SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
(Red Hat Issues Fix) PHP Multiple Flaws Let Remote and Local Users Obtain Potentially Sensitive Information and Execute Arbitrary Code
SecurityTracker Alert ID:  1037218
SecurityTracker URL:  http://securitytracker.com/id/1037218
CVE Reference:   CVE-2016-5399   (Links to External Site)
Date:  Nov 4 2016
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several vulnerabilities were reported in PHP. A remote or local user can obtain potentially sensitive information on the target system. A remote or local user can execute arbitrary code on the target system.

A buffer over read error may occur in php_url_parse_ex() [CVE-2016-6288]. Version 5.5.x is affected.

An integer overflow my occur in processing string-typed ZVAL. Version 5.6.x is affected.

A stack overflow may occur in virtual_file_ex() [CVE-2016-6289].

A use-after-free may occur in unserialize() [CVE-2016-6290]. Versions 5.5.x and 5.6.x are affected.

A type confusion error may occur in php_bz2_filter_create(). Version 5.6.x is affected.

An out-of-bounds write may occur due to inadequate error handling in bzread() [CVE-2016-5399].

A null pointer dereference may occur in variant_date_from_timestamp(). Version 7.x is affected.

A heap overflow may occur in curl. Version 7.x is affected.

An out-of-bounds read error may occur in exif_process_IFD_in_MAKERNOTE() [CVE-2016-6291].

A null pointer dereference may occur in exif_process_user_comment() [CVE-2016-6292].

A read/write access error may occur in gdImageAALine(). Version 7.x is affected.

An out-of-bounds access error may occur in imagecropauto(). Version 7.x is affected.

A read/write access error may occur in gdImageTrueColorToPaletteBody().

An out-of-bounds access error may occur in imagegif/output.

An integer overflow may occur in _gdContributionsAlloc().

An out-of-bounds access error may occur in locale_accept_from_http() [CVE-2016-6294].

An out-of-bounds read error may occur in mb_ereg_replace - mbc_to_code. Version 7.x is affected.

A use-after-free memory error may occur in MBString. Version 7.x is affected.

A cast error and heap overflow may occur in mdecrypt_generic(). Version 7.x is affected.

A heap overflow may occur in proc_open() in the processing of the '$env' parameter in the PCRE component. Version 7.x is affected.

A buffer overflow may occur in ps_files_cleanup_dir(). Version 7.x is affected.

A use-after-free memory error may occur in unserialize(). Version 7.x is affected.

A use-after-free memory error may occur in SNMP [CVE-2016-6295].

A heap overflow may occur in simplestring_addn() in 'simplestring.c' in the XMLRPC component [CVE-2016-6296].

A stack overflow may occur in php_stream_zip_opener() [CVE-2016-6297].

Impact:   A remote or local user can obtain potentially sensitive information on the target system.

A remote or local user can execute arbitrary code on the target system.

The impact depends on the application using PHP on the target system.

Solution:   Red Hat has issued a fix for CVE-2016-5399.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2016-2598.html

Vendor URL:  rhn.redhat.com/errata/RHSA-2016-2598.html (Links to External Site)
Cause:   Access control error, Boundary error, Exception handling error, Input validation error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Jul 22 2016 PHP Multiple Flaws Let Remote and Local Users Obtain Potentially Sensitive Information and Execute Arbitrary Code



 Source Message Contents

Subject:  [RHSA-2016:2598-02] Moderate: php security and bug fix update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security and bug fix update
Advisory ID:       RHSA-2016:2598-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2598.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-5399 CVE-2016-5766 CVE-2016-5767 
                   CVE-2016-5768 
=====================================================================

1. Summary:

An update for php is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

Security Fix(es):

* A flaw was found in the way certain error conditions were handled by
bzread() function in PHP. An attacker could use this flaw to upload a
specially crafted bz2 archive which, when parsed via the vulnerable
function, could cause the application to crash or execute arbitrary code
with the permissions of the user running the PHP application.
(CVE-2016-5399)

* An integer overflow flaw, leading to a heap-based buffer overflow was
found in the imagecreatefromgd2() function of PHP's gd extension. A remote
attacker could use this flaw to crash a PHP application or execute
arbitrary code with the privileges of the user running that PHP application
using gd via a specially crafted GD2 image. (CVE-2016-5766)

* An integer overflow flaw, leading to a heap-based buffer overflow was
found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A
remote attacker could use this flaw to crash a PHP application or execute
arbitrary code with the privileges of the user running that PHP application
using gd via a specially crafted image buffer. (CVE-2016-5767)

* A double free flaw was found in the mb_ereg_replace_callback() function
of php which is used to perform regex search. This flaw could possibly
cause a PHP application to crash. (CVE-2016-5768)

Red Hat would like to thank Hans Jerry Illikainen for reporting
CVE-2016-5399.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1073388 - ext/openssl: default_md algo is MD5
1131979 - Segfault running ZendFramework test suite (php_wddx_serialize_var)
1289457 - httpd segfault in php_module_shutdown when opcache loaded twice
1291667 - No TLS1.1 or TLS1.2 support for php curl module
1297179 - PHP crashes with [core:notice] [pid 3864] AH00052: child pid 95199 exit signal Segmentation fault (11)
1344578 - Segmentation fault while header_register_callback
1351068 - CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow
1351069 - CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
1351168 - CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec
1358395 - CVE-2016-5399 php: Improper error handling in bzread()

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

aarch64:
php-5.4.16-42.el7.aarch64.rpm
php-cli-5.4.16-42.el7.aarch64.rpm
php-common-5.4.16-42.el7.aarch64.rpm
php-debuginfo-5.4.16-42.el7.aarch64.rpm
php-gd-5.4.16-42.el7.aarch64.rpm
php-ldap-5.4.16-42.el7.aarch64.rpm
php-mysql-5.4.16-42.el7.aarch64.rpm
php-odbc-5.4.16-42.el7.aarch64.rpm
php-pdo-5.4.16-42.el7.aarch64.rpm
php-pgsql-5.4.16-42.el7.aarch64.rpm
php-process-5.4.16-42.el7.aarch64.rpm
php-recode-5.4.16-42.el7.aarch64.rpm
php-soap-5.4.16-42.el7.aarch64.rpm
php-xml-5.4.16-42.el7.aarch64.rpm
php-xmlrpc-5.4.16-42.el7.aarch64.rpm

ppc64:
php-5.4.16-42.el7.ppc64.rpm
php-cli-5.4.16-42.el7.ppc64.rpm
php-common-5.4.16-42.el7.ppc64.rpm
php-debuginfo-5.4.16-42.el7.ppc64.rpm
php-gd-5.4.16-42.el7.ppc64.rpm
php-ldap-5.4.16-42.el7.ppc64.rpm
php-mysql-5.4.16-42.el7.ppc64.rpm
php-odbc-5.4.16-42.el7.ppc64.rpm
php-pdo-5.4.16-42.el7.ppc64.rpm
php-pgsql-5.4.16-42.el7.ppc64.rpm
php-process-5.4.16-42.el7.ppc64.rpm
php-recode-5.4.16-42.el7.ppc64.rpm
php-soap-5.4.16-42.el7.ppc64.rpm
php-xml-5.4.16-42.el7.ppc64.rpm
php-xmlrpc-5.4.16-42.el7.ppc64.rpm

ppc64le:
php-5.4.16-42.el7.ppc64le.rpm
php-cli-5.4.16-42.el7.ppc64le.rpm
php-common-5.4.16-42.el7.ppc64le.rpm
php-debuginfo-5.4.16-42.el7.ppc64le.rpm
php-gd-5.4.16-42.el7.ppc64le.rpm
php-ldap-5.4.16-42.el7.ppc64le.rpm
php-mysql-5.4.16-42.el7.ppc64le.rpm
php-odbc-5.4.16-42.el7.ppc64le.rpm
php-pdo-5.4.16-42.el7.ppc64le.rpm
php-pgsql-5.4.16-42.el7.ppc64le.rpm
php-process-5.4.16-42.el7.ppc64le.rpm
php-recode-5.4.16-42.el7.ppc64le.rpm
php-soap-5.4.16-42.el7.ppc64le.rpm
php-xml-5.4.16-42.el7.ppc64le.rpm
php-xmlrpc-5.4.16-42.el7.ppc64le.rpm

s390x:
php-5.4.16-42.el7.s390x.rpm
php-cli-5.4.16-42.el7.s390x.rpm
php-common-5.4.16-42.el7.s390x.rpm
php-debuginfo-5.4.16-42.el7.s390x.rpm
php-gd-5.4.16-42.el7.s390x.rpm
php-ldap-5.4.16-42.el7.s390x.rpm
php-mysql-5.4.16-42.el7.s390x.rpm
php-odbc-5.4.16-42.el7.s390x.rpm
php-pdo-5.4.16-42.el7.s390x.rpm
php-pgsql-5.4.16-42.el7.s390x.rpm
php-process-5.4.16-42.el7.s390x.rpm
php-recode-5.4.16-42.el7.s390x.rpm
php-soap-5.4.16-42.el7.s390x.rpm
php-xml-5.4.16-42.el7.s390x.rpm
php-xmlrpc-5.4.16-42.el7.s390x.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
php-bcmath-5.4.16-42.el7.aarch64.rpm
php-dba-5.4.16-42.el7.aarch64.rpm
php-debuginfo-5.4.16-42.el7.aarch64.rpm
php-devel-5.4.16-42.el7.aarch64.rpm
php-embedded-5.4.16-42.el7.aarch64.rpm
php-enchant-5.4.16-42.el7.aarch64.rpm
php-fpm-5.4.16-42.el7.aarch64.rpm
php-intl-5.4.16-42.el7.aarch64.rpm
php-mbstring-5.4.16-42.el7.aarch64.rpm
php-mysqlnd-5.4.16-42.el7.aarch64.rpm
php-pspell-5.4.16-42.el7.aarch64.rpm
php-snmp-5.4.16-42.el7.aarch64.rpm

ppc64:
php-bcmath-5.4.16-42.el7.ppc64.rpm
php-dba-5.4.16-42.el7.ppc64.rpm
php-debuginfo-5.4.16-42.el7.ppc64.rpm
php-devel-5.4.16-42.el7.ppc64.rpm
php-embedded-5.4.16-42.el7.ppc64.rpm
php-enchant-5.4.16-42.el7.ppc64.rpm
php-fpm-5.4.16-42.el7.ppc64.rpm
php-intl-5.4.16-42.el7.ppc64.rpm
php-mbstring-5.4.16-42.el7.ppc64.rpm
php-mysqlnd-5.4.16-42.el7.ppc64.rpm
php-pspell-5.4.16-42.el7.ppc64.rpm
php-snmp-5.4.16-42.el7.ppc64.rpm

ppc64le:
php-bcmath-5.4.16-42.el7.ppc64le.rpm
php-dba-5.4.16-42.el7.ppc64le.rpm
php-debuginfo-5.4.16-42.el7.ppc64le.rpm
php-devel-5.4.16-42.el7.ppc64le.rpm
php-embedded-5.4.16-42.el7.ppc64le.rpm
php-enchant-5.4.16-42.el7.ppc64le.rpm
php-fpm-5.4.16-42.el7.ppc64le.rpm
php-intl-5.4.16-42.el7.ppc64le.rpm
php-mbstring-5.4.16-42.el7.ppc64le.rpm
php-mysqlnd-5.4.16-42.el7.ppc64le.rpm
php-pspell-5.4.16-42.el7.ppc64le.rpm
php-snmp-5.4.16-42.el7.ppc64le.rpm

s390x:
php-bcmath-5.4.16-42.el7.s390x.rpm
php-dba-5.4.16-42.el7.s390x.rpm
php-debuginfo-5.4.16-42.el7.s390x.rpm
php-devel-5.4.16-42.el7.s390x.rpm
php-embedded-5.4.16-42.el7.s390x.rpm
php-enchant-5.4.16-42.el7.s390x.rpm
php-fpm-5.4.16-42.el7.s390x.rpm
php-intl-5.4.16-42.el7.s390x.rpm
php-mbstring-5.4.16-42.el7.s390x.rpm
php-mysqlnd-5.4.16-42.el7.s390x.rpm
php-pspell-5.4.16-42.el7.s390x.rpm
php-snmp-5.4.16-42.el7.s390x.rpm

x86_64:
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-5399
https://access.redhat.com/security/cve/CVE-2016-5766
https://access.redhat.com/security/cve/CVE-2016-5767
https://access.redhat.com/security/cve/CVE-2016-5768
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYGv0TXlSAg2UNWIIRAp5HAJ9klb3/2rtiS6x3SPaFdGuYWwxEegCfafaI
5XgUajtsAnxecqRTeRWw5H4=
=G7qP
-----END PGP SIGNATURE-----


-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC