SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   PHP Vendors:   PHP Group
(Red Hat Issues Fix) PHP Multiple Flaws Let Remote and Local Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code
SecurityTracker Alert ID:  1039806
SecurityTracker URL:  http://securitytracker.com/id/1039806
CVE Reference:   CVE-2016-10167, CVE-2016-10168   (Links to External Site)
Date:  Nov 15 2017
Impact:   Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.6.x, 7.0.x
Description:   Multiple vulnerabilities were reported in PHP. A remote or local user can cause denial of service conditions on the target system. A remote or local user can obtain potentially sensitive information on the target system. A remote or local user can execute arbitrary code on the target system.

A use-after-free memory error may occur in GD in the imagepng() function. Version 5.6.x is affected.

A out-of-bounds heap read error may occur in finish_nested_data() [CVE-2016-10161]. Version 7.0.x is affected.

A null pointer dereference may occur in unserializing a PHP object [CVE-2016-10162]. Version 7.0.x is affected.

The unserialize() function may use uninitialized memory [CVE-2017-5340]. Version 7.0.x is affected.

A use-after-free memory error may occur when resizing an unserialized object's properties hash table [CVE-2016-7479]. Version 7.0.x is affected.

A divide error may occur in exif_convert_any_to_int() when parsing an EXIF tag format [CVE-2016-10158].

A use-after-free memory error may occur in unserialize()). Version 7.0.x is affected.

A type confusion error may occur in object deserialization. Version 7.0.x is affected.

A signed integer overflow may occur in 'gd_io.c' [CVE-2016-10168].

A denial of service error may occur in gdImageCreateFromGd2Ctx() [CVE-2016-10167].

A type confusion error may occur in GMP deserialization. Version 7.0.x is affected.

A memory leak may occur in preg_*() functions. Version 7.0.x is affected.

A memory corruption error may occur in phar [CVE-2016-10160].

A crash may occur when loading a phar archive [CVE-2016-10159].

A memory leak may occur in ReflectionObject. Version 7.0.x is affected.

The specific impact depends on the application using PHP.

Impact:   A remote or local user can cause denial of service conditions.

A remote or local user can execute arbitrary code on the target system.

A remote or local user can obtain potentially sensitive information on the target system.

Solution:   Red Hat has issued a fix for CVE-2016-10167 and CVE-2016-10168.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2017:3221

Vendor URL:  access.redhat.com/errata/RHSA-2017:3221 (Links to External Site)
Cause:   Access control error, Boundary error, Not specified, State error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Jan 20 2017 PHP Multiple Flaws Let Remote and Local Users Obtain Potentially Sensitive Information, Deny Service, and Execute Arbitrary Code



 Source Message Contents

Subject:  [RHSA-2017:3221-01] Moderate: php security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security update
Advisory ID:       RHSA-2017:3221-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3221
Issue date:        2017-11-15
CVE Names:         CVE-2016-10167 CVE-2016-10168 
=====================================================================

1. Summary:

An update for php is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7) - aarch64, ppc64le
Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7) - aarch64, ppc64le

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

Security Fix(es):

* A null pointer dereference flaw was found in libgd. An attacker could use
a specially-crafted .gd2 file to cause an application linked with libgd to
crash, leading to denial of service. (CVE-2016-10167)

* An integer overflow flaw, leading to a heap-based buffer overflow was
found in the way libgd read some specially-crafted gd2 files. A remote
attacker could use this flaw to crash an application compiled with libgd or
in certain cases execute arbitrary code with the privileges of the user
running that application. (CVE-2016-10168)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1418984 - CVE-2016-10167 gd: DoS vulnerability in gdImageCreateFromGd2Ctx()
1418986 - CVE-2016-10168 gd: Integer overflow in gd_io.c

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
php-5.4.16-43.el7_4.src.rpm

x86_64:
php-5.4.16-43.el7_4.x86_64.rpm
php-bcmath-5.4.16-43.el7_4.x86_64.rpm
php-cli-5.4.16-43.el7_4.x86_64.rpm
php-common-5.4.16-43.el7_4.x86_64.rpm
php-dba-5.4.16-43.el7_4.x86_64.rpm
php-debuginfo-5.4.16-43.el7_4.x86_64.rpm
php-devel-5.4.16-43.el7_4.x86_64.rpm
php-embedded-5.4.16-43.el7_4.x86_64.rpm
php-enchant-5.4.16-43.el7_4.x86_64.rpm
php-fpm-5.4.16-43.el7_4.x86_64.rpm
php-gd-5.4.16-43.el7_4.x86_64.rpm
php-intl-5.4.16-43.el7_4.x86_64.rpm
php-ldap-5.4.16-43.el7_4.x86_64.rpm
php-mbstring-5.4.16-43.el7_4.x86_64.rpm
php-mysql-5.4.16-43.el7_4.x86_64.rpm
php-mysqlnd-5.4.16-43.el7_4.x86_64.rpm
php-odbc-5.4.16-43.el7_4.x86_64.rpm
php-pdo-5.4.16-43.el7_4.x86_64.rpm
php-pgsql-5.4.16-43.el7_4.x86_64.rpm
php-process-5.4.16-43.el7_4.x86_64.rpm
php-pspell-5.4.16-43.el7_4.x86_64.rpm
php-recode-5.4.16-43.el7_4.x86_64.rpm
php-snmp-5.4.16-43.el7_4.x86_64.rpm
php-soap-5.4.16-43.el7_4.x86_64.rpm
php-xml-5.4.16-43.el7_4.x86_64.rpm
php-xmlrpc-5.4.16-43.el7_4.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
php-5.4.16-43.el7_4.src.rpm

x86_64:
php-5.4.16-43.el7_4.x86_64.rpm
php-bcmath-5.4.16-43.el7_4.x86_64.rpm
php-cli-5.4.16-43.el7_4.x86_64.rpm
php-common-5.4.16-43.el7_4.x86_64.rpm
php-dba-5.4.16-43.el7_4.x86_64.rpm
php-debuginfo-5.4.16-43.el7_4.x86_64.rpm
php-devel-5.4.16-43.el7_4.x86_64.rpm
php-embedded-5.4.16-43.el7_4.x86_64.rpm
php-enchant-5.4.16-43.el7_4.x86_64.rpm
php-fpm-5.4.16-43.el7_4.x86_64.rpm
php-gd-5.4.16-43.el7_4.x86_64.rpm
php-intl-5.4.16-43.el7_4.x86_64.rpm
php-ldap-5.4.16-43.el7_4.x86_64.rpm
php-mbstring-5.4.16-43.el7_4.x86_64.rpm
php-mysql-5.4.16-43.el7_4.x86_64.rpm
php-mysqlnd-5.4.16-43.el7_4.x86_64.rpm
php-odbc-5.4.16-43.el7_4.x86_64.rpm
php-pdo-5.4.16-43.el7_4.x86_64.rpm
php-pgsql-5.4.16-43.el7_4.x86_64.rpm
php-process-5.4.16-43.el7_4.x86_64.rpm
php-pspell-5.4.16-43.el7_4.x86_64.rpm
php-recode-5.4.16-43.el7_4.x86_64.rpm
php-snmp-5.4.16-43.el7_4.x86_64.rpm
php-soap-5.4.16-43.el7_4.x86_64.rpm
php-xml-5.4.16-43.el7_4.x86_64.rpm
php-xmlrpc-5.4.16-43.el7_4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
php-5.4.16-43.el7_4.src.rpm

ppc64:
php-5.4.16-43.el7_4.ppc64.rpm
php-cli-5.4.16-43.el7_4.ppc64.rpm
php-common-5.4.16-43.el7_4.ppc64.rpm
php-debuginfo-5.4.16-43.el7_4.ppc64.rpm
php-gd-5.4.16-43.el7_4.ppc64.rpm
php-ldap-5.4.16-43.el7_4.ppc64.rpm
php-mysql-5.4.16-43.el7_4.ppc64.rpm
php-odbc-5.4.16-43.el7_4.ppc64.rpm
php-pdo-5.4.16-43.el7_4.ppc64.rpm
php-pgsql-5.4.16-43.el7_4.ppc64.rpm
php-process-5.4.16-43.el7_4.ppc64.rpm
php-recode-5.4.16-43.el7_4.ppc64.rpm
php-soap-5.4.16-43.el7_4.ppc64.rpm
php-xml-5.4.16-43.el7_4.ppc64.rpm
php-xmlrpc-5.4.16-43.el7_4.ppc64.rpm

ppc64le:
php-5.4.16-43.el7_4.ppc64le.rpm
php-cli-5.4.16-43.el7_4.ppc64le.rpm
php-common-5.4.16-43.el7_4.ppc64le.rpm
php-debuginfo-5.4.16-43.el7_4.ppc64le.rpm
php-gd-5.4.16-43.el7_4.ppc64le.rpm
php-ldap-5.4.16-43.el7_4.ppc64le.rpm
php-mysql-5.4.16-43.el7_4.ppc64le.rpm
php-odbc-5.4.16-43.el7_4.ppc64le.rpm
php-pdo-5.4.16-43.el7_4.ppc64le.rpm
php-pgsql-5.4.16-43.el7_4.ppc64le.rpm
php-process-5.4.16-43.el7_4.ppc64le.rpm
php-recode-5.4.16-43.el7_4.ppc64le.rpm
php-soap-5.4.16-43.el7_4.ppc64le.rpm
php-xml-5.4.16-43.el7_4.ppc64le.rpm
php-xmlrpc-5.4.16-43.el7_4.ppc64le.rpm

s390x:
php-5.4.16-43.el7_4.s390x.rpm
php-cli-5.4.16-43.el7_4.s390x.rpm
php-common-5.4.16-43.el7_4.s390x.rpm
php-debuginfo-5.4.16-43.el7_4.s390x.rpm
php-gd-5.4.16-43.el7_4.s390x.rpm
php-ldap-5.4.16-43.el7_4.s390x.rpm
php-mysql-5.4.16-43.el7_4.s390x.rpm
php-odbc-5.4.16-43.el7_4.s390x.rpm
php-pdo-5.4.16-43.el7_4.s390x.rpm
php-pgsql-5.4.16-43.el7_4.s390x.rpm
php-process-5.4.16-43.el7_4.s390x.rpm
php-recode-5.4.16-43.el7_4.s390x.rpm
php-soap-5.4.16-43.el7_4.s390x.rpm
php-xml-5.4.16-43.el7_4.s390x.rpm
php-xmlrpc-5.4.16-43.el7_4.s390x.rpm

x86_64:
php-5.4.16-43.el7_4.x86_64.rpm
php-cli-5.4.16-43.el7_4.x86_64.rpm
php-common-5.4.16-43.el7_4.x86_64.rpm
php-debuginfo-5.4.16-43.el7_4.x86_64.rpm
php-gd-5.4.16-43.el7_4.x86_64.rpm
php-ldap-5.4.16-43.el7_4.x86_64.rpm
php-mysql-5.4.16-43.el7_4.x86_64.rpm
php-odbc-5.4.16-43.el7_4.x86_64.rpm
php-pdo-5.4.16-43.el7_4.x86_64.rpm
php-pgsql-5.4.16-43.el7_4.x86_64.rpm
php-process-5.4.16-43.el7_4.x86_64.rpm
php-recode-5.4.16-43.el7_4.x86_64.rpm
php-soap-5.4.16-43.el7_4.x86_64.rpm
php-xml-5.4.16-43.el7_4.x86_64.rpm
php-xmlrpc-5.4.16-43.el7_4.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server (v. 7):

Source:
php-5.4.16-43.el7_4.src.rpm

aarch64:
php-5.4.16-43.el7_4.aarch64.rpm
php-cli-5.4.16-43.el7_4.aarch64.rpm
php-common-5.4.16-43.el7_4.aarch64.rpm
php-debuginfo-5.4.16-43.el7_4.aarch64.rpm
php-gd-5.4.16-43.el7_4.aarch64.rpm
php-ldap-5.4.16-43.el7_4.aarch64.rpm
php-mysql-5.4.16-43.el7_4.aarch64.rpm
php-odbc-5.4.16-43.el7_4.aarch64.rpm
php-pdo-5.4.16-43.el7_4.aarch64.rpm
php-pgsql-5.4.16-43.el7_4.aarch64.rpm
php-process-5.4.16-43.el7_4.aarch64.rpm
php-recode-5.4.16-43.el7_4.aarch64.rpm
php-soap-5.4.16-43.el7_4.aarch64.rpm
php-xml-5.4.16-43.el7_4.aarch64.rpm
php-xmlrpc-5.4.16-43.el7_4.aarch64.rpm

ppc64le:
php-5.4.16-43.el7_4.ppc64le.rpm
php-cli-5.4.16-43.el7_4.ppc64le.rpm
php-common-5.4.16-43.el7_4.ppc64le.rpm
php-debuginfo-5.4.16-43.el7_4.ppc64le.rpm
php-gd-5.4.16-43.el7_4.ppc64le.rpm
php-ldap-5.4.16-43.el7_4.ppc64le.rpm
php-mysql-5.4.16-43.el7_4.ppc64le.rpm
php-odbc-5.4.16-43.el7_4.ppc64le.rpm
php-pdo-5.4.16-43.el7_4.ppc64le.rpm
php-pgsql-5.4.16-43.el7_4.ppc64le.rpm
php-process-5.4.16-43.el7_4.ppc64le.rpm
php-recode-5.4.16-43.el7_4.ppc64le.rpm
php-soap-5.4.16-43.el7_4.ppc64le.rpm
php-xml-5.4.16-43.el7_4.ppc64le.rpm
php-xmlrpc-5.4.16-43.el7_4.ppc64le.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

ppc64:
php-bcmath-5.4.16-43.el7_4.ppc64.rpm
php-dba-5.4.16-43.el7_4.ppc64.rpm
php-debuginfo-5.4.16-43.el7_4.ppc64.rpm
php-devel-5.4.16-43.el7_4.ppc64.rpm
php-embedded-5.4.16-43.el7_4.ppc64.rpm
php-enchant-5.4.16-43.el7_4.ppc64.rpm
php-fpm-5.4.16-43.el7_4.ppc64.rpm
php-intl-5.4.16-43.el7_4.ppc64.rpm
php-mbstring-5.4.16-43.el7_4.ppc64.rpm
php-mysqlnd-5.4.16-43.el7_4.ppc64.rpm
php-pspell-5.4.16-43.el7_4.ppc64.rpm
php-snmp-5.4.16-43.el7_4.ppc64.rpm

ppc64le:
php-bcmath-5.4.16-43.el7_4.ppc64le.rpm
php-dba-5.4.16-43.el7_4.ppc64le.rpm
php-debuginfo-5.4.16-43.el7_4.ppc64le.rpm
php-devel-5.4.16-43.el7_4.ppc64le.rpm
php-embedded-5.4.16-43.el7_4.ppc64le.rpm
php-enchant-5.4.16-43.el7_4.ppc64le.rpm
php-fpm-5.4.16-43.el7_4.ppc64le.rpm
php-intl-5.4.16-43.el7_4.ppc64le.rpm
php-mbstring-5.4.16-43.el7_4.ppc64le.rpm
php-mysqlnd-5.4.16-43.el7_4.ppc64le.rpm
php-pspell-5.4.16-43.el7_4.ppc64le.rpm
php-snmp-5.4.16-43.el7_4.ppc64le.rpm

s390x:
php-bcmath-5.4.16-43.el7_4.s390x.rpm
php-dba-5.4.16-43.el7_4.s390x.rpm
php-debuginfo-5.4.16-43.el7_4.s390x.rpm
php-devel-5.4.16-43.el7_4.s390x.rpm
php-embedded-5.4.16-43.el7_4.s390x.rpm
php-enchant-5.4.16-43.el7_4.s390x.rpm
php-fpm-5.4.16-43.el7_4.s390x.rpm
php-intl-5.4.16-43.el7_4.s390x.rpm
php-mbstring-5.4.16-43.el7_4.s390x.rpm
php-mysqlnd-5.4.16-43.el7_4.s390x.rpm
php-pspell-5.4.16-43.el7_4.s390x.rpm
php-snmp-5.4.16-43.el7_4.s390x.rpm

x86_64:
php-bcmath-5.4.16-43.el7_4.x86_64.rpm
php-dba-5.4.16-43.el7_4.x86_64.rpm
php-debuginfo-5.4.16-43.el7_4.x86_64.rpm
php-devel-5.4.16-43.el7_4.x86_64.rpm
php-embedded-5.4.16-43.el7_4.x86_64.rpm
php-enchant-5.4.16-43.el7_4.x86_64.rpm
php-fpm-5.4.16-43.el7_4.x86_64.rpm
php-intl-5.4.16-43.el7_4.x86_64.rpm
php-mbstring-5.4.16-43.el7_4.x86_64.rpm
php-mysqlnd-5.4.16-43.el7_4.x86_64.rpm
php-pspell-5.4.16-43.el7_4.x86_64.rpm
php-snmp-5.4.16-43.el7_4.x86_64.rpm

Red Hat Enterprise Linux for ARM and IBM Power LE (POWER9) Server Optional (v. 7):

aarch64:
php-bcmath-5.4.16-43.el7_4.aarch64.rpm
php-dba-5.4.16-43.el7_4.aarch64.rpm
php-debuginfo-5.4.16-43.el7_4.aarch64.rpm
php-devel-5.4.16-43.el7_4.aarch64.rpm
php-embedded-5.4.16-43.el7_4.aarch64.rpm
php-enchant-5.4.16-43.el7_4.aarch64.rpm
php-fpm-5.4.16-43.el7_4.aarch64.rpm
php-intl-5.4.16-43.el7_4.aarch64.rpm
php-mbstring-5.4.16-43.el7_4.aarch64.rpm
php-mysqlnd-5.4.16-43.el7_4.aarch64.rpm
php-pspell-5.4.16-43.el7_4.aarch64.rpm
php-snmp-5.4.16-43.el7_4.aarch64.rpm

ppc64le:
php-bcmath-5.4.16-43.el7_4.ppc64le.rpm
php-dba-5.4.16-43.el7_4.ppc64le.rpm
php-debuginfo-5.4.16-43.el7_4.ppc64le.rpm
php-devel-5.4.16-43.el7_4.ppc64le.rpm
php-embedded-5.4.16-43.el7_4.ppc64le.rpm
php-enchant-5.4.16-43.el7_4.ppc64le.rpm
php-fpm-5.4.16-43.el7_4.ppc64le.rpm
php-intl-5.4.16-43.el7_4.ppc64le.rpm
php-mbstring-5.4.16-43.el7_4.ppc64le.rpm
php-mysqlnd-5.4.16-43.el7_4.ppc64le.rpm
php-pspell-5.4.16-43.el7_4.ppc64le.rpm
php-snmp-5.4.16-43.el7_4.ppc64le.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
php-5.4.16-43.el7_4.src.rpm

x86_64:
php-5.4.16-43.el7_4.x86_64.rpm
php-cli-5.4.16-43.el7_4.x86_64.rpm
php-common-5.4.16-43.el7_4.x86_64.rpm
php-debuginfo-5.4.16-43.el7_4.x86_64.rpm
php-gd-5.4.16-43.el7_4.x86_64.rpm
php-ldap-5.4.16-43.el7_4.x86_64.rpm
php-mysql-5.4.16-43.el7_4.x86_64.rpm
php-odbc-5.4.16-43.el7_4.x86_64.rpm
php-pdo-5.4.16-43.el7_4.x86_64.rpm
php-pgsql-5.4.16-43.el7_4.x86_64.rpm
php-process-5.4.16-43.el7_4.x86_64.rpm
php-recode-5.4.16-43.el7_4.x86_64.rpm
php-soap-5.4.16-43.el7_4.x86_64.rpm
php-xml-5.4.16-43.el7_4.x86_64.rpm
php-xmlrpc-5.4.16-43.el7_4.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
php-bcmath-5.4.16-43.el7_4.x86_64.rpm
php-dba-5.4.16-43.el7_4.x86_64.rpm
php-debuginfo-5.4.16-43.el7_4.x86_64.rpm
php-devel-5.4.16-43.el7_4.x86_64.rpm
php-embedded-5.4.16-43.el7_4.x86_64.rpm
php-enchant-5.4.16-43.el7_4.x86_64.rpm
php-fpm-5.4.16-43.el7_4.x86_64.rpm
php-intl-5.4.16-43.el7_4.x86_64.rpm
php-mbstring-5.4.16-43.el7_4.x86_64.rpm
php-mysqlnd-5.4.16-43.el7_4.x86_64.rpm
php-pspell-5.4.16-43.el7_4.x86_64.rpm
php-snmp-5.4.16-43.el7_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-10167
https://access.redhat.com/security/cve/CVE-2016-10168
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaC8oXXlSAg2UNWIIRAjgpAKC7tNVMZ8WAe80bNA6zVYqKmgvejQCfTEAE
YPk/SfOyhk4gvGSG+f5ofQU=
=Nk0L
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC