Vulnerabilities > CVE-2016-5096 - Integer Overflow or Wraparound vulnerability in PHP
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
LOW Availability impact
HIGH Summary
Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-707.NASL description The following security-related issues were resolved : Out-of-bounds read in imagescale (CVE-2013-7456) Integer underflow causing arbitrary null write in fread/gzread (CVE-2016-5096) The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive. (CVE-2016-4343) Integer overflow in php_html_entities() (CVE-2016-5094) Integer overflow in php_filter_full_special_chars() (CVE-2016-5095) Out-of-bounds heap read in get_icu_value_internal (CVE-2016-5093) (Updated 2016-06-15: CVE-2016-5095 was fixed in this version, but was not previously listed in this errata.) last seen 2020-06-01 modified 2020-06-02 plugin id 91466 published 2016-06-06 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91466 title Amazon Linux AMI : php55 (ALAS-2016-707) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2016-707. # include("compat.inc"); if (description) { script_id(91466); script_version("2.8"); script_cvs_date("Date: 2018/04/18 15:09:36"); script_cve_id("CVE-2013-7456", "CVE-2016-4343", "CVE-2016-5093", "CVE-2016-5094", "CVE-2016-5095", "CVE-2016-5096"); script_xref(name:"ALAS", value:"2016-707"); script_name(english:"Amazon Linux AMI : php55 (ALAS-2016-707)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "The following security-related issues were resolved : Out-of-bounds read in imagescale (CVE-2013-7456) Integer underflow causing arbitrary null write in fread/gzread (CVE-2016-5096) The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive. (CVE-2016-4343) Integer overflow in php_html_entities() (CVE-2016-5094) Integer overflow in php_filter_full_special_chars() (CVE-2016-5095) Out-of-bounds heap read in get_icu_value_internal (CVE-2016-5093) (Updated 2016-06-15: CVE-2016-5095 was fixed in this version, but was not previously listed in this errata.)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2016-707.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update php55' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mssql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php55-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/06/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"php55-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-bcmath-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-cli-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-common-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-dba-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-debuginfo-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-devel-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-embedded-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-enchant-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-fpm-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-gd-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-gmp-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-imap-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-intl-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-ldap-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mbstring-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mcrypt-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mssql-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-mysqlnd-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-odbc-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-opcache-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-pdo-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-pgsql-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-process-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-pspell-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-recode-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-snmp-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-soap-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-tidy-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-xml-5.5.36-1.115.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php55-xmlrpc-5.5.36-1.115.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php55 / php55-bcmath / php55-cli / php55-common / php55-dba / etc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2016-B967AC1A74.NASL description 26 May 2016, **PHP 5.6.22** **Core:** - Fixed bug #72172 (zend_hex_strtod should not use strlen). (bwitz at hotmail dot com ) - Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (Stas) - Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas) **GD:** - Fixed bug #72227 (imagescale out-of-bounds read). (Stas) **Intl:** - Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol) - Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas) **Postgres:** - Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-14 plugin id 92149 published 2016-07-14 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92149 title Fedora 24 : php (2016-b967ac1a74) NASL family CGI abuses NASL id PHP_5_5_36.NASL description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.36. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the _gdContributionsCalc() function within file ext/gd/libgd/gd_interpolation.c. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2013-7456) - An uninitialized pointer flaw exists in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) - An out-of-bounds read error exists in the get_icu_value_internal() function within file ext/intl/locale/locale_methods.c due to improper handling of user-supplied input. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2016-5093) - An integer overflow condition exists in the php_html_entities() and php_filter_full_special_chars() functions within file ext/standard/html.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-5094) - An integer underflow condition exists in file ext/standard/file.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a NULL write, resulting in crashing the process linked against the library. (CVE-2016-5096) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 91441 published 2016-06-02 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91441 title PHP 5.5.x < 5.5.36 Multiple Vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3045-1.NASL description It was discovered that PHP incorrectly handled certain SplMinHeap::compare operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-4116) It was discovered that PHP incorrectly handled recursive method calls. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8873) It was discovered that PHP incorrectly validated certain Exception objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8876) It was discovered that PHP header() function performed insufficient filtering for Internet Explorer. A remote attacker could possibly use this issue to perform a XSS attack. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2015-8935) It was discovered that PHP incorrectly handled certain locale operations. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5093) It was discovered that the PHP php_html_entities() function incorrectly handled certain string lengths. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5094, CVE-2016-5095) It was discovered that the PHP fread() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5096) It was discovered that the PHP FastCGI Process Manager (FPM) SAPI incorrectly handled memory in the access logging feature. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly expose sensitive information. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5114) It was discovered that PHP would not protect applications from contents of the HTTP_PROXY environment variable when based on the contents of the Proxy header from HTTP requests. A remote attacker could possibly use this issue in combination with scripts that honour the HTTP_PROXY variable to redirect outgoing HTTP requests. (CVE-2016-5385) Hans Jerry Illikainen discovered that the PHP bzread() function incorrectly performed error handling. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-5399) It was discovered that certain PHP multibyte string functions incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-5768) It was discovered that the PHP Mcrypt extension incorrectly handled memory. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5769) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing malicious data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue was only addressed in Ubuntu Ubuntu 14.04 LTS. (CVE-2016-5771, CVE-2016-5773) It was discovered that PHP incorrectly handled memory when unserializing malicious xml data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-5772) It was discovered that the PHP php_url_parse_ex() function incorrectly handled string termination. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2016-6288) It was discovered that PHP incorrectly handled path lengths when extracting certain Zip archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6289) It was discovered that PHP incorrectly handled session deserialization. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6290) It was discovered that PHP incorrectly handled exif headers when processing certain JPEG images. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6291, CVE-2016-6292) It was discovered that PHP incorrectly handled certain locale operations. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6294) It was discovered that the PHP garbage collector incorrectly handled certain objects when unserializing SNMP data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6295) It was discovered that the PHP xmlrpc_encode_request() function incorrectly handled certain lengths. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6296) It was discovered that the PHP php_stream_zip_opener() function incorrectly handled memory. An attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-6297). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 92699 published 2016-08-03 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92699 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : php5, php7.0 vulnerabilities (USN-3045-1) (httpoxy) NASL family Fedora Local Security Checks NASL id FEDORA_2016-6B1938566F.NASL description 26 May 2016, **PHP 5.6.22** **Core:** - Fixed bug #72172 (zend_hex_strtod should not use strlen). (bwitz at hotmail dot com ) - Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (Stas) - Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas) **GD:** - Fixed bug #72227 (imagescale out-of-bounds read). (Stas) **Intl:** - Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol) - Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas) **Postgres:** - Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-14 plugin id 92106 published 2016-07-14 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92106 title Fedora 23 : php (2016-6b1938566f) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-703.NASL description This update for php5 fixes the following issues : - CVE-2013-7456: imagescale out-of-bounds read (bnc#982009). - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don last seen 2020-06-05 modified 2016-06-14 plugin id 91585 published 2016-06-14 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91585 title openSUSE Security Update : php5 (openSUSE-2016-703) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1633-1.NASL description This update for php5 fixes the following issues : - CVE-2013-7456: imagescale out-of-bounds read (bnc#982009). - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don last seen 2020-06-01 modified 2020-06-02 plugin id 93160 published 2016-08-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93160 title SUSE SLED12 / SLES12 Security Update : php5 (SUSE-SU-2016:1633-1) NASL family Firewalls NASL id PFSENSE_SA-16_08.NASL description According to its self-reported version number, the remote pfSense install is prior to 2.3.1-p5. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories. last seen 2020-06-01 modified 2020-06-02 plugin id 106502 published 2018-01-31 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106502 title pfSense < 2.3.1-p5 Multiple Vulnerabilities (SA-16_07 / SA-16_08) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1638-1.NASL description This update for php53 to version 5.3.17 fixes the following issues : These security issues were fixed : - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don last seen 2020-06-01 modified 2020-06-02 plugin id 93161 published 2016-08-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93161 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1638-1) (BACKRONYM) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-776.NASL description This update for php5 fixes the following issues : - CVE-2013-7456: imagescale out-of-bounds read (bnc#982009). - CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010). - CVE-2016-5094: Don last seen 2020-06-05 modified 2016-06-28 plugin id 91869 published 2016-06-28 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91869 title openSUSE Security Update : php5 (openSUSE-2016-776) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1795.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.(CVE-2015-8865) - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.(CVE-2016-4537) - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.(CVE-2016-4538) - Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument.(CVE-2016-5096) - An out-of-bounds write flaw was found in the fpm_log_write() logging function of PHP last seen 2020-05-06 modified 2019-08-23 plugin id 128087 published 2019-08-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128087 title EulerOS 2.0 SP5 : php (EulerOS-SA-2019-1795) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL43449212.NASL description Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument. (CVE-2016-5096) last seen 2020-06-01 modified 2020-06-02 plugin id 92959 published 2016-08-15 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92959 title F5 Networks BIG-IP : PHP vulnerability (K43449212) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1865.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds write flaw was found in the fpm_log_write() logging function of PHP last seen 2020-05-08 modified 2019-09-17 plugin id 128917 published 2019-09-17 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128917 title EulerOS 2.0 SP2 : php (EulerOS-SA-2019-1865) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_6B110175246D11E68DD3002590263BF5.NASL description The PHP Group reports : - Core : - Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (CVE-2016-5096) (PHP 5.5/5.6 only) - Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094) (PHP 5.5/5.6 only) - GD : - Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456) - Intl : - Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (CVE-2016-5093) - Phar : - Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). (CVE-2016-4343) (PHP 5.5 only) last seen 2020-06-01 modified 2020-06-02 plugin id 91373 published 2016-05-31 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91373 title FreeBSD : php -- multiple vulnerabilities (6b110175-246d-11e6-8dd3-002590263bf5) NASL family MacOS X Local Security Checks NASL id MACOSX_10_11_6.NASL description The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.6. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php - Audio - bsdiff - CFNetwork - CoreGraphics - FaceTime - Graphics Drivers - ImageIO - Intel Graphics Driver - IOHIDFamily - IOKit - IOSurface - Kernel - libc++abi - libexpat - LibreSSL - libxml2 - libxslt - Login Window - OpenSSL - QuickTime - Safari Login AutoFill - Sandbox Profiles Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 92496 published 2016-07-21 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92496 title Mac OS X 10.11.x < 10.11.6 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3602.NASL description Several vulnerabilities were found in PHP, a general-purpose scripting language commonly used for web application development. The vulnerabilities are addressed by upgrading PHP to the new upstream version 5.6.22, which includes additional bug fixes. Please refer to the upstream changelog for more information : - https://php.net/ChangeLog-5.php#5.6.21 - https://php.net/ChangeLog-5.php#5.6.22 last seen 2020-06-01 modified 2020-06-02 plugin id 91615 published 2016-06-15 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91615 title Debian DSA-3602-1 : php5 - security update NASL family Fedora Local Security Checks NASL id FEDORA_2016-65F1FFDC0C.NASL description 26 May 2016, **PHP 5.6.22** **Core:** - Fixed bug #72172 (zend_hex_strtod should not use strlen). (bwitz at hotmail dot com ) - Fixed bug #72114 (Integer underflow / arbitrary null write in fread/gzread). (Stas) - Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas) **GD:** - Fixed bug #72227 (imagescale out-of-bounds read). (Stas) **Intl:** - Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol) - Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas) **Postgres:** - Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-14 plugin id 92104 published 2016-07-14 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92104 title Fedora 22 : php (2016-65f1ffdc0c) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-706.NASL description The following security-related issues were resolved : Out-of-bounds read in imagescale (CVE-2013-7456) Integer underflow causing arbitrary null write in fread/gzread (CVE-2016-5096) Integer overflow in php_html_entities() (CVE-2016-5094) Integer overflow in php_filter_full_special_chars() (CVE-2016-5095) Out-of-bounds heap read in get_icu_value_internal (CVE-2016-5093) (Updated 2016-06-15: CVE-2016-5095 was fixed in this version, but was not previously listed in this errata.) last seen 2020-06-01 modified 2020-06-02 plugin id 91465 published 2016-06-06 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91465 title Amazon Linux AMI : php56 (ALAS-2016-706) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-148-03.NASL description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 91355 published 2016-05-31 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91355 title Slackware 14.0 / 14.1 / current : php (SSA:2016-148-03) NASL family CGI abuses NASL id PHP_5_6_22.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.22. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the _gdContributionsCalc() function within file ext/gd/libgd/gd_interpolation.c. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2013-7456) - An out-of-bounds read error exists in the get_icu_value_internal() function within file ext/intl/locale/locale_methods.c due to improper handling of user-supplied input. An unauthenticated, remote attacker can exploit this to disclose sensitive information or crash the process linked against the library. (CVE-2016-5093) - An integer overflow condition exists in the php_html_entities() and php_filter_full_special_chars() functions within file ext/standard/html.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-5094) - An integer underflow condition exists in file ext/standard/file.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a NULL write, resulting in crashing the process linked against the library. (CVE-2016-5096) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 91442 published 2016-06-02 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91442 title PHP 5.6.x < 5.6.22 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1581-1.NASL description This update for php53 fixes the following issues : - CVE-2016-5093: A get_icu_value_internal out-of-bounds read could crash the php interpreter (bsc#982010) - CVE-2016-5094,CVE-2016-5095: Don last seen 2020-06-01 modified 2020-06-02 plugin id 91665 published 2016-06-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91665 title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:1581-1) NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2016-004.NASL description The remote host is running a version of Mac OS X that is 10.9.5 or 10.10.5 and is missing Security Update 2016-004. It is, therefore, affected by multiple vulnerabilities in the following components : - apache_mod_php (affects 10.10.5 only) - CoreGraphics - ImageIO - libxml2 - libxslt Note that successful exploitation of the most serious issues can result in arbitrary code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 92497 published 2016-07-21 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92497 title Mac OS X 10.9.5 and 10.10.5 Multiple Vulnerabilities (Security Update 2016-004) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-533.NASL description - CVE-2016-5093.patch Absence of null character causes unexpected zend_string length and leaks heap memory. The test script uses locale_get_primary_language to reach get_icu_value_internal but there are some other functions that also trigger this issue: locale_canonicalize, locale_filter_matches, locale_lookup, locale_parse - CVE-2016-5094.patch don last seen 2020-03-17 modified 2016-07-01 plugin id 91900 published 2016-07-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91900 title Debian DLA-533-1 : php5 security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2043.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11040) - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11042) - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11041) - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867) - A flaw was found in the way the way PHP last seen 2020-05-08 modified 2019-09-24 plugin id 129236 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129236 title EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2043) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-628.NASL description - CVE-2016-4473.patch An invalid free may occur under certain conditions when processing phar-compatible archives. - CVE-2016-4538.patch The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. (already fixed with patch for CVE-2016-4537) - CVE-2016-5114.patch sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging. - CVE-2016-5399.patch Improper error handling in bzread() - CVE-2016-5768.patch Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception. - CVE-2016-5769.patch Multiple integer overflows in mcrypt.c in the mcrypt extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allow remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted length value, related to the (1) mcrypt_generic and (2) mdecrypt_generic functions. - CVE-2016-5770.patch Integer overflow in the SplFileObject::fread function in spl_directory.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer argument, a related issue to CVE-2016-5096. - CVE-2016-5771.patch spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data. - CVE-2016-5772.patch Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call. - CVE-2016-5773.patch php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. - CVE-2016-6289.patch Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. - CVE-2016-6290.patch ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. - CVE-2016-6291.patch The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. - CVE-2016-6292.patch The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image. - CVE-2016-6294.patch The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument. - CVE-2016-6295.patch ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773. - CVE-2016-6296.patch Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function. - CVE-2016-6297.patch Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. - BUG-70436.patch Use After Free Vulnerability in unserialize() - BUG-72681.patch PHP Session Data Injection Vulnerability, consume data even if we last seen 2020-03-17 modified 2016-09-19 plugin id 93568 published 2016-09-19 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93568 title Debian DLA-628-1 : php5 security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1928.NASL description According to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way the way PHP last seen 2020-06-01 modified 2020-06-02 plugin id 128931 published 2019-09-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128931 title EulerOS Virtualization for ARM 64 3.0.2.0 : php (EulerOS-SA-2019-1928)
Redhat
advisories |
| ||||
rpms |
|
References
- https://bugs.php.net/bug.php?id=72114
- http://php.net/ChangeLog-5.php
- http://www.openwall.com/lists/oss-security/2016/05/26/3
- https://github.com/php/php-src/commit/abd159cce48f3e34f08e4751c568e09677d5ec9c?w=1
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- http://www.debian.org/security/2016/dsa-3602
- http://www.securityfocus.com/bid/90861
- http://rhn.redhat.com/errata/RHSA-2016-2750.html