openSUSE-SU-2026:20745-1

Published: 13 May 2026
Source: suse-cvrf

Description

Security update for php8

This update for php8 fixes the following issues

  • CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL injection (bsc#1264778).
  • CVE-2026-6104: out-of-bounds read when processing an encoding name containing an embedded NULL byte in mb_convert_encoding() can lead to information disclosure and denial of service (bsc#1264777).
  • CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code execution (bsc#1264776).
  • CVE-2026-6735: improper validation of the request URI within the PHP-FPM status page can lead to XSS (bsc#1264775).
  • CVE-2026-7258: signed char values passed to ctype functions like isxdigit can lead to OOB access and denial of service (bsc#1264774).
  • CVE-2026-7259: NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init() can lead to a denial of service (bsc#1264773).
  • CVE-2026-7261: use-after-free due to incorrectly handled persistence of handler objects when SOAP_PERSISTENCE_SESSION is configured can lead to memory corruption, information disclosure and process crashes (bsc#1264772).
  • CVE-2026-7262: NULL pointer dereference caused by mistake in the SOAP decoding process when a typemap is configured can lead to a denial of service (bsc#1264771).
  • CVE-2026-7263: incorrect processing of XML data in the DOMNode::C14N() method can lead to an infinite loop and a denial of service (bsc#1264770).
  • CVE-2026-7568: integer overflow in the metaphone function can lead to undefined behavior and affect the availability of the PHP process (bsc#1264769).

Other updates:

  • Updated to 8.4.21.

Package list

openSUSE Leap 16.0
apache2-mod_php8-8.4.21-160000.1.1
php8-8.4.21-160000.1.1
php8-bcmath-8.4.21-160000.1.1
php8-bz2-8.4.21-160000.1.1
php8-calendar-8.4.21-160000.1.1
php8-cli-8.4.21-160000.1.1
php8-ctype-8.4.21-160000.1.1
php8-curl-8.4.21-160000.1.1
php8-dba-8.4.21-160000.1.1
php8-devel-8.4.21-160000.1.1
php8-dom-8.4.21-160000.1.1
php8-embed-8.4.21-160000.1.1
php8-enchant-8.4.21-160000.1.1
php8-exif-8.4.21-160000.1.1
php8-fastcgi-8.4.21-160000.1.1
php8-ffi-8.4.21-160000.1.1
php8-fileinfo-8.4.21-160000.1.1
php8-fpm-8.4.21-160000.1.1
php8-fpm-apache-8.4.21-160000.1.1
php8-ftp-8.4.21-160000.1.1
php8-gd-8.4.21-160000.1.1
php8-gettext-8.4.21-160000.1.1
php8-gmp-8.4.21-160000.1.1
php8-iconv-8.4.21-160000.1.1
php8-intl-8.4.21-160000.1.1
php8-ldap-8.4.21-160000.1.1
php8-mbstring-8.4.21-160000.1.1
php8-mysql-8.4.21-160000.1.1
php8-odbc-8.4.21-160000.1.1
php8-opcache-8.4.21-160000.1.1
php8-openssl-8.4.21-160000.1.1
php8-pcntl-8.4.21-160000.1.1
php8-pdo-8.4.21-160000.1.1
php8-pgsql-8.4.21-160000.1.1
php8-phar-8.4.21-160000.1.1
php8-posix-8.4.21-160000.1.1
php8-readline-8.4.21-160000.1.1
php8-shmop-8.4.21-160000.1.1
php8-snmp-8.4.21-160000.1.1
php8-soap-8.4.21-160000.1.1
php8-sockets-8.4.21-160000.1.1
php8-sodium-8.4.21-160000.1.1
php8-sqlite-8.4.21-160000.1.1
php8-sysvmsg-8.4.21-160000.1.1
php8-sysvsem-8.4.21-160000.1.1
php8-sysvshm-8.4.21-160000.1.1
php8-test-8.4.21-160000.1.1
php8-tidy-8.4.21-160000.1.1
php8-tokenizer-8.4.21-160000.1.1
php8-xmlreader-8.4.21-160000.1.1
php8-xmlwriter-8.4.21-160000.1.1
php8-xsl-8.4.21-160000.1.1
php8-zip-8.4.21-160000.1.1
php8-zlib-8.4.21-160000.1.1

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the PDO Firebird driver improperly handles NUL bytes when preparing SQL queries. During token-by-token query construction, a string token containing a NUL byte is copied via strncat(), which stops at the NUL byte, dropping the closing quote and causing subsequent SQL tokens to be interpreted as part of the string. This allows SQL injection when attacker-controlled values are quoted via PDO::quote() and embedded in SQL statements.
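The truncation described above, reduced to a stand-alone C illustration with the length-aware copy beside it. This is an added example, not the PDO Firebird driver's source; the function names and the sample token are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a quoted string token holding a NUL (' a NUL b '). */
static const char TOKEN[] = "'a\0b'";
#define TOKEN_LEN (sizeof TOKEN - 1)          /* 5 bytes */

/* Pattern from the description: strncat() stops at the first NUL. */
static size_t append_strncat(char *out, size_t used, size_t cap,
                             const char *tok, size_t len)
{
    if (len >= cap - used) return used;       /* no room: leave unchanged */
    out[used] = '\0';
    strncat(out, tok, len);
    return strlen(out);                       /* length now depends on content */
}

/* Length-aware copy: all len bytes are kept, the NUL included. */
static size_t append_memcpy(char *out, size_t used, size_t cap,
                            const char *tok, size_t len)
{
    if (len >= cap - used) return used;
    memcpy(out + used, tok, len);
    out[used + len] = '\0';
    return used + len;
}

/* Bytes of TOKEN that reach the buffer, or 0 if the closing quote was lost. */
size_t bytes_kept_with_quote(int hardened)
{
    char buf[32] = "";
    size_t n = hardened ? append_memcpy(buf, 0, sizeof buf, TOKEN, TOKEN_LEN)
                        : append_strncat(buf, 0, sizeof buf, TOKEN, TOKEN_LEN);
    return (n > 0 && buf[n - 1] == '\'') ? n : 0;
}

/* Input check a caller can apply before a value is quoted. */
int has_embedded_nul(const char *s, size_t len)
{
    return memchr(s, '\0', len) != NULL;
}

int main(void)
{
    printf("strncat: %zu, memcpy: %zu\n",
           bytes_kept_with_quote(0), bytes_kept_with_quote(1));
    return 0;
}
```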


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns 0 it means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
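Why a zero result from strncasecmp() does not prove equal length, shown with a lookup that trusts it beside one that checks the length and rejects embedded NUL bytes. This is an added example, not mbstring's code; the name table, function names and sample input are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical name table for the illustration, not mbstring's own. */
static const char *const NAMES[] = { "UTF-8", "UTF-16", "ASCII" };
#define N_NAMES (sizeof NAMES / sizeof NAMES[0])

/* Flawed: strncasecmp() stops at the first NUL in either string, so 0
 * only means "equal up to that NUL", not "both are len bytes long". */
int find_flawed(const char *name, size_t len)
{
    for (size_t i = 0; i < N_NAMES; i++)
        if (strncasecmp(NAMES[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Checked: no embedded NUL, and the table entry must be exactly len bytes. */
int find_checked(const char *name, size_t len)
{
    if (memchr(name, '\0', len) != NULL)
        return -1;
    for (size_t i = 0; i < N_NAMES; i++)
        if (strlen(NAMES[i]) == len && strncasecmp(NAMES[i], name, len) == 0)
            return (int)i;
    return -1;
}

/* Bytes past the end of the matched entry that a caller would touch if it
 * treated the entry as len bytes long after a flawed match. */
size_t overrun_if_trusted(const char *name, size_t len)
{
    int i = find_flawed(name, len);
    if (i < 0 || strlen(NAMES[i]) >= len)
        return 0;
    return len - strlen(NAMES[i]);
}

int main(void)
{
    static const char sample[] = "utf-8\0junk";   /* constructed, 10 bytes */
    size_t len = sizeof sample - 1;
    printf("flawed=%d checked=%d overrun=%zu\n", find_flawed(sample, len),
           find_checked(sample, len), overrun_if_trusted(sample, len));
    return 0;
}
```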


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, improper sanitization of user data allows an attacker to compose a URL that causes the target to execute arbitrary JavaScript code (XSS) on the target's machine when the target is viewing the PHP-FPM status page.


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass a signed char to ctype functions (like isxdigit()). On systems where char is signed by default and the ctype functions are implemented as optimized table lookups, such as NetBSD, this can lead to an array access with a negative offset, which can trigger a denial of service.
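The sign problem and the standard fix (cast to unsigned char before any ctype call), shown in a small percent-decoder. This is an added example, not PHP's urldecode(); the function names and sample inputs are constructed for the illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* What isxdigit() receives when a byte held in a signed char is passed
 * uncast: integer promotion keeps the sign, so 0xE9 arrives as -23. */
int uncast_ctype_arg(unsigned char byte)
{
    signed char c = (signed char)byte;
    return c;
}

/* Hex digit value, or -1. The cast keeps the ctype argument in 0..UCHAR_MAX. */
int hex_value(char c)
{
    unsigned char u = (unsigned char)c;
    if (!isxdigit(u))
        return -1;
    return isdigit(u) ? u - '0' : tolower(u) - 'a' + 10;
}

/* Decodes %XX escapes from in[0..len). With out == NULL it only validates.
 * out needs len + 1 bytes. Returns the decoded length, or -1 on a bad escape. */
long percent_decode(const char *in, size_t len, char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        char ch = in[i];
        if (ch == '%') {
            if (len - i < 3) return -1;          /* truncated escape */
            int hi = hex_value(in[i + 1]), lo = hex_value(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;     /* non-hex byte after '%' */
            ch = (char)(hi * 16 + lo);
            i += 2;
        }
        if (out) out[o] = ch;
        o++;
    }
    if (out) out[o] = '\0';
    return (long)o;
}

int main(void)
{
    char buf[16];
    long n = percent_decode("a%41%e9", 7, buf);   /* constructed input */
    printf("%ld bytes, first two: %.2s\n", n, buf);
    return 0;
}
```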


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denial of service. The vulnerability is exploitable when user-controlled input can influence the encoding passed to mb_regex_encoding().


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However, when a SOAP request results in an error, the persistence is handled incorrectly, freeing the object while keeping a pointer to it, which may lead to use-after-free. This may lead to memory corruption, information disclosure, or process crashes, with confidentiality, integrity, and availability impact on the vulnerable system.


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when a SOAP server has a typemap configured, the decoding process contains a mistake: it checks the wrong variable when the value element is missing. This leads to a NULL pointer dereference, causing a segmentation fault. This allows a remote unauthenticated attacker to crash the PHP SOAP server process, resulting in denial of service.


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, the DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter an infinite loop, causing denial of service in the processing application.


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References

Description

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If a string longer than 2,147,483,647 bytes is passed, a signed integer overflow occurs, resulting in undefined behavior. This can lead to an out-of-bounds read, causing a segmentation fault or access to unrelated memory, and may affect the availability of the PHP process.


Affected products
openSUSE Leap 16.0:apache2-mod_php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bcmath-8.4.21-160000.1.1
openSUSE Leap 16.0:php8-bz2-8.4.21-160000.1.1

References
Vulnerability openSUSE-SU-2026:20745-1