
- SUSE Bug 968284
- SUSE Bug 969821
- SUSE Bug 971611
- SUSE Bug 971612
- SUSE Bug 971912
- SUSE Bug 973351
- SUSE Bug 973792
- SUSE Bug 976996
- SUSE Bug 976997
- SUSE Bug 977003
- SUSE Bug 977005
- SUSE Bug 977991
- SUSE Bug 977994
- SUSE Bug 978827
- SUSE Bug 978828
- SUSE Bug 978829
Description
Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.
Affected products
References
- CVE-2014-9767
- SUSE Bug 971612
- SUSE Bug 980366
Description
Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.
Affected products
References
- CVE-2015-4116
- SUSE Bug 980366
Description
The phar_get_entry_data function in ext/phar/util.c in PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a .phar file with a crafted TAR archive entry in which the Link indicator references a file that does not exist.
Affected products
References
- CVE-2015-7803
- SUSE Bug 949961
- SUSE Bug 980366
Description
The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c.
Affected products
References
- CVE-2015-8835
- SUSE Bug 973351
- SUSE Bug 980366
Description
ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof servers via a cleartext-downgrade attack, a related issue to CVE-2015-3152.
Affected products
References
- CVE-2015-8838
- SUSE Bug 973792
- SUSE Bug 980366
Description
ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.
Affected products
References
- CVE-2015-8866
- SUSE Bug 976996
- SUSE Bug 980366
Description
The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.
Affected products
References
- CVE-2015-8867
- SUSE Bug 977005
- SUSE Bug 980366
Description
Stack consumption vulnerability in Zend/zend_exceptions.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to cause a denial of service (segmentation fault) via recursive method calls.
Affected products
References
- CVE-2015-8873
- SUSE Bug 980366
- SUSE Bug 980373
Description
Stack consumption vulnerability in GD in PHP before 5.6.12 allows remote attackers to cause a denial of service via a crafted imagefilltoborder call.
Affected products
References
- CVE-2015-8874
- SUSE Bug 980366
- SUSE Bug 980375
Description
The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.
Affected products
References
- CVE-2015-8879
- SUSE Bug 981050
Description
Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.
Affected products
References
- CVE-2016-2554
- SUSE Bug 968284
- SUSE Bug 980366
Description
Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.
Affected products
References
- CVE-2016-3141
- SUSE Bug 969821
- SUSE Bug 980366
Description
The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location.
Affected products
References
- CVE-2016-3142
- SUSE Bug 971912
- SUSE Bug 980366
Description
The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c.
Affected products
References
- CVE-2016-3185
- SUSE Bug 971611
- SUSE Bug 973351
- SUSE Bug 980366
Description
** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says "Not sure if this qualifies as security issue (probably not)."
Affected products
References
- CVE-2016-4070
- SUSE Bug 976997
- SUSE Bug 980366
Description
Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.
Affected products
References
- CVE-2016-4073
- SUSE Bug 977003
- SUSE Bug 980366
Description
ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive.
Affected products
References
- CVE-2016-4342
- SUSE Bug 977991
- SUSE Bug 980366
Description
Integer overflow in the str_pad function in ext/standard/string.c in PHP before 7.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a long string, leading to a heap-based buffer overflow.
Affected products
References
- CVE-2016-4346
- SUSE Bug 977993
- SUSE Bug 977994
- SUSE Bug 977995
- SUSE Bug 980366
Description
The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.
Affected products
References
- CVE-2016-4537
- SUSE Bug 978827
- SUSE Bug 980366
Description
The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.
Affected products
References
- CVE-2016-4538
- SUSE Bug 978827
- SUSE Bug 980366
Description
The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero.
Affected products
References
- CVE-2016-4539
- SUSE Bug 978828
- SUSE Bug 980366
Description
The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.
Affected products
References
- CVE-2016-4540
- SUSE Bug 978829
- SUSE Bug 980366
Description
The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.
Affected products
References
- CVE-2016-4541
- SUSE Bug 978829
- SUSE Bug 980366
Description
The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
Affected products
References
- CVE-2016-4542
- SUSE Bug 978830
- SUSE Bug 980366
Description
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
Affected products
References
- CVE-2016-4543
- SUSE Bug 978830
- SUSE Bug 980366
Description
The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
Affected products
References
- CVE-2016-4544
- SUSE Bug 978830
- SUSE Bug 980366
Description
The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call.
Affected products
References
- CVE-2016-5093
- SUSE Bug 982010
Description
Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.
Affected products
References
- CVE-2016-5094
- SUSE Bug 982011
- SUSE Bug 982012
Description
Integer overflow in the php_escape_html_entities_ex function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from a FILTER_SANITIZE_FULL_SPECIAL_CHARS filter_var call. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-5094.
Affected products
References
- CVE-2016-5095
- SUSE Bug 982011
- SUSE Bug 982012
Description
Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.
Affected products
References
- CVE-2016-5096
- SUSE Bug 982013
Description
sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging.
Affected products
References
- CVE-2016-5114
- SUSE Bug 982162