Vulnerabilities > CVE-2015-2305 - Integer Overflow or Wraparound vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Nessus

  • NASL familyCGI abuses
    NASL idPHP_5_6_7.NASL
    descriptionAccording to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.7. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function
    last seen2020-06-01
    modified2020-06-02
    plugin id82027
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82027
    titlePHP 5.6.x < 5.6.7 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(82027);
      script_version("1.15");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2015-0231",
        "CVE-2015-2305",
        "CVE-2015-2331",
        "CVE-2015-2348",
        "CVE-2015-2787",
        "CVE-2015-4147",
        "CVE-2015-4148"
      );
      script_bugtraq_id(
        72539,
        73182,
        73357,
        73381,
        73383,
        73385,
        73431,
        73434,
        75103
      );
    
      script_name(english:"PHP 5.6.x < 5.6.7 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of PHP.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server uses a version of PHP that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of PHP 5.6.x installed on the
    remote host is prior to 5.6.7. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A use-after-free error exists related to function
        'unserialize', which can allow a remote attacker to
        execute arbitrary code. Note that this issue is due to
        an incomplete fix for CVE-2014-8142. (CVE-2015-0231)
    
      - An integer overflow error exists in function 'regcomp'
        in the Henry Spencer regex library, due to improper
        validation of user-supplied input. An attacker can
        exploit this to cause a denial of service or to execute
        arbitrary code. (CVE-2015-2305)
    
      - An integer overflow error exists in the '_zip_cdir_new'
        function, due to improper validation of user-supplied
        input. An attacker, using a crafted ZIP archive, can
        exploit this to cause a denial of service or to execute
        arbitrary code. (CVE-2015-2331)
    
      - A filter bypass vulnerability exists due to a flaw in
        the move_uploaded_file() function in which pathnames are
        truncated when a NULL byte is encountered. This allows a
        remote attacker, via a crafted second argument, to
        bypass intended extension restrictions and create files
        with unexpected names. (CVE-2015-2348)
    
      - A user-after-free error exists in the
        process_nested_data() function. This allows a remote
        attacker, via a crafted unserialize call, to dereference
        already freed memory, resulting in the execution of
        arbitrary code. (CVE-2015-2787)
    
      - A type confusion vulnerability in the
        SoapClient's __call() function in ext/soap/soap.c
        could allow a remote attacker to execute arbitrary
        code by providing crafted serialized data with an
        unexpected data type (CVE-2015-4147, CVE-2015-4148)
    
    Note that Nessus has not attempted to exploit these issues but has
    instead relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.7");
      script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=69207");
      script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68976");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 5.6.7 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4147");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/03/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/24");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("php_version.nasl");
      script_require_keys("www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    # Check that it is the correct version of PHP
    if (version =~ "^5(\.6)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
    if (version !~ "^5\.6\.") audit(AUDIT_NOT_DETECT, "PHP version 5.6.x", port);
    
    if (version =~ "^5\.6\.[0-6]($|[^0-9])")
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : '+source +
          '\n  Installed version : '+version +
          '\n  Fixed version     : 5.6.7' +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2015-111-10.NASL
    descriptionNew php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82923
    published2015-04-22
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82923
    titleSlackware 14.0 / 14.1 / current : php (SSA:2015-111-10)
  • NASL familyMisc.
    NASL idCLAMAV_0_98_7.NASL
    descriptionAccording to its version, the ClamAV clamd antivirus daemon on the remote host is prior to 0.98.7. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the pefromupx() function in upx.c. A remote attacker can exploit this flaw, via a specially crafted file, to crash the application. (CVE-2015-2170) - An unspecified flaw exists in the yc_poly_emulator() function in yc.c. A remote attacker can exploit this flaw, via a specially crafted y0da cryptor file, to cause an infinite loop and application hang. (CVE-2015-2221) - An unspecified flaw exists in the cli_scanpe() function in pe.c. A remote attacker can exploit this, via a specially crafted petite packer file, to crash the program. (CVE-2015-2222) - An integer overflow condition exists in the bundled Henry Spencer regex library in the regcomp() function in regcomp.c due to improper validation of user-supplied input. A remote attacker can exploit this to cause a buffer overflow, resulting in a denial of service or the execution of arbitrary code. (CVE-2015-2305) - An unspecified flaw exists when handling specially crafted xz archive files. A remote attacker can exploit this to cause an infinite loop. (CVE-2015-2668)
    last seen2020-06-01
    modified2020-06-02
    plugin id83352
    published2015-05-12
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83352
    titleClamAV < 0.98.7 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-282.NASL
    descriptionPHP was updated to fix several security issues. The following vulnerabilities were fixed : - A specially crafted GIF file could cause a buffer read overflow in php-gd (CVE-2014-9709 bnc#923946) - Memory was use after it was freed in PHAR (CVE-2015-2301 bnc#922022) - heap overflow vulnerability in regcomp.c (CVE-2015-2305 bnc#922452) - heap buffer overflow in Enchant (CVE-2014-9705 bnc#922451) For openSUSE 13.2, the following additional vulnerability was fixed : - A specially crafted zip file could lead to writing past the heap boundary (CVE-2015-2331 bnc#922894)
    last seen2020-06-05
    modified2015-04-02
    plugin id82516
    published2015-04-02
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82516
    titleopenSUSE Security Update : php5 (openSUSE-2015-282)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_11.NASL
    descriptionThe remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id86270
    published2015-10-05
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86270
    titleMac OS X < 10.11 Multiple Vulnerabilities (GHOST)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-4255.NASL
    description**19 Mar 2015, PHP 5.6.7** Core : - Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence) - Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence) - Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net) - Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike) - Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com) - Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus) - Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com) - Fixed bug #68976 (Use After Free Vulnerability in unserialize()) (CVE-2015-0231). (Stas) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) CGI : - Fixed bug #69015 (php-cgi
    last seen2020-06-05
    modified2015-03-27
    plugin id82284
    published2015-03-27
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82284
    titleFedora 22 : php-5.6.7-2.fc22 (2015-4255)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1638-1.NASL
    descriptionThis update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don
    last seen2020-06-01
    modified2020-06-02
    plugin id93161
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93161
    titleSUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-444.NASL
    descriptionCVE-2015-2305 Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow. CVE-2015-2348 The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243. CVE-2016-tmp, Bug #71039 exec functions ignore length but look for NULL termination CVE-2016-tmp, Bug #71089 No check to duplicate zend_extension CVE-2016-tmp, Bug #71201 round() segfault on 64-bit builds CVE-2016-tmp, Bug #71459 Integer overflow in iptcembed() CVE-2016-tmp, Bug #71354 Heap corruption in tar/zip/phar parser CVE-2016-tmp, Bug #71391 NULL pointer Dereference in phar_tar_setupmetadata() CVE-2016-tmp, Bug #70979 Crash on bad SOAP request NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2016-03-01
    plugin id89044
    published2016-03-01
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89044
    titleDebian DLA-444-1 : php5 security update
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-506.NASL
    descriptionA use-after-free flaw was found in the way PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id82834
    published2015-04-17
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82834
    titleAmazon Linux AMI : php54 (ALAS-2015-506)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_3D0428B2FDFB11E4894FD050996490D0.NASL
    descriptionClamAV project reports : ClamAV 0.98.7 is here! This release contains new scanning features and bug fixes. Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. Fix an infinite loop condition on a crafted
    last seen2020-06-01
    modified2020-06-02
    plugin id83555
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83555
    titleFreeBSD : clamav -- multiple vulnerabilities (3d0428b2-fdfb-11e4-894f-d050996490d0)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-7378.NASL
    descriptionClamAV 0.98.7 ============= This release contains new scanning features and bug fixes. - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted
    last seen2020-06-05
    modified2015-05-13
    plugin id83386
    published2015-05-13
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83386
    titleFedora 20 : clamav-0.98.7-1.fc20 (2015-7378)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0868-1.NASL
    descriptionPHP was updated to fix ten security issues. The following vulnerabilities were fixed : - CVE-2014-9709: A specially crafted GIF file could cause a buffer read overflow in php-gd (bnc#923946) - CVE-2015-2301: Memory was use after it was freed in PHAR (bnc#922022) - CVE-2015-2305: heap overflow vulnerability in regcomp.c (bnc#922452) - CVE-2014-9705: heap buffer overflow in Enchant (bnc#922451) - CVE-2015-2787: use-after-free vulnerability in the process_nested_data function (bnc#924972) - unserialize SoapClient type confusion (bnc#925109) - CVE-2015-2348: move_uploaded_file truncates a pathNAME upon encountering a x00 character (bnc#924970) - CVE-2015-3330: Specially crafted PHAR files could, when executed under Apache httpd 2.4 (apache2handler), allow arbitrary code execution (bnc#928506) - CVE-2015-3329: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer overflow (bnc#928506) - CVE-2015-2783: Specially crafted PHAR data could lead to disclosure of sensitive information due to a buffer over-read (bnc#928511) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id119964
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119964
    titleSUSE SLES12 Security Update : php5 (SUSE-SU-2015:0868-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-7346.NASL
    descriptionClamAV 0.98.7 ============= This release contains new scanning features and bug fixes. - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted
    last seen2020-06-05
    modified2015-05-04
    plugin id83227
    published2015-05-04
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83227
    titleFedora 22 : clamav-0.98.7-1.fc22 (2015-7346)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_742563D4D77611E4B5954061861086C1.NASL
    descriptionThe PHP project reports : The PHP development team announces the immediate availability of PHP 5.6.7. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.6 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.5.23. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.5 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.4.39. Six security-related bugs were fixed in this release, including CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.4 users are encouraged to upgrade to this version.
    last seen2020-06-01
    modified2020-06-02
    plugin id82514
    published2015-04-02
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82514
    titleFreeBSD : Several vulnerabilities found in PHP (742563d4-d776-11e4-b595-4061861086c1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2572-1.NASL
    descriptionIt was discovered that PHP incorrectly handled cleanup when used with Apache 2.4. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3330) It was discovered that PHP incorrectly handled opening tar, zip or phar archives through the PHAR extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-3329) It was discovered that PHP incorrectly handled regular expressions. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-2305) Paulos Yibelo discovered that PHP incorrectly handled moving files when a pathname contained a null character. A remote attacker could use this issue to possibly bypass filename restrictions. This issue only applied to Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2015-2348) It was discovered that PHP incorrectly handled unserializing PHAR files. A remote attacker could use this issue to cause PHP to possibly expose sensitive information. (CVE-2015-2783) Taoguang Chen discovered that PHP incorrectly handled unserializing certain objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-2787). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82911
    published2015-04-21
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82911
    titleUbuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : php5 vulnerabilities (USN-2572-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2594-1.NASL
    descriptionIt was discovered that ClamAV incorrectly handled certain malformed files. A remote attacker could use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code. In the default installation, attackers would be isolated by the ClamAV AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id83255
    published2015-05-06
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83255
    titleUbuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : clamav vulnerabilities (USN-2594-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-524.NASL
    descriptionInteger overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.
    last seen2020-06-01
    modified2020-06-02
    plugin id83494
    published2015-05-18
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83494
    titleAmazon Linux AMI : php (ALAS-2015-524)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0946-1.NASL
    descriptionMySQL was updated to version 5.5.43 to fix several security and non security issues : CVEs fixed: CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, CVE-2015-0405, CVE-2015-0423, CVE-2015-0433, CVE-2015-0438, CVE-2015-0439, CVE-2015-0441, CVE-2015-0498, CVE-2015-0499, CVE-2015-0500, CVE-2015-0501, CVE-2015-0503, CVE-2015-0505, CVE-2015-0506, CVE-2015-0507, CVE-2015-0508, CVE-2015-0511, CVE-2015-2566, CVE-2015-2567, CVE-2015-2568, CVE-2015-2571, CVE-2015-2573, CVE-2015-2576. Fix integer overflow in regcomp (Henry Spencer
    last seen2020-06-01
    modified2020-06-02
    plugin id83860
    published2015-05-27
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83860
    titleSUSE SLED11 / SLES11 Security Update : MySQL (SUSE-SU-2015:0946-1) (FREAK)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-366.NASL
    descriptionThe ClamAV antivirus engine was updated to version 0.98.7 to fix several security and non-security issues. The following vulnerabilities were fixed (bsc#929192) : - CVE-2015-2170: Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. - CVE-2015-2221: Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. - CVE-2015-2222: Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. - CVE-2015-2668: Fix an infinite loop condition on a crafted
    last seen2020-06-05
    modified2015-05-20
    plugin id83558
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83558
    titleopenSUSE Security Update : clamav (openSUSE-2015-366)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-507.NASL
    descriptionA use-after-free flaw was found in the way PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id82835
    published2015-04-17
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82835
    titleAmazon Linux AMI : php55 (ALAS-2015-507)
  • NASL familyCGI abuses
    NASL idPHP_5_5_23.NASL
    descriptionAccording to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.23. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function
    last seen2020-06-01
    modified2020-06-02
    plugin id82026
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82026
    titlePHP 5.5.x < 5.5.23 Multiple Vulnerabilities
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-508.NASL
    descriptionA use-after-free flaw was found in the way PHP
    last seen2020-06-01
    modified2020-06-02
    plugin id82836
    published2015-04-17
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82836
    titleAmazon Linux AMI : php56 (ALAS-2015-508)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-4236.NASL
    description**19 Mar 2015, PHP 5.6.7** Core : - Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence) - Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence) - Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net) - Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike) - Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com) - Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus) - Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com) - Fixed bug #68976 (Use After Free Vulnerability in unserialize()) (CVE-2015-0231). (Stas) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) CGI : - Fixed bug #69015 (php-cgi
    last seen2020-06-05
    modified2015-03-31
    plugin id82435
    published2015-03-31
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82435
    titleFedora 21 : php-5.6.7-1.fc21 (2015-4236)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3195.NASL
    descriptionMultiple vulnerabilities have been discovered in the PHP language : - CVE-2015-2305 Guido Vranken discovered a heap overflow in the ereg extension (only applicable to 32 bit systems). - CVE-2014-9705 Buffer overflow in the enchant extension. - CVE-2015-0231 Stefan Esser discovered a use-after-free in the unserialisation of objects. - CVE-2015-0232 Alex Eubanks discovered incorrect memory management in the exif extension. - CVE-2015-0273 Use-after-free in the unserialisation of DateTimeZone.
    last seen2020-03-17
    modified2015-03-19
    plugin id81926
    published2015-03-19
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/81926
    titleDebian DSA-3195-1 : php5 - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-7334.NASL
    descriptionClamAV 0.98.7 ============= This release contains new scanning features and bug fixes. - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. - Scanning/analysis of additional Microsoft Office 2003 XML format. - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221. - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2222. - Fix false negatives on files within iso9660 containers. This issue was reported by Minzhuan Gong. - Fix a couple crashes on crafted upack packed file. Identified and patches supplied by Sebastian Andrzej Siewior. - Fix a crash during algorithmic detection on crafted PE file. Identified and patch supplied by Sebastian Andrzej Siewior. - Fix an infinite loop condition on a crafted
    last seen2020-06-05
    modified2015-05-04
    plugin id83226
    published2015-05-04
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83226
    titleFedora 21 : clamav-0.98.7-1.fc21 (2015-7334)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1018-1.NASL
    descriptionPHP 5.3 was updated to fix multiple security issues : bnc#931776: pcntl_exec() does not check path validity (CVE-2015-4026) bnc#931772: overflow in ftp_genlist() resulting in heap overflow (CVE-2015-4022) bnc#931769: memory corruption in phar_parse_tarfile when entry filename starts with NULL (CVE-2015-4021) bnc#931421: multipart/form-data remote denial-of-service vulnerability (CVE-2015-4024) bnc#928511: buffer over-read in unserialize when parsing Phar (CVE-2015-2783) bnc#928506: buffer over flow when parsing tar/zip/phar in phar_set_inode() (CVE-2015-3329) bnc#925109: SoapClient
    last seen2020-06-01
    modified2020-06-02
    plugin id84082
    published2015-06-10
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84082
    titleSUSE SLES11 Security Update : php53 (SUSE-SU-2015:1018-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_CLAMAV-150507.NASL
    descriptionThe ClamAV antivirus engine was updated to version 0.98.7 to fix several security issues : - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. (CVE-2015-2170) - Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior. (CVE-2015-2221) - Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior. (CVE-2015-2222) - Fix an infinite loop condition on a crafted
    last seen2020-06-01
    modified2020-06-02
    plugin id83461
    published2015-05-14
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83461
    titleSuSE 11.3 Security Update : clamav (SAT Patch Number 10664)
  • NASL familyCGI abuses
    NASL idPHP_5_4_39.NASL
    descriptionAccording to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.39. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function
    last seen2020-06-01
    modified2020-06-02
    plugin id82025
    published2015-03-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82025
    titlePHP 5.4.x < 5.4.39 Multiple Vulnerabilities
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-221.NASL
    descriptionMultiple vulnerabilities has been found and corrected in clamav : Fix infinite loop condition on crafted y0da cryptor file. Identified and patch suggested by Sebastian Andrzej Siewior (CVE-2015-2221). Fix crash on crafted petite packed file. Reported and patch supplied by Sebastian Andrzej Siewior (CVE-2015-2222). Fix an infinite loop condition on a crafted xz archive file. This was reported by Dimitri Kirchner and Goulven Guiheux (CVE-2015-2668). Apply upstream patch for possible heap overflow in Henry Spencer
    last seen2020-06-01
    modified2020-06-02
    plugin id83245
    published2015-05-05
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83245
    titleMandriva Linux Security Advisory : clamav (MDVSA-2015:221)

Redhat

advisories
  • rhsa
    idRHSA-2015:1053
  • rhsa
    idRHSA-2015:1066
rpms
  • php55-0:2.0-1.el6
  • php55-0:2.0-1.el7
  • php55-php-0:5.5.21-2.el6
  • php55-php-0:5.5.21-2.el7
  • php55-php-bcmath-0:5.5.21-2.el6
  • php55-php-bcmath-0:5.5.21-2.el7
  • php55-php-cli-0:5.5.21-2.el6
  • php55-php-cli-0:5.5.21-2.el7
  • php55-php-common-0:5.5.21-2.el6
  • php55-php-common-0:5.5.21-2.el7
  • php55-php-dba-0:5.5.21-2.el6
  • php55-php-dba-0:5.5.21-2.el7
  • php55-php-debuginfo-0:5.5.21-2.el6
  • php55-php-debuginfo-0:5.5.21-2.el7
  • php55-php-devel-0:5.5.21-2.el6
  • php55-php-devel-0:5.5.21-2.el7
  • php55-php-enchant-0:5.5.21-2.el6
  • php55-php-enchant-0:5.5.21-2.el7
  • php55-php-fpm-0:5.5.21-2.el6
  • php55-php-fpm-0:5.5.21-2.el7
  • php55-php-gd-0:5.5.21-2.el6
  • php55-php-gd-0:5.5.21-2.el7
  • php55-php-gmp-0:5.5.21-2.el6
  • php55-php-gmp-0:5.5.21-2.el7
  • php55-php-imap-0:5.5.21-2.el6
  • php55-php-intl-0:5.5.21-2.el6
  • php55-php-intl-0:5.5.21-2.el7
  • php55-php-ldap-0:5.5.21-2.el6
  • php55-php-ldap-0:5.5.21-2.el7
  • php55-php-mbstring-0:5.5.21-2.el6
  • php55-php-mbstring-0:5.5.21-2.el7
  • php55-php-mysqlnd-0:5.5.21-2.el6
  • php55-php-mysqlnd-0:5.5.21-2.el7
  • php55-php-odbc-0:5.5.21-2.el6
  • php55-php-odbc-0:5.5.21-2.el7
  • php55-php-opcache-0:5.5.21-2.el6
  • php55-php-opcache-0:5.5.21-2.el7
  • php55-php-pdo-0:5.5.21-2.el6
  • php55-php-pdo-0:5.5.21-2.el7
  • php55-php-pgsql-0:5.5.21-2.el6
  • php55-php-pgsql-0:5.5.21-2.el7
  • php55-php-process-0:5.5.21-2.el6
  • php55-php-process-0:5.5.21-2.el7
  • php55-php-pspell-0:5.5.21-2.el6
  • php55-php-pspell-0:5.5.21-2.el7
  • php55-php-recode-0:5.5.21-2.el6
  • php55-php-recode-0:5.5.21-2.el7
  • php55-php-snmp-0:5.5.21-2.el6
  • php55-php-snmp-0:5.5.21-2.el7
  • php55-php-soap-0:5.5.21-2.el6
  • php55-php-soap-0:5.5.21-2.el7
  • php55-php-tidy-0:5.5.21-2.el6
  • php55-php-xml-0:5.5.21-2.el6
  • php55-php-xml-0:5.5.21-2.el7
  • php55-php-xmlrpc-0:5.5.21-2.el6
  • php55-php-xmlrpc-0:5.5.21-2.el7
  • php55-runtime-0:2.0-1.el6
  • php55-runtime-0:2.0-1.el7
  • php55-scldevel-0:2.0-1.el6
  • php55-scldevel-0:2.0-1.el7
  • php54-0:2.0-1.el6
  • php54-0:2.0-1.el7
  • php54-php-0:5.4.40-1.el6
  • php54-php-0:5.4.40-1.el7
  • php54-php-bcmath-0:5.4.40-1.el6
  • php54-php-bcmath-0:5.4.40-1.el7
  • php54-php-cli-0:5.4.40-1.el6
  • php54-php-cli-0:5.4.40-1.el7
  • php54-php-common-0:5.4.40-1.el6
  • php54-php-common-0:5.4.40-1.el7
  • php54-php-dba-0:5.4.40-1.el6
  • php54-php-dba-0:5.4.40-1.el7
  • php54-php-debuginfo-0:5.4.40-1.el6
  • php54-php-debuginfo-0:5.4.40-1.el7
  • php54-php-devel-0:5.4.40-1.el6
  • php54-php-devel-0:5.4.40-1.el7
  • php54-php-enchant-0:5.4.40-1.el6
  • php54-php-enchant-0:5.4.40-1.el7
  • php54-php-fpm-0:5.4.40-1.el6
  • php54-php-fpm-0:5.4.40-1.el7
  • php54-php-gd-0:5.4.40-1.el6
  • php54-php-gd-0:5.4.40-1.el7
  • php54-php-imap-0:5.4.40-1.el6
  • php54-php-intl-0:5.4.40-1.el6
  • php54-php-intl-0:5.4.40-1.el7
  • php54-php-ldap-0:5.4.40-1.el6
  • php54-php-ldap-0:5.4.40-1.el7
  • php54-php-mbstring-0:5.4.40-1.el6
  • php54-php-mbstring-0:5.4.40-1.el7
  • php54-php-mysqlnd-0:5.4.40-1.el6
  • php54-php-mysqlnd-0:5.4.40-1.el7
  • php54-php-odbc-0:5.4.40-1.el6
  • php54-php-odbc-0:5.4.40-1.el7
  • php54-php-pdo-0:5.4.40-1.el6
  • php54-php-pdo-0:5.4.40-1.el7
  • php54-php-pecl-zendopcache-0:7.0.4-3.el6
  • php54-php-pecl-zendopcache-0:7.0.4-3.el7
  • php54-php-pecl-zendopcache-debuginfo-0:7.0.4-3.el6
  • php54-php-pecl-zendopcache-debuginfo-0:7.0.4-3.el7
  • php54-php-pgsql-0:5.4.40-1.el6
  • php54-php-pgsql-0:5.4.40-1.el7
  • php54-php-process-0:5.4.40-1.el6
  • php54-php-process-0:5.4.40-1.el7
  • php54-php-pspell-0:5.4.40-1.el6
  • php54-php-pspell-0:5.4.40-1.el7
  • php54-php-recode-0:5.4.40-1.el6
  • php54-php-recode-0:5.4.40-1.el7
  • php54-php-snmp-0:5.4.40-1.el6
  • php54-php-snmp-0:5.4.40-1.el7
  • php54-php-soap-0:5.4.40-1.el6
  • php54-php-soap-0:5.4.40-1.el7
  • php54-php-tidy-0:5.4.40-1.el6
  • php54-php-xml-0:5.4.40-1.el6
  • php54-php-xml-0:5.4.40-1.el7
  • php54-php-xmlrpc-0:5.4.40-1.el6
  • php54-php-xmlrpc-0:5.4.40-1.el7
  • php54-runtime-0:2.0-1.el6
  • php54-runtime-0:2.0-1.el7
  • php54-scldevel-0:2.0-1.el6
  • php54-scldevel-0:2.0-1.el7

References