Vulnerabilities > CVE-2015-2331 - Numeric Errors vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CGI abuses NASL id PHP_5_6_7.NASL description According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.7. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function last seen 2020-06-01 modified 2020-06-02 plugin id 82027 published 2015-03-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82027 title PHP 5.6.x < 5.6.7 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(82027); script_version("1.15"); script_cvs_date("Date: 2019/11/22"); script_cve_id( "CVE-2015-0231", "CVE-2015-2305", "CVE-2015-2331", "CVE-2015-2348", "CVE-2015-2787", "CVE-2015-4147", "CVE-2015-4148" ); script_bugtraq_id( 72539, 73182, 73357, 73381, 73383, 73385, 73431, 73434, 75103 ); script_name(english:"PHP 5.6.x < 5.6.7 Multiple Vulnerabilities"); script_summary(english:"Checks the version of PHP."); script_set_attribute(attribute:"synopsis", value: "The remote web server uses a version of PHP that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its banner, the version of PHP 5.6.x installed on the remote host is prior to 5.6.7. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function 'unserialize', which can allow a remote attacker to execute arbitrary code. Note that this issue is due to an incomplete fix for CVE-2014-8142. (CVE-2015-0231) - An integer overflow error exists in function 'regcomp' in the Henry Spencer regex library, due to improper validation of user-supplied input. An attacker can exploit this to cause a denial of service or to execute arbitrary code. (CVE-2015-2305) - An integer overflow error exists in the '_zip_cdir_new' function, due to improper validation of user-supplied input. An attacker, using a crafted ZIP archive, can exploit this to cause a denial of service or to execute arbitrary code. (CVE-2015-2331) - A filter bypass vulnerability exists due to a flaw in the move_uploaded_file() function in which pathnames are truncated when a NULL byte is encountered. This allows a remote attacker, via a crafted second argument, to bypass intended extension restrictions and create files with unexpected names. (CVE-2015-2348) - A user-after-free error exists in the process_nested_data() function. This allows a remote attacker, via a crafted unserialize call, to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2015-2787) - A type confusion vulnerability in the SoapClient's __call() function in ext/soap/soap.c could allow a remote attacker to execute arbitrary code by providing crafted serialized data with an unexpected data type (CVE-2015-4147, CVE-2015-4148) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-5.php#5.6.7"); script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=69207"); script_set_attribute(attribute:"see_also", value:"https://bugs.php.net/bug.php?id=68976"); script_set_attribute(attribute:"solution", value: "Upgrade to PHP version 5.6.7 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4147"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/18"); script_set_attribute(attribute:"patch_publication_date", value:"2015/03/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/24"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("php_version.nasl"); script_require_keys("www/PHP"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); php = get_php_from_kb( port : port, exit_on_fail : TRUE ); version = php["ver"]; source = php["src"]; backported = get_kb_item('www/php/'+port+'/'+version+'/backported'); if (report_paranoia < 2 && backported) audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install"); # Check that it is the correct version of PHP if (version =~ "^5(\.6)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version); if (version !~ "^5\.6\.") audit(AUDIT_NOT_DETECT, "PHP version 5.6.x", port); if (version =~ "^5\.6\.[0-6]($|[^0-9])") { if (report_verbosity > 0) { report = '\n Version source : '+source + '\n Installed version : '+version + '\n Fixed version : 5.6.7' + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2015-111-10.NASL description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 82923 published 2015-04-22 reporter This script is Copyright (C) 2015-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82923 title Slackware 14.0 / 14.1 / current : php (SSA:2015-111-10) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-282.NASL description PHP was updated to fix several security issues. The following vulnerabilities were fixed : - A specially crafted GIF file could cause a buffer read overflow in php-gd (CVE-2014-9709 bnc#923946) - Memory was use after it was freed in PHAR (CVE-2015-2301 bnc#922022) - heap overflow vulnerability in regcomp.c (CVE-2015-2305 bnc#922452) - heap buffer overflow in Enchant (CVE-2014-9705 bnc#922451) For openSUSE 13.2, the following additional vulnerability was fixed : - A specially crafted zip file could lead to writing past the heap boundary (CVE-2015-2331 bnc#922894) last seen 2020-06-05 modified 2015-04-02 plugin id 82516 published 2015-04-02 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82516 title openSUSE Security Update : php5 (openSUSE-2015-282) NASL family MacOS X Local Security Checks NASL id MACOSX_10_11.NASL description The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components : - Address Book - AirScan - apache_mod_php - Apple Online Store Kit - AppleEvents - Audio - bash - Certificate Trust Policy - CFNetwork Cookies - CFNetwork FTPProtocol - CFNetwork HTTPProtocol - CFNetwork Proxies - CFNetwork SSL - CoreCrypto - CoreText - Dev Tools - Disk Images - dyld - EFI - Finder - Game Center - Heimdal - ICU - Install Framework Legacy - Intel Graphics Driver - IOAudioFamily - IOGraphics - IOHIDFamily - IOStorageFamily - Kernel - libc - libpthread - libxpc - Login Window - lukemftpd - Mail - Multipeer Connectivity - NetworkExtension - Notes - OpenSSH - OpenSSL - procmail - remote_cmds - removefile - Ruby - Safari - Safari Downloads - Safari Extensions - Safari Safe Browsing - Security - SMB - SQLite - Telephony - Terminal - tidy - Time Machine - WebKit - WebKit CSS - WebKit JavaScript Bindings - WebKit Page Loading - WebKit Plug-ins Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 86270 published 2015-10-05 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86270 title Mac OS X < 10.11 Multiple Vulnerabilities (GHOST) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-080.NASL description Multiple vulnerabilities has been discovered and corrected in php : It was discovered that the file utility contains a flaw in the handling of indirect magic rules in the libmagic library, which leads to an infinite recursion when trying to determine the file type of certain files (CVE-2014-1943). A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code (CVE-2014-2270). The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters (CVE-2013-7345). PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain socket with world-writable permissions by default, which allows any local user to connect to it and execute PHP scripts as the apache user (CVE-2014-0185). A flaw was found in the way file last seen 2020-06-01 modified 2020-06-02 plugin id 82333 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82333 title Mandriva Linux Security Advisory : php (MDVSA-2015:080) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4255.NASL description **19 Mar 2015, PHP 5.6.7** Core : - Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence) - Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence) - Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net) - Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike) - Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com) - Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus) - Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com) - Fixed bug #68976 (Use After Free Vulnerability in unserialize()) (CVE-2015-0231). (Stas) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) CGI : - Fixed bug #69015 (php-cgi last seen 2020-06-05 modified 2015-03-27 plugin id 82284 published 2015-03-27 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82284 title Fedora 22 : php-5.6.7-2.fc22 (2015-4255) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2015-506.NASL description A use-after-free flaw was found in the way PHP last seen 2020-06-01 modified 2020-06-02 plugin id 82834 published 2015-04-17 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82834 title Amazon Linux AMI : php54 (ALAS-2015-506) NASL family Web Servers NASL id HPSMH_7_5.NASL description According to the web server last seen 2020-06-01 modified 2020-06-02 plugin id 84923 published 2015-07-22 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/84923 title HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4559.NASL description Security fix for CVE-2015-2331. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-04-03 plugin id 82550 published 2015-04-03 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82550 title Fedora 22 : mingw-libzip-0.11.2-3.fc22 (2015-4559) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_742563D4D77611E4B5954061861086C1.NASL description The PHP project reports : The PHP development team announces the immediate availability of PHP 5.6.7. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.6 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.5.23. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.5 users are encouraged to upgrade to this version. The PHP development team announces the immediate availability of PHP 5.4.39. Six security-related bugs were fixed in this release, including CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.4 users are encouraged to upgrade to this version. last seen 2020-06-01 modified 2020-06-02 plugin id 82514 published 2015-04-02 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82514 title FreeBSD : Several vulnerabilities found in PHP (742563d4-d776-11e4-b595-4061861086c1) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4553.NASL description CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-04-17 plugin id 82840 published 2015-04-17 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82840 title Fedora 22 : libzip-0.11.2-5.fc22 (2015-4553) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4556.NASL description CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-04-22 plugin id 82937 published 2015-04-22 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82937 title Fedora 20 : libzip-0.11.2-5.fc20 (2015-4556) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-212.NASL description CVE-2014-9705 Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries. CVE-2015-0232 The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. CVE-2015-2301 Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file. CVE-2015-2331 Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow. CVE-2015-2783 Buffer Over-read in unserialize when parsing Phar CVE-2015-2787 Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231. CVE-2015-3329 Buffer Overflow when parsing tar/zip/phar in phar_set_inode) CVE-2015-3330 PHP potential remote code execution with apache 2.4 apache2handler CVE-2015-temp-68819 denial of service when processing a crafted file with Fileinfo NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-04-30 plugin id 83144 published 2015-04-30 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83144 title Debian DLA-212-1 : php5 security update NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-079.NASL description Multiple vulnerabilities has been discovered and corrected in php : S. Paraschoudis discovered that PHP incorrectly handled memory in the enchant binding. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-9705). Taoguang Chen discovered that PHP incorrectly handled unserializing objects. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-0273). It was discovered that PHP incorrectly handled memory in the phar extension. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-2301). Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142 (CVE-2015-0231). An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code (CVE-2015-2331). It was discovered that the PHP opcache component incorrectly handled memory. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1351). It was discovered that the PHP PostgreSQL database extension incorrectly handled certain pointers. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2015-1352). The updated php packages have been patched and upgraded to the 5.5.23 version which is not vulnerable to these issues. The libzip packages has been patched to address the CVE-2015-2331 flaw. Additionally the php-xdebug package has been upgraded to the latest 2.3.2 and the PECL packages which requires so has been rebuilt for php-5.5.23. last seen 2020-06-01 modified 2020-06-02 plugin id 82332 published 2015-03-30 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82332 title Mandriva Linux Security Advisory : php (MDVSA-2015:079) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4699.NASL description CVE-2015-2331: integer overflow when processing ZIP archives (#1204676,#1204677) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-04-22 plugin id 82942 published 2015-04-22 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82942 title Fedora 21 : libzip-0.11.2-5.fc21 (2015-4699) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0668-1.NASL description Libzip was updated to fix one security issue. A zip file with an unusually large number of entries could have caused an integer overflow leading to a write past the heap boundary, crashing the application. (CVE-2015-2331 bnc#923240) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 83711 published 2015-05-20 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83711 title SUSE SLED12 / SLES12 Security Update : libzip (SUSE-SU-2015:0668-1) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4565.NASL description Security fix for CVE-2015-2331. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-04-07 plugin id 82604 published 2015-04-07 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82604 title Fedora 21 : mingw-libzip-0.11.2-3.fc21 (2015-4565) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3198.NASL description Multiple vulnerabilities have been discovered in the PHP language : - CVE-2015-2301 Use-after-free in the phar extension. - CVE-2015-2331 Emmanuel Law discovered an integer overflow in the processing of ZIP archives, resulting in denial of service or potentially the execution of arbitrary code. last seen 2020-03-17 modified 2015-03-23 plugin id 81982 published 2015-03-23 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81982 title Debian DSA-3198-1 : php5 - security update NASL family Fedora Local Security Checks NASL id FEDORA_2015-4669.NASL description Security fix for CVE-2015-2331. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-04-07 plugin id 82607 published 2015-04-07 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82607 title Fedora 20 : mingw-libzip-0.11.2-3.fc20 (2015-4669) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2015-507.NASL description A use-after-free flaw was found in the way PHP last seen 2020-06-01 modified 2020-06-02 plugin id 82835 published 2015-04-17 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82835 title Amazon Linux AMI : php55 (ALAS-2015-507) NASL family CGI abuses NASL id PHP_5_5_23.NASL description According to its banner, the version of PHP 5.5.x installed on the remote host is prior to 5.5.23. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function last seen 2020-06-01 modified 2020-06-02 plugin id 82026 published 2015-03-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82026 title PHP 5.5.x < 5.5.23 Multiple Vulnerabilities NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2015-508.NASL description A use-after-free flaw was found in the way PHP last seen 2020-06-01 modified 2020-06-02 plugin id 82836 published 2015-04-17 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82836 title Amazon Linux AMI : php56 (ALAS-2015-508) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4236.NASL description **19 Mar 2015, PHP 5.6.7** Core : - Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence) - Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence) - Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net) - Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike) - Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com) - Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus) - Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com) - Fixed bug #68976 (Use After Free Vulnerability in unserialize()) (CVE-2015-0231). (Stas) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) CGI : - Fixed bug #69015 (php-cgi last seen 2020-06-05 modified 2015-03-31 plugin id 82435 published 2015-03-31 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82435 title Fedora 21 : php-5.6.7-1.fc21 (2015-4236) NASL family Fedora Local Security Checks NASL id FEDORA_2015-4216.NASL description **19 Mar 2015, PHP 5.5.23** Core : - Fixed bug #69174 (leaks when unused inner class use traits precedence). (Laruence) - Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). (Laruence) - Fixed bug #69121 (Segfault in get_current_user when script owner is not in passwd with ZTS build). (dan at syneto dot net) - Fixed bug #65593 (Segfault when calling ob_start from output buffering callback). (Mike) - Fixed bug #69017 (Fail to push to the empty array with the constant value defined in class scope). (Laruence) - Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file not validated in memory.c). (nayana at ddproperty dot com) - Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus) - Fixed bug #69141 (Missing arguments in reflection info for some builtin functions). (kostyantyn dot lysyy at oracle dot com) - Fixed bug #68976 (Use After Free Vulnerability in unserialize()). (Stas) - Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) - Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) CGI : - Fixed bug #69015 (php-cgi last seen 2020-06-05 modified 2015-04-03 plugin id 82545 published 2015-04-03 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82545 title Fedora 20 : php-5.5.23-1.fc20 (2015-4216) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_264749AED56511E4B54500269EE29E57.NASL description libzip developers report : Avoid integer overflow. Fixed similarly to patch used in PHP copy of libzip. last seen 2020-06-01 modified 2020-06-02 plugin id 82313 published 2015-03-30 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82313 title FreeBSD : libzip -- integer overflow (264749ae-d565-11e4-b545-00269ee29e57) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-265.NASL description Libzip was updated to fix one security issue. A zip file with an unusually large number of entries could have caused an integer overflow leading to a write past the heap boundary, crashing the application. (CVE-2015-2331 bnc#923240) last seen 2020-06-05 modified 2015-03-30 plugin id 82423 published 2015-03-30 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/82423 title openSUSE Security Update : libzip (openSUSE-2015-265) NASL family CGI abuses NASL id PHP_5_4_39.NASL description According to its banner, the version of PHP 5.4.x installed on the remote host is prior to 5.4.39. It is, therefore, affected by multiple vulnerabilities : - A use-after-free error exists related to function last seen 2020-06-01 modified 2020-06-02 plugin id 82025 published 2015-03-24 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/82025 title PHP 5.4.x < 5.4.39 Multiple Vulnerabilities
References
- https://bugs.php.net/bug.php?id=69253
- http://hg.nih.at/libzip/rev/9f11d54f692e
- http://php.net/ChangeLog-5.php
- http://lists.opensuse.org/opensuse-updates/2015-03/msg00083.html
- http://www.debian.org/security/2015/dsa-3198
- http://www.securitytracker.com/id/1031985
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153983.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154266.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154276.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:079
- https://support.apple.com/HT205267
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://marc.info/?l=bugtraq&m=143403519711434&w=2
- http://marc.info/?l=bugtraq&m=143748090628601&w=2
- http://marc.info/?l=bugtraq&m=144050155601375&w=2
- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154666.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155299.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155622.html
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5