Vulnerabilities > CVE-2017-9226 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
oniguruma-project
php
CWE-787
critical
nessus

Summary

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of '\700' would produce an invalid code point value larger than 0xff in next_state_val(), resulting in an out-of-bounds write memory corruption.

Vulnerable Configurations

Part Description Count
Application
Oniguruma_Project
1
Application
Php
926

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-B8BB4B86E2.NASL
    description**PHP version 7.1.7** (06 Jul 2017) **Core:** - Fixed bug php#74738 (Multiple [PATH=] and [HOST=] sections not properly parsed). (Manuel Mausz) - Fixed bug php#74658 (Undefined constants in array properties result in broken properties). (Laruence) - Fixed misparsing of abstract unix domain socket names. (Sara) - Fixed bug php#74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability). (Stas) - Fixed bug php#74101, bug php#74614 (Unserialize Heap Use-After-Free (READ: 1) in zval_get_type). (Nikita) - Fixed bug php#74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize). (Nikita) - Fixed bug php#74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()). (Derick) **Date:** - Fixed bug php#74639 (implement clone for DatePeriod and DateInterval). (andrewnester) **DOM:** - Fixed bug php#69373 (References to deleted XPath query results). (ttoohey) **Intl:** - Fixed bug php#73473 (Stack Buffer Overflow in msgfmt_parse_message). (libnex) - Fixed bug php#74705 (Wrong reflection on Collator::getSortKey and collator_get_sort_key). (Tyson Andre, Remi) **Mbstring:** - Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229) (Remi, Mamoru TASAKA) **Opcache:** - Fixed bug php#74663 (Segfault with opcache.memory_protect and validate_timestamp). (Laruence) - Revert opcache.enable_cli to default disabled. (Nikita) **OpenSSL:** - Fixed bug php#74720 (pkcs7_en/decrypt does not work if \x1a is used in content). (Anatol) - Fixed bug php#74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()). (Stas) **Reflection:** - Fixed bug php#74673 (Segfault when cast Reflection object to string with undefined constant). (Laruence) **SPL:** - Fixed bug php#74478 (null coalescing operator failing with SplFixedArray). (jhdxr) **FTP:** - Fixed bug php#74598 (ftp:// wrapper ignores context arg). (Sara) **PHAR:** - Fixed bug php#74386 (Phar::__construct reflection incorrect). (villfa) **SOAP** - Fixed bug php#74679 (Incorrect conversion array with WSDL_CACHE_MEMORY). (Dmitry) **Streams:** - Fixed bug php#74556 (stream_socket_get_name() returns
    last seen2020-06-05
    modified2017-07-19
    plugin id101797
    published2017-07-19
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101797
    titleFedora 26 : php (2017-b8bb4b86e2)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-b8bb4b86e2.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101797);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229");
      script_xref(name:"FEDORA", value:"2017-b8bb4b86e2");
    
      script_name(english:"Fedora 26 : php (2017-b8bb4b86e2)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "**PHP version 7.1.7** (06 Jul 2017)
    
    **Core:**
    
      - Fixed bug php#74738 (Multiple [PATH=] and [HOST=]
        sections not properly parsed). (Manuel Mausz)
    
      - Fixed bug php#74658 (Undefined constants in array
        properties result in broken properties). (Laruence)
    
      - Fixed misparsing of abstract unix domain socket names.
        (Sara)
    
      - Fixed bug php#74603 (PHP INI Parsing Stack Buffer
        Overflow Vulnerability). (Stas)
    
      - Fixed bug php#74101, bug php#74614 (Unserialize Heap
        Use-After-Free (READ: 1) in zval_get_type). (Nikita)
    
      - Fixed bug php#74111 (Heap buffer overread (READ: 1)
        finish_nested_data from unserialize). (Nikita)
    
      - Fixed bug php#74819 (wddx_deserialize() heap
        out-of-bound read via php_parse_date()). (Derick)
    
    **Date:**
    
      - Fixed bug php#74639 (implement clone for DatePeriod and
        DateInterval). (andrewnester)
    
    **DOM:**
    
      - Fixed bug php#69373 (References to deleted XPath query
        results). (ttoohey)
    
    **Intl:**
    
      - Fixed bug php#73473 (Stack Buffer Overflow in
        msgfmt_parse_message). (libnex)
    
      - Fixed bug php#74705 (Wrong reflection on
        Collator::getSortKey and collator_get_sort_key). (Tyson
        Andre, Remi)
    
    **Mbstring:**
    
      - Add oniguruma upstream fix (CVE-2017-9224,
        CVE-2017-9226, CVE-2017-9227, CVE-2017-9228,
        CVE-2017-9229) (Remi, Mamoru TASAKA)
    
    **Opcache:**
    
      - Fixed bug php#74663 (Segfault with
        opcache.memory_protect and validate_timestamp).
        (Laruence)
    
      - Revert opcache.enable_cli to default disabled. (Nikita)
    
    **OpenSSL:**
    
      - Fixed bug php#74720 (pkcs7_en/decrypt does not work if
        \x1a is used in content). (Anatol)
    
      - Fixed bug php#74651 (negative-size-param (-1) in memcpy
        in zif_openssl_seal()). (Stas)
    
    **Reflection:**
    
      - Fixed bug php#74673 (Segfault when cast Reflection
        object to string with undefined constant). (Laruence)
    
    **SPL:**
    
      - Fixed bug php#74478 (null coalescing operator failing
        with SplFixedArray). (jhdxr)
    
    **FTP:**
    
      - Fixed bug php#74598 (ftp:// wrapper ignores context
        arg). (Sara)
    
    **PHAR:**
    
      - Fixed bug php#74386 (Phar::__construct reflection
        incorrect). (villfa)
    
    **SOAP**
    
      - Fixed bug php#74679 (Incorrect conversion array with
        WSDL_CACHE_MEMORY). (Dmitry)
    
    **Streams:**
    
      - Fixed bug php#74556 (stream_socket_get_name() returns
        '\0'). (Sara)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-b8bb4b86e2"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"php-7.1.7-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
    }
    
  • NASL familyCGI abuses
    NASL idPHP_5_6_31.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.31. It is, therefore, affected by the following vulnerabilities : - An out-of-bounds read error exists in the PCRE library in the compile_bracket_matchingpath() function within file pcre_jit_compile.c. An unauthenticated, remote attacker can exploit this, via a specially crafted regular expression, to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-6004) - An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-7890) - An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224) - An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226) - An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227) - An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228) - An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-9229) - A denial of service condition exists in PHP when handling overlarge POST requests. An unauthenticated, remote attacker can exploit this to exhaust available CPU resources. (CVE-2017-11142) - An extended invalid free error exists in PHP in the php_wddx_push_element() function within file ext/wddx/wddx.c when parsing empty boolean tags. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-11143) - A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of
    last seen2020-06-01
    modified2020-06-02
    plugin id101525
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101525
    titlePHP 5.6.x < 5.6.31 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101525);
      script_version("1.14");
      script_cvs_date("Date: 2019/03/04 18:17:59");
    
      script_cve_id(
        "CVE-2017-6004",
        "CVE-2017-7890",
        "CVE-2017-9224",
        "CVE-2017-9226",
        "CVE-2017-9227",
        "CVE-2017-9228",
        "CVE-2017-9229",
        "CVE-2017-11142",
        "CVE-2017-11143",
        "CVE-2017-11144",
        "CVE-2017-11145",
        "CVE-2017-11628",
        "CVE-2017-12933"
      );
      script_bugtraq_id(
        96295,
        99489,
        99490,
        99492,
        99501,
        99550,
        99553,
        99601,
        99605,
        100320,
        100538,
        101244
      );
    
      script_name(english:"PHP 5.6.x < 5.6.31 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of PHP.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of PHP running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of PHP running on the remote web
    server is 5.6.x prior to 5.6.31. It is, therefore, affected by the
    following vulnerabilities :
    
      - An out-of-bounds read error exists in the PCRE library
        in the compile_bracket_matchingpath() function within
        file pcre_jit_compile.c. An unauthenticated, remote
        attacker can exploit this, via a specially crafted
        regular expression, to crash a process linked to the
        library, resulting in a denial of service condition.
        (CVE-2017-6004)
    
      - An out-of-bounds read error exists in the GD Graphics
        Library (LibGD) in the gdImageCreateFromGifCtx()
        function within file gd_gif_in.c when handling a
        specially crafted GIF file. An unauthenticated, remote
        attacker can exploit this to disclose sensitive memory
        contents or crash a process linked to the library.
        (CVE-2017-7890)
    
      - An out-of-bounds read error exists in Oniguruma in the
        match_at() function within file regexec.c. An
        unauthenticated, remote attacker can exploit this to
        disclose sensitive memory contents or crash a process
        linked to the library. (CVE-2017-9224)
    
      - An out-of-bounds write error exists in Oniguruma in the
        next_state_val() function during regular expression
        compilation. An unauthenticated, remote attacker can
        exploit this to execute arbitrary code. (CVE-2017-9226)
    
      - An out-of-bounds read error exists in Oniguruma in the
        mbc_enc_len() function within file utf8.c. An
        unauthenticated, remote attacker can exploit this to
        disclose memory contents or crash a process linked to
        the library. (CVE-2017-9227)
    
      - An out-of-bounds write error exists in Oniguruma in the
        bitset_set_range() function during regular expression
        compilation. An unauthenticated, remote attacker can
        exploit this to execute arbitrary code. (CVE-2017-9228)
    
      - An invalid pointer deference flaw exists in Oniguruma
        in the left_adjust_char_head() function within file
        regexec.c during regular expression compilation. An
        unauthenticated, remote attacker can exploit this to
        crash a process linked to the library, resulting in a
        denial of service condition. (CVE-2017-9229)
    
      - A denial of service condition exists in PHP when
        handling overlarge POST requests. An unauthenticated,
        remote attacker can exploit this to exhaust available
        CPU resources. (CVE-2017-11142)
    
      - An extended invalid free error exists in PHP in the
        php_wddx_push_element() function within file
        ext/wddx/wddx.c when parsing empty boolean tags.
        An unauthenticated, remote attacker can exploit this to
        cause a denial of service condition. (CVE-2017-11143)
    
      - A flaw exists in OpenSSL in the EVP_SealInit() function
        within file crypto/evp/p_seal.c due to returning an
        undocumented value of '-1'. An unauthenticated, remote
        attacker can exploit this to cause an unspecified
        impact. (CVE-2017-11144)
    
      - An out-of-bounds read error exists in PHP in the
        php_parse_date() function within file
        ext/date/lib/parse_date.c. An unauthenticated, remote
        attacker can exploit this to disclose memory contents or
        cause a denial of service condition.
        (CVE-2017-11145)
    
      - An out-of-bounds read error exists in PHP in the
        finish_nested_data() function within file
        ext/standard/var_unserializer.re. An unauthenticated,
        remote attacker can exploit this to disclose memory
        contents or cause a denial of service condition.
    
      - An off-by-one overflow condition exists in PHP in the
        INI parsing API, specifically in the zend_ini_do_op()
        function within file Zend/zend_ini_parser.y, due to
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code.
    
      - A Heap buffer overread flaw in finish_nested_data
        while unserializing untrusted data could lead to an
        unspecified impact on the integrity of PHP.
        (CVE-2017-12933)
    
      - A stack-based buffer overflow in the zend_ini_do_op()
        function in Zend/zend_ini_parser.c could cause a denial
        of service or potentially allow executing code.
        (CVE-2017-11628)
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number."
    );
      script_set_attribute(attribute:"see_also", value:"http://www.php.net/ChangeLog-5.php#5.6.31");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 5.6.31 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-9224");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("php_version.nasl");
      script_require_keys("www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    port = get_http_port(default:80, php:TRUE);
    
    php = get_php_from_kb(
      port : port,
      exit_on_fail : TRUE
    );
    
    version = php["ver"];
    source = php["src"];
    
    backported = get_kb_item('www/php/'+port+'/'+version+'/backported');
    
    if (report_paranoia < 2 && backported)
      audit(AUDIT_BACKPORT_SERVICE, port, "PHP "+version+" install");
    
    # Check that it is the correct version of PHP
    if (version =~ "^5(\.6)?$") audit(AUDIT_VER_NOT_GRANULAR, "PHP", port, version);
    if (version !~ "^5\.6\.") audit(AUDIT_NOT_DETECT, "PHP version 5.6.x", port);
    
    fix = "5.6.31";
    if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      report =
        '\n  Version source    : ' + source +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "PHP", port, version);
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1662-1.NASL
    descriptionThis update for php5 fixes the following security issues : - CVE-2016-6294: The locale_accept_from_http function in ext/intl/locale/locale_methods.c did not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (bsc#1035111). - CVE-2017-9227: A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. (bsc#1040883) - CVE-2017-9226: A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. (bsc#1040889) - CVE-2017-9224: A stack out-of-bounds read occurs in match_at() during regular expression searching. (bsc#1040891) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-24
    modified2019-01-02
    plugin id119999
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119999
    titleSUSE SLES12 Security Update : php5 (SUSE-SU-2017:1662-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:1662-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119999);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/23");
    
      script_cve_id("CVE-2016-6294", "CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227");
    
      script_name(english:"SUSE SLES12 Security Update : php5 (SUSE-SU-2017:1662-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for php5 fixes the following security issues :
    
      - CVE-2016-6294: The locale_accept_from_http function in
        ext/intl/locale/locale_methods.c did not properly
        restrict calls to the ICU uloc_acceptLanguageFromHTTP
        function, which allowed remote attackers to cause a
        denial of service (out-of-bounds read) or possibly have
        unspecified other impact via a call with a long argument
        (bsc#1035111).
    
      - CVE-2017-9227: A stack out-of-bounds read occurs in
        mbc_enc_len() during regular expression searching.
        (bsc#1040883)
    
      - CVE-2017-9226: A heap out-of-bounds write or read occurs
        in next_state_val() during regular expression
        compilation. (bsc#1040889)
    
      - CVE-2017-9224: A stack out-of-bounds read occurs in
        match_at() during regular expression searching.
        (bsc#1040891)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040889"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040891"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-6294/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9224/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9226/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9227/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20171662-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?fcca347d"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 12-SP2:zypper in -t
    patch SUSE-SLE-SDK-12-SP2-2017-1030=1
    
    SUSE Linux Enterprise Module for Web Scripting 12:zypper in -t patch
    SUSE-SLE-Module-Web-Scripting-12-2017-1030=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-imap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-phar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-phar-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debugsource-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-imap-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-imap-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-phar-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-phar-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-debuginfo-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-5.5.14-108.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-debuginfo-5.5.14-108.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php5");
    }
    
  • NASL familyCGI abuses
    NASL idPHP_7_0_21.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.21. It is, therefore, affected by the following vulnerabilities : - An out-of-bounds read error exists in the PCRE library in the compile_bracket_matchingpath() function within file pcre_jit_compile.c. An unauthenticated, remote attacker can exploit this, via a specially crafted regular expression, to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-6004) - An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-7890) - An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224) - An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226) - An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227) - An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228) - An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-9229) - A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of
    last seen2020-04-30
    modified2017-07-13
    plugin id101526
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101526
    titlePHP 7.0.x < 7.0.21 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101526);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");
    
      script_cve_id(
        "CVE-2017-6004",
        "CVE-2017-7890",
        "CVE-2017-9224",
        "CVE-2017-9226",
        "CVE-2017-9227",
        "CVE-2017-9228",
        "CVE-2017-9229",
        "CVE-2017-11144",
        "CVE-2017-11145",
        "CVE-2017-11362",
        "CVE-2017-11628",
        "CVE-2017-12933",
        "CVE-2017-12934"
      );
      script_bugtraq_id(
        96295,
        99489,
        99490,
        99492,
        99501,
        100428
      );
    
      script_name(english:"PHP 7.0.x < 7.0.21 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of PHP.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of PHP running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of PHP running on the remote web
    server is 7.0.x prior to 7.0.21. It is, therefore, affected by the
    following vulnerabilities :
    
      - An out-of-bounds read error exists in the PCRE library
        in the compile_bracket_matchingpath() function within
        file pcre_jit_compile.c. An unauthenticated, remote
        attacker can exploit this, via a specially crafted
        regular expression, to crash a process linked to the
        library, resulting in a denial of service condition.
        (CVE-2017-6004)
    
      - An out-of-bounds read error exists in the GD Graphics
        Library (LibGD) in the gdImageCreateFromGifCtx()
        function within file gd_gif_in.c when handling a
        specially crafted GIF file. An unauthenticated, remote
        attacker can exploit this to disclose sensitive memory
        contents or crash a process linked to the library.
        (CVE-2017-7890)
    
      - An out-of-bounds read error exists in Oniguruma in the
        match_at() function within file regexec.c. An
        unauthenticated, remote attacker can exploit this to
        disclose sensitive memory contents or crash a process
        linked to the library. (CVE-2017-9224)
    
      - An out-of-bounds write error exists in Oniguruma in the
        next_state_val() function during regular expression
        compilation. An unauthenticated, remote attacker can
        exploit this to execute arbitrary code. (CVE-2017-9226)
    
      - An out-of-bounds read error exists in Oniguruma in the
        mbc_enc_len() function within file utf8.c. An
        unauthenticated, remote attacker can exploit this to
        disclose memory contents or crash a process linked to
        the library. (CVE-2017-9227)
    
      - An out-of-bounds write error exists in Oniguruma in the
        bitset_set_range() function during regular expression
        compilation. An unauthenticated, remote attacker can
        exploit this to execute arbitrary code. (CVE-2017-9228)
    
      - An invalid pointer deference flaw exists in Oniguruma
        in the left_adjust_char_head() function within file
        regexec.c during regular expression compilation. An
        unauthenticated, remote attacker can exploit this to
        crash a process linked to the library, resulting in a
        denial of service condition. (CVE-2017-9229)
    
      - A flaw exists in OpenSSL in the EVP_SealInit() function
        within file crypto/evp/p_seal.c due to returning an
        undocumented value of '-1'. An unauthenticated, remote
        attacker can exploit this to cause an unspecified
        impact. (CVE-2017-11144)
    
      - An out-of-bounds read error exists in PHP in the
        php_parse_date() function within file
        ext/date/lib/parse_date.c. An unauthenticated, remote
        attacker can exploit this to disclose memory contents or
        cause a denial of service condition. (CVE-2017-11145)
    
      - A stack-based buffer overflow condition exists in PHP
        in the msgfmt_parse_message() function due to improper
        validation of user-supplied input when parsing locale.
        An unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-11362)
    
      - An off-by-one overflow condition exists in PHP in the
        INI parsing API, specifically in the zend_ini_do_op()
        function within file Zend/zend_ini_parser.c, due to
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2017-11628)
    
      - An out-of-bounds read error exists in PHP in the
        finish_nested_data() function within file
        ext/standard/var_unserializer.re. An unauthenticated,
        remote attacker can exploit this to disclose memory
        contents or cause a denial of service condition.
        (CVE-2017-12933)
    
      - A use-after-free error exists in PHP in the
        zval_get_type() function within file
        ext/standard/var_unserializer.c. An unauthenticated,
        remote attacker can exploit this to execute arbitrary
        code. (CVE-2017-12934)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.0.21");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to PHP version 7.0.21 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12933");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("php_version.nasl");
      script_require_keys("www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("vcf.inc");
    include("vcf_extras.inc");
    include("http.inc");
    include("webapp_func.inc");
    
    vcf::php::initialize();
    
    port = get_http_port(default:80, php:TRUE);
    
    app_info = vcf::php::get_app_info(port:port);
    
    constraints = [
      { "min_version" : "7.0.0alpha0", "fixed_version" : "7.0.21" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-EE01A2CED6.NASL
    descriptionMultiple security flaws were found on the previous version of oniguruma. This new version should fix the issue. Fixed CVEs: CVE-2017-9226 CVE-2017-9225 CVE-2017-9224 CVE-2017-9227 CVE-2017-9229 CVE-2017-9228 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101745
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101745
    titleFedora 26 : oniguruma (2017-ee01a2ced6)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-ee01a2ced6.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101745);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-9224", "CVE-2017-9225", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229");
      script_xref(name:"FEDORA", value:"2017-ee01a2ced6");
    
      script_name(english:"Fedora 26 : oniguruma (2017-ee01a2ced6)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple security flaws were found on the previous version of
    oniguruma. This new version should fix the issue. 
    
    Fixed CVEs: CVE-2017-9226 CVE-2017-9225 CVE-2017-9224 CVE-2017-9227
    CVE-2017-9229 CVE-2017-9228
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-ee01a2ced6"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected oniguruma package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:oniguruma");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"oniguruma-6.3.0-1.fc26")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "oniguruma");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-867.NASL
    descriptionOut-of-bounds heap write in bitset_set_range() : An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it
    last seen2020-06-01
    modified2020-06-02
    plugin id102181
    published2017-08-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102181
    titleAmazon Linux AMI : php70 (ALAS-2017-867)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2017-867.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102181);
      script_version("3.4");
      script_cvs_date("Date: 2019/07/10 16:04:12");
    
      script_cve_id("CVE-2017-7890", "CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229");
      script_xref(name:"ALAS", value:"2017-867");
    
      script_name(english:"Amazon Linux AMI : php70 (ALAS-2017-867)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Out-of-bounds heap write in bitset_set_range() :
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
    out-of-bounds write occurs in bitset_set_range() during regular
    expression compilation due to an uninitialized variable from an
    incorrect state transition. An incorrect state transition in
    parse_char_class() could create an execution path that leaves a
    critical local variable uninitialized until it's used as an index,
    resulting in an out-of-bounds write memory corruption. (CVE-2017-9228)
    
    Buffer over-read from unitialized data in gdImageCreateFromGifCtx
    function
    
    The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in
    the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and
    7.x before 7.1.7, does not zero colorMap arrays before use. A
    specially crafted GIF image could use the uninitialized tables to read
    ~700 bytes from the top of the stack, potentially disclosing sensitive
    information. (CVE-2017-7890)
    
    Invalid pointer dereference in left_adjust_char_head() :
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV
    occurs in left_adjust_char_head() during regular expression
    compilation. Invalid handling of reg->dmax in forward_search_range()
    could result in an invalid pointer dereference, normally as an
    immediate denial-of-service condition. (CVE-2017-9229)
    
    Heap buffer overflow in next_state_val() during regular expression
    compilation :
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
    out-of-bounds write or read occurs in next_state_val() during regular
    expression compilation. Octal numbers larger than 0xff are not handled
    correctly in fetch_token() and fetch_token_in_cc(). A malformed
    regular expression containing an octal number in the form of \\700
    would produce an invalid code point value larger than 0xff in
    next_state_val(), resulting in an out-of-bounds write memory
    corruption.(CVE-2017-9226)
    
    Out-of-bounds stack read in mbc_enc_len() during regular expression
    searching :
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
    out-of-bounds read occurs in mbc_enc_len() during regular expression
    searching. Invalid handling of reg->dmin in forward_search_range()
    could result in an invalid pointer dereference, as an out-of-bounds
    read from a stack buffer. (CVE-2017-9227)
    
    Out-of-bounds stack read in match_at() during regular expression
    searching :
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
    out-of-bounds read occurs in match_at() during regular expression
    searching. A logical error involving order of validation and access in
    match_at() could result in an out-of-bounds read from a stack buffer.
    (CVE-2017-9224)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2017-867.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update php70' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-embedded");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-mysqlnd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pdo-dblib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-process");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-zip");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"php70-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-bcmath-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-cli-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-common-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-dba-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-dbg-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-debuginfo-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-devel-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-embedded-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-enchant-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-fpm-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-gd-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-gmp-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-imap-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-intl-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-json-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-ldap-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-mbstring-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-mcrypt-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-mysqlnd-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-odbc-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-opcache-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-pdo-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-pdo-dblib-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-pgsql-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-process-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-pspell-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-recode-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-snmp-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-soap-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-tidy-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-xml-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-xmlrpc-7.0.21-1.23.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php70-zip-7.0.21-1.23.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php70 / php70-bcmath / php70-cli / php70-common / php70-dba / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-958.NASL
    descriptionCVE-2017-9224 An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer. CVE-2017-9226 An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of
    last seen2020-03-17
    modified2017-05-30
    plugin id100478
    published2017-05-30
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100478
    titleDebian DLA-958-1 : libonig security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-958-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100478);
      script_version("3.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229");
    
      script_name(english:"Debian DLA-958-1 : libonig security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "CVE-2017-9224
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
    out-of-bounds read occurs in match_at() during regular expression
    searching. A logical error involving order of validation and access in
    match_at() could result in an out-of-bounds read from a stack buffer.
    
    CVE-2017-9226
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
    out-of-bounds write or read occurs in next_state_val() during regular
    expression compilation. Octal numbers larger than 0xff are not handled
    correctly in fetch_token() and fetch_token_in_cc(). A malformed
    regular expression containing an octal number in the form of '\700'
    would produce an invalid code point value larger than 0xff in
    next_state_val(), resulting in an out-of-bounds write memory
    corruption.
    
    CVE-2017-9227
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
    out-of-bounds read occurs in mbc_enc_len() during regular expression
    searching. Invalid handling of reg-&gt;dmin in forward_search_range()
    could result in an invalid pointer dereference, as an out-of-bounds
    read from a stack buffer.
    
    CVE-2017-9228
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
    out-of-bounds write occurs in bitset_set_range() during regular
    expression compilation due to an uninitialized variable from an
    incorrect state transition. An incorrect state transition in
    parse_char_class() could create an execution path that leaves a
    critical local variable uninitialized until it's used as an index,
    resulting in an out-of-bounds write memory corruption.
    
    CVE-2017-9229
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV
    occurs in left_adjust_char_head() during regular expression
    compilation. Invalid handling of reg-&gt;dmax in
    forward_search_range() could result in an invalid pointer dereference,
    normally as an immediate denial of service condition.
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    5.9.1-1+deb7u1.
    
    We recommend that you upgrade your libonig packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2017/05/msg00029.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/libonig"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected libonig-dev, libonig2, and libonig2-dbg packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libonig-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libonig2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libonig2-dbg");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"libonig-dev", reference:"5.9.1-1+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libonig2", reference:"5.9.1-1+deb7u1")) flag++;
    if (deb_check(release:"7.0", prefix:"libonig2-dbg", reference:"5.9.1-1+deb7u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1585-1.NASL
    descriptionThis update for php53 fixes the following issues: This security issue was fixed : - CVE-2017-7272: PHP enabled potential SSRF in applications that accept an fsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax was recognized, fsockopen used the port number that is specified in the hostname argument, instead of the port number in the second argument of the function (bsc#1031246) - CVE-2016-6294: The locale_accept_from_http function in ext/intl/locale/locale_methods.c did not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (bsc#1035111). - CVE-2017-9227: An issue was discovered in Oniguruma 6.2.0, as used in mbstring in PHP. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer. (bsc#1040883) - CVE-2017-9226: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in mbstring in PHP. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of
    last seen2020-06-01
    modified2020-06-02
    plugin id100866
    published2017-06-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100866
    titleSUSE SLES11 Security Update : php53 (SUSE-SU-2017:1585-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:1585-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100866);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/11 11:22:15");
    
      script_cve_id("CVE-2016-6294", "CVE-2017-7272", "CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227");
    
      script_name(english:"SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1585-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for php53 fixes the following issues: This security issue
    was fixed :
    
      - CVE-2017-7272: PHP enabled potential SSRF in
        applications that accept an fsockopen hostname argument
        with an expectation that the port number is constrained.
        Because a :port syntax was recognized, fsockopen used
        the port number that is specified in the hostname
        argument, instead of the port number in the second
        argument of the function (bsc#1031246)
    
      - CVE-2016-6294: The locale_accept_from_http function in
        ext/intl/locale/locale_methods.c did not properly
        restrict calls to the ICU uloc_acceptLanguageFromHTTP
        function, which allowed remote attackers to cause a
        denial of service (out-of-bounds read) or possibly have
        unspecified other impact via a call with a long argument
        (bsc#1035111).
    
      - CVE-2017-9227: An issue was discovered in Oniguruma
        6.2.0, as used in mbstring in PHP. A stack out-of-bounds
        read occurs in mbc_enc_len() during regular expression
        searching. Invalid handling of reg->dmin in
        forward_search_range() could result in an invalid
        pointer dereference, as an out-of-bounds read from a
        stack buffer. (bsc#1040883)
    
      - CVE-2017-9226: An issue was discovered in Oniguruma
        6.2.0, as used in Oniguruma-mod in mbstring in PHP. A
        heap out-of-bounds write or read occurs in
        next_state_val() during regular expression compilation.
        Octal numbers larger than 0xff are not handled correctly
        in fetch_token() and fetch_token_in_cc(). A malformed
        regular expression containing an octal number in the
        form of '\700' would produce an invalid code point value
        larger than 0xff in next_state_val(), resulting in an
        out-of-bounds write memory corruption. (bsc#1040889)
    
      - CVE-2017-9224: An issue was discovered in Oniguruma
        6.2.0, as used in Oniguruma-mod in mbstring in PHP. A
        stack out-of-bounds read occurs in match_at() during
        regular expression searching. A logical error involving
        order of validation and access in match_at() could
        result in an out-of-bounds read from a stack buffer.
        (bsc#1040891)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031246"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040889"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1040891"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-6294/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7272/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9224/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9226/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9227/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20171585-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?52357544"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-php53-13151=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-php53-13151=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-php53-13151=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php53");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-bz2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-calendar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ctype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-dom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-exif");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fastcgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-fileinfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ftp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gettext");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-iconv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pcntl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-shmop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-suhosin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvmsg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvsem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-sysvshm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-tokenizer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-wddx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlreader");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xmlwriter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-xsl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php53-zlib");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"apache2-mod_php53-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-bcmath-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-bz2-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-calendar-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ctype-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-curl-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-dba-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-dom-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-exif-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-fastcgi-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-fileinfo-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ftp-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gd-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gettext-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-gmp-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-iconv-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-intl-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-json-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-ldap-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mbstring-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mcrypt-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-mysql-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-odbc-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-openssl-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pcntl-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pdo-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pear-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pgsql-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-pspell-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-shmop-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-snmp-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-soap-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-suhosin-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvmsg-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvsem-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-sysvshm-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-tokenizer-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-wddx-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlreader-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlrpc-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xmlwriter-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-xsl-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-zip-5.3.17-108.1")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", reference:"php53-zlib-5.3.17-108.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php53");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-790.NASL
    descriptionThis update for php7 fixes the following security issues : - CVE-2017-9224: stack out-of-bounds read occurs in match_at() could lead to Denial of service (bsc#1040891) - CVE-2017-9226: heap out-of-bounds write orread occurs in next_state_val() could lead to Denial of service(bsc#1040889) - CVE-2017-9227: stack out-of-bounds read in mbc_enc_len() could lead to Denial of service (bsc#1040883) - CVE-2017-6441: The _zval_get_long_func_ex in Zend/zend_operators.c in PHP allowed attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of
    last seen2020-06-05
    modified2017-07-07
    plugin id101287
    published2017-07-07
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/101287
    titleopenSUSE Security Update : php7 (openSUSE-2017-790)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-790.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101287);
      script_version("3.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-6294", "CVE-2017-6441", "CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227");
    
      script_name(english:"openSUSE Security Update : php7 (openSUSE-2017-790)");
      script_summary(english:"Check for the openSUSE-2017-790 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for php7 fixes the following security issues :
    
      - CVE-2017-9224: stack out-of-bounds read occurs in
        match_at() could lead to Denial of service (bsc#1040891)
    
      - CVE-2017-9226: heap out-of-bounds write orread occurs in
        next_state_val() could lead to Denial of
        service(bsc#1040889)
    
      - CVE-2017-9227: stack out-of-bounds read in mbc_enc_len()
        could lead to Denial of service (bsc#1040883)
    
      - CVE-2017-6441: The _zval_get_long_func_ex in
        Zend/zend_operators.c in PHP allowed attackers to cause
        a denial of service (NULL pointer dereference and
        application crash) via crafted use of 'declare(ticks='
        in a PHP script (bsc#1032155).
    
      - CVE-2016-6294: The locale_accept_from_http function in
        ext/intl/locale/locale_methods.c did not properly
        restrict calls to the ICU uloc_acceptLanguageFromHTTP
        function, which allowed remote attackers to cause a
        denial of service (out-of-bounds read) or possibly have
        unspecified other impact via a call with a long argument
        (bsc#1035111).
    
    This update was imported from the SUSE:SLE-12:Update update project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1032155"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1035111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1040883"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1040889"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1040891"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php7 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:apache2-mod_php7-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-bcmath-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-bz2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-bz2-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-calendar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-calendar-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-ctype");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-ctype-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-dba-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-dom");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-dom-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-enchant-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-exif");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-exif-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-fastcgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-fastcgi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-fileinfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-fileinfo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-firebird");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-firebird-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-fpm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-ftp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-ftp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-gd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-gettext");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-gettext-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-gmp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-iconv");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-iconv-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-imap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-intl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-json");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-json-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-ldap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-mbstring-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-mcrypt-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-mysql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-odbc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-opcache-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-openssl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pcntl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pcntl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pdo-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pear");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pear-Archive_Tar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pgsql-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-phar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-phar-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-posix");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-posix-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-pspell-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-readline");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-readline-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-shmop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-shmop-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-snmp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-soap-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sockets");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sockets-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sqlite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sqlite-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sysvmsg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sysvmsg-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sysvsem");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sysvsem-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sysvshm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-sysvshm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-tidy-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-tokenizer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-tokenizer-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-wddx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-wddx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xmlreader");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xmlreader-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xmlrpc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xmlwriter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xmlwriter-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xsl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-xsl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-zip");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-zip-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-zlib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:php7-zlib-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"apache2-mod_php7-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"apache2-mod_php7-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-bcmath-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-bcmath-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-bz2-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-bz2-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-calendar-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-calendar-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-ctype-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-ctype-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-curl-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-curl-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-dba-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-dba-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-debugsource-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-devel-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-dom-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-dom-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-enchant-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-enchant-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-exif-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-exif-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-fastcgi-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-fastcgi-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-fileinfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-fileinfo-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-firebird-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-firebird-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-fpm-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-fpm-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-ftp-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-ftp-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-gd-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-gd-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-gettext-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-gettext-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-gmp-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-gmp-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-iconv-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-iconv-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-imap-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-imap-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-intl-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-intl-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-json-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-json-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-ldap-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-ldap-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-mbstring-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-mbstring-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-mcrypt-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-mcrypt-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-mysql-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-mysql-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-odbc-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-odbc-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-opcache-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-opcache-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-openssl-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-openssl-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pcntl-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pcntl-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pdo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pdo-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pear-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pear-Archive_Tar-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pgsql-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pgsql-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-phar-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-phar-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-posix-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-posix-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pspell-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-pspell-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-readline-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-readline-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-shmop-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-shmop-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-snmp-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-snmp-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-soap-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-soap-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sockets-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sockets-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sqlite-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sqlite-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sysvmsg-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sysvmsg-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sysvsem-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sysvsem-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sysvshm-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-sysvshm-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-tidy-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-tidy-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-tokenizer-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-tokenizer-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-wddx-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-wddx-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xmlreader-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xmlreader-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xmlrpc-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xmlrpc-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xmlwriter-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xmlwriter-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xsl-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-xsl-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-zip-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-zip-debuginfo-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-zlib-7.0.7-14.6.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"php7-zlib-debuginfo-7.0.7-14.6.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache2-mod_php7 / apache2-mod_php7-debuginfo / php7 / php7-bcmath / etc");
    }
    
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-871.NASL
    descriptionOut-of-bounds heap write in bitset_set_range() An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it
    last seen2020-06-01
    modified2020-06-02
    plugin id102545
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102545
    titleAmazon Linux AMI : php56 (ALAS-2017-871)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2017-871.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102545);
      script_version("3.3");
      script_cvs_date("Date: 2018/04/18 15:09:36");
    
      script_cve_id("CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229");
      script_xref(name:"ALAS", value:"2017-871");
    
      script_name(english:"Amazon Linux AMI : php56 (ALAS-2017-871)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Out-of-bounds heap write in bitset_set_range()
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
    out-of-bounds write occurs in bitset_set_range() during regular
    expression compilation due to an uninitialized variable from an
    incorrect state transition. An incorrect state transition in
    parse_char_class() could create an execution path that leaves a
    critical local variable uninitialized until it's used as an index,
    resulting in an out-of-bounds write memory corruption. (CVE-2017-9228)
    
    Invalid pointer dereference in left_adjust_char_head()
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV
    occurs in left_adjust_char_head() during regular expression
    compilation. Invalid handling of reg->dmax in forward_search_range()
    could result in an invalid pointer dereference, normally as an
    immediate denial-of-service condition. (CVE-2017-9229)
    
    Heap buffer overflow in next_state_val() during regular expression
    compilation
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
    out-of-bounds write or read occurs in next_state_val() during regular
    expression compilation. Octal numbers larger than 0xff are not handled
    correctly in fetch_token() and fetch_token_in_cc(). A malformed
    regular expression containing an octal number in the form of '\\700';
    would produce an invalid code point value larger than 0xff in
    next_state_val(), resulting in an out-of-bounds write memory
    corruption. (CVE-2017-9226)
    
    Out-of-bounds stack read in mbc_enc_len() during regular expression
    searching
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
    out-of-bounds read occurs in mbc_enc_len() during regular expression
    searching. Invalid handling of reg>dmin in forward_search_range()
    could result in an invalid pointer dereference, as an out-of-bounds
    read from a stack buffer. CVE-2017-9227 
    
    Out-of-bounds stack read in match_at() during regular expression
    searching
    
    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
    in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
    out-of-bounds read occurs in match_at() during regular expression
    searching. A logical error involving order of validation and access in
    match_at() could result in an out-of-bounds read from a stack buffer.
    (CVE-2017-9224)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2017-871.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update php56' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-bcmath");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-dba");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-embedded");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-enchant");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-fpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-gmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-imap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-intl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mbstring");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mcrypt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mssql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-mysqlnd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-opcache");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-process");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-pspell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-snmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-tidy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php56-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"php56-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-bcmath-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-cli-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-common-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-dba-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-dbg-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-debuginfo-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-devel-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-embedded-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-enchant-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-fpm-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-gd-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-gmp-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-imap-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-intl-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-ldap-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-mbstring-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-mcrypt-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-mssql-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-mysqlnd-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-odbc-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-opcache-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-pdo-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-pgsql-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-process-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-pspell-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-recode-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-snmp-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-soap-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-tidy-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-xml-5.6.31-1.134.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"php56-xmlrpc-5.6.31-1.134.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php56 / php56-bcmath / php56-cli / php56-common / php56-dba / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2649.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says
    last seen2020-05-08
    modified2019-12-18
    plugin id132184
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132184
    titleEulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(132184);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2011-4718",
        "CVE-2014-9767",
        "CVE-2014-9912",
        "CVE-2015-4116",
        "CVE-2015-5589",
        "CVE-2015-6831",
        "CVE-2015-6832",
        "CVE-2015-6833",
        "CVE-2015-7803",
        "CVE-2015-7804",
        "CVE-2015-8835",
        "CVE-2015-8866",
        "CVE-2015-8874",
        "CVE-2015-8879",
        "CVE-2015-8935",
        "CVE-2016-10158",
        "CVE-2016-10159",
        "CVE-2016-10161",
        "CVE-2016-10397",
        "CVE-2016-2554",
        "CVE-2016-3141",
        "CVE-2016-3142",
        "CVE-2016-3185",
        "CVE-2016-4070",
        "CVE-2016-4539",
        "CVE-2016-4540",
        "CVE-2016-4541",
        "CVE-2016-4542",
        "CVE-2016-4543",
        "CVE-2016-5093",
        "CVE-2016-5094",
        "CVE-2016-6288",
        "CVE-2016-6291",
        "CVE-2016-6292",
        "CVE-2016-6294",
        "CVE-2016-7124",
        "CVE-2016-7125",
        "CVE-2016-7128",
        "CVE-2016-7411",
        "CVE-2016-7412",
        "CVE-2016-7414",
        "CVE-2016-7418",
        "CVE-2016-7480",
        "CVE-2016-9934",
        "CVE-2016-9935",
        "CVE-2017-11143",
        "CVE-2017-11144",
        "CVE-2017-11147",
        "CVE-2017-11628",
        "CVE-2017-12933",
        "CVE-2017-16642",
        "CVE-2017-7272",
        "CVE-2017-9224",
        "CVE-2017-9226",
        "CVE-2017-9227",
        "CVE-2017-9228",
        "CVE-2017-9229",
        "CVE-2018-10545",
        "CVE-2018-10547",
        "CVE-2018-14851",
        "CVE-2018-17082",
        "CVE-2018-5711",
        "CVE-2018-5712",
        "CVE-2019-11043"
      );
      script_bugtraq_id(
        61929,
        75974
      );
    
      script_name(english:"EulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the php packages installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - ** DISPUTED ** Integer overflow in the
        php_raw_url_encode function in ext/standard/url.c in
        PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before
        7.0.5 allows remote attackers to cause a denial of
        service (application crash) via a long string to the
        rawurlencode function. NOTE: the vendor says 'Not sure
        if this qualifies as security issue (probably
        not).'(CVE-2016-4070)
    
      - An issue was discovered in ext/phar/phar_object.c in
        PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before
        7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS
        on the PHAR 403 and 404 error pages via request data of
        a request for a .phar file. NOTE: this vulnerability
        exists because of an incomplete fix for
        CVE-2018-5712.(CVE-2018-10547)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A heap out-of-bounds write occurs in
        bitset_set_range() during regular expression
        compilation due to an uninitialized variable from an
        incorrect state transition. An incorrect state
        transition in parse_char_class() could create an
        execution path that leaves a critical local variable
        uninitialized until it's used as an index, resulting in
        an out-of-bounds write memory
        corruption.(CVE-2017-9228)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A heap out-of-bounds write or read
        occurs in next_state_val() during regular expression
        compilation. Octal numbers larger than 0xff are not
        handled correctly in fetch_token() and
        fetch_token_in_cc(). A malformed regular expression
        containing an octal number in the form of '\700' would
        produce an invalid code point value larger than 0xff in
        next_state_val(), resulting in an out-of-bounds write
        memory corruption.(CVE-2017-9226)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A SIGSEGV occurs in
        left_adjust_char_head() during regular expression
        compilation. Invalid handling of reg->dmax in
        forward_search_range() could result in an invalid
        pointer dereference, normally as an immediate
        denial-of-service condition.(CVE-2017-9229)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A stack out-of-bounds read occurs in
        match_at() during regular expression searching. A
        logical error involving order of validation and access
        in match_at() could result in an out-of-bounds read
        from a stack buffer.(CVE-2017-9224)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A stack out-of-bounds read occurs in
        mbc_enc_len() during regular expression searching.
        Invalid handling of reg->dmin in forward_search_range()
        could result in an invalid pointer dereference, as an
        out-of-bounds read from a stack buffer.(CVE-2017-9227)
    
      - An issue was discovered in PHP before 5.6.33, 7.0.x
        before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before
        7.2.1. There is Reflected XSS on the PHAR 404 error
        page via the URI of a request for a .phar
        file.(CVE-2018-5712)
    
      - An issue was discovered in PHP before 5.6.35, 7.0.x
        before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before
        7.2.4. Dumpable FPM child processes allow bypassing
        opcache access controls because fpm_unix.c makes a
        PR_SET_DUMPABLE prctl call, allowing one user (in a
        multiuser environment) to obtain sensitive information
        from the process memory of a second user's PHP
        applications by running gcore on the PID of the PHP-FPM
        worker process.(CVE-2018-10545)
    
      - Directory traversal vulnerability in the PharData class
        in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x
        before 5.6.12 allows remote attackers to write to
        arbitrary files via a .. (dot dot) in a ZIP archive
        entry that is mishandled during an extractTo
        call.(CVE-2015-6833)
    
      - Directory traversal vulnerability in the
        ZipArchive::extractTo function in ext/zip/php_zip.c in
        PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x
        before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before
        3.12.1 allows remote attackers to create arbitrary
        empty directories via a crafted ZIP
        archive.(CVE-2014-9767)
    
      - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP
        before 5.6.37, 7.0.x before 7.0.31, 7.1.x before
        7.1.20, and 7.2.x before 7.2.8 allows remote attackers
        to cause a denial of service (out-of-bounds read and
        application crash) via a crafted JPEG
        file.(CVE-2018-14851)
    
      - ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x
        before 5.6.6, when PHP-FPM is used, does not isolate
        each thread from libxml_disable_entity_loader changes
        in other threads, which allows remote attackers to
        conduct XML External Entity (XXE) and XML Entity
        Expansion (XEE) attacks via a crafted XML document, a
        related issue to CVE-2015-5161.(CVE-2015-8866)
    
      - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26
        and 7.x before 7.0.11 does not verify that a BIT field
        has the UNSIGNED_FLAG flag, which allows remote MySQL
        servers to cause a denial of service (heap-based buffer
        overflow) or possibly have unspecified other impact via
        crafted field metadata.(CVE-2016-7412)
    
      - ext/session/session.c in PHP before 5.6.25 and 7.x
        before 7.0.10 skips invalid session names in a way that
        triggers incorrect parsing, which allows remote
        attackers to inject arbitrary-type session data by
        leveraging control of a session name, as demonstrated
        by object injection.(CVE-2016-7125)
    
      - ext/standard/var_unserializer.c in PHP before 5.6.25
        and 7.x before 7.0.10 mishandles certain invalid
        objects, which allows remote attackers to cause a
        denial of service or possibly have unspecified other
        impact via crafted serialized data that leads to a (1)
        __destruct call or (2) magic method
        call.(CVE-2016-7124)
    
      - ext/standard/var_unserializer.re in PHP before 5.6.26
        mishandles object-deserialization failures, which
        allows remote attackers to cause a denial of service
        (memory corruption) or possibly have unspecified other
        impact via an unserialize call that references a
        partially constructed object.(CVE-2016-7411)
    
      - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before
        7.0.13 allows remote attackers to cause a denial of
        service (NULL pointer dereference) via crafted
        serialized data in a wddxPacket XML document, as
        demonstrated by a PDORow string.(CVE-2016-9934)
    
      - gd_gif_in.c in the GD Graphics Library (aka libgd), as
        used in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x
        before 7.1.13, and 7.2.x before 7.2.1, has an integer
        signedness error that leads to an infinite loop via a
        crafted GIF file, as demonstrated by a call to the
        imagecreatefromgif or imagecreatefromstring PHP
        function. This is related to GetCode_ and
        gdImageCreateFromGifCtx.(CVE-2018-5711)
    
      - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect
        handling of various URI components in the URL parser
        could be used by attackers to bypass hostname-specific
        URL checks, as demonstrated by
        evil.example.com:80#@good.example.com/ and
        evil.example.com:[email protected]/ inputs to the
        parse_url function (implemented in the php_url_parse_ex
        function in ext/standard/url.c).(CVE-2016-10397)
    
      - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR
        archive handler could be used by attackers supplying
        malicious archive files to crash the PHP interpreter or
        potentially disclose information due to a buffer
        over-read in the phar_parse_pharfile function in
        ext/phar/phar.c.(CVE-2017-11147)
    
      - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x
        before 7.1.7, a stack-based buffer overflow in the
        zend_ini_do_op() function in Zend/zend_ini_parser.c
        could cause a denial of service or potentially allow
        executing code. NOTE: this is only relevant for PHP
        applications that accept untrusted input (instead of
        the system's php.ini file) for the parse_ini_string or
        parse_ini_file function, e.g., a web application for
        syntax validation of php.ini
        directives.(CVE-2017-11628)
    
      - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x
        before 7.1.7, the openssl extension PEM sealing code
        did not check the return value of the OpenSSL sealing
        function, which could lead to a crash of the PHP
        interpreter, related to an interpretation conflict for
        a negative number in ext/openssl/openssl.c, and an
        OpenSSL documentation omission.(CVE-2017-11144)
    
      - In PHP before 5.6.31, an invalid free in the WDDX
        deserialization of boolean parameters could be used by
        attackers able to inject XML for deserialization to
        crash the PHP interpreter, related to an invalid free
        for an empty boolean element in
        ext/wddx/wddx.c.(CVE-2017-11143)
    
      - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x
        before 7.1.11, an error in the date extension's
        timelib_meridian handling of 'front of' and 'back of'
        directives could be used by attackers able to supply
        date strings to leak information from the interpreter,
        related to ext/date/lib/parse_date.c out-of-bounds
        reads affecting the php_parse_date function. NOTE: this
        is a different issue than
        CVE-2017-11145.(CVE-2017-16642)
    
      - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24
        and 7.3.x below 7.3.11 in certain configurations of FPM
        setup it is possible to cause FPM module to write past
        allocated buffers into the space reserved for FCGI
        protocol data, thus opening the possibility of remote
        code execution.(CVE-2019-11043)
    
      - Integer overflow in the phar_parse_pharfile function in
        ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before
        7.0.15 allows remote attackers to cause a denial of
        service (memory consumption or application crash) via a
        truncated manifest entry in a PHAR
        archive.(CVE-2016-10159)
    
      - Integer overflow in the php_html_entities function in
        ext/standard/html.c in PHP before 5.5.36 and 5.6.x
        before 5.6.22 allows remote attackers to cause a denial
        of service or possibly have unspecified other impact by
        triggering a large output string from the
        htmlspecialchars function.(CVE-2016-5094)
    
      - Multiple use-after-free vulnerabilities in SPL in PHP
        before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before
        5.6.12 allow remote attackers to execute arbitrary code
        via vectors involving (1) ArrayObject, (2)
        SplObjectStorage, and (3) SplDoublyLinkedList, which
        are mishandled during unserialization.(CVE-2015-6831)
    
      - Off-by-one error in the phar_parse_zipfile function in
        ext/phar/zip.c in PHP before 5.5.30 and 5.6.x before
        5.6.14 allows remote attackers to cause a denial of
        service (uninitialized pointer dereference and
        application crash) by including the / filename in a
        .zip PHAR archive.(CVE-2015-7804)
    
      - PHP through 7.1.11 enables potential SSRF in
        applications that accept an fsockopen or pfsockopen
        hostname argument with an expectation that the port
        number is constrained. Because a :port syntax is
        recognized, fsockopen will use the port number that is
        specified in the hostname argument, instead of the port
        number in the second argument of the
        function.(CVE-2017-7272)
    
      - Session fixation vulnerability in the Sessions
        subsystem in PHP before 5.5.2 allows remote attackers
        to hijack web sessions by specifying a session
        ID.(CVE-2011-4718)
    
      - Stack consumption vulnerability in GD in PHP before
        5.6.12 allows remote attackers to cause a denial of
        service via a crafted imagefilltoborder
        call.(CVE-2015-8874)
    
      - Stack-based buffer overflow in ext/phar/tar.c in PHP
        before 5.5.32, 5.6.x before 5.6.18, and 7.x before
        7.0.3 allows remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted TAR
        archive.(CVE-2016-2554)
    
      - The Apache2 component in PHP before 5.6.38, 7.0.x
        before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before
        7.2.10 allows XSS via the body of a 'Transfer-Encoding:
        chunked' request, because the bucket brigade is
        mishandled in the php_handler function in
        sapi/apache2handler/sapi_apache2.c.(CVE-2018-17082)
    
      - The exif_convert_any_to_int function in ext/exif/exif.c
        in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x
        before 7.1.1 allows remote attackers to cause a denial
        of service (application crash) via crafted EXIF data
        that triggers an attempt to divide the minimum
        representable negative integer by -1.(CVE-2016-10158)
    
      - The exif_process_IFD_in_JPEG function in
        ext/exif/exif.c in PHP before 5.5.35, 5.6.x before
        5.6.21, and 7.x before 7.0.6 does not validate IFD
        sizes, which allows remote attackers to cause a denial
        of service (out-of-bounds read) or possibly have
        unspecified other impact via crafted header
        data.(CVE-2016-4543)
    
      - The exif_process_IFD_in_MAKERNOTE function in
        ext/exif/exif.c in PHP before 5.5.38, 5.6.x before
        5.6.24, and 7.x before 7.0.9 allows remote attackers to
        cause a denial of service (out-of-bounds array access
        and memory corruption), obtain sensitive information
        from process memory, or possibly have unspecified other
        impact via a crafted JPEG image.(CVE-2016-6291)
    
      - The exif_process_IFD_in_TIFF function in
        ext/exif/exif.c in PHP before 5.6.25 and 7.x before
        7.0.10 mishandles the case of a thumbnail offset that
        exceeds the file size, which allows remote attackers to
        obtain sensitive information from process memory via a
        crafted TIFF image.(CVE-2016-7128)
    
      - The exif_process_IFD_TAG function in ext/exif/exif.c in
        PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
        7.0.6 does not properly construct spprintf arguments,
        which allows remote attackers to cause a denial of
        service (out-of-bounds read) or possibly have
        unspecified other impact via crafted header
        data.(CVE-2016-4542)
    
      - The exif_process_user_comment function in
        ext/exif/exif.c in PHP before 5.5.38, 5.6.x before
        5.6.24, and 7.x before 7.0.9 allows remote attackers to
        cause a denial of service (NULL pointer dereference and
        application crash) via a crafted JPEG
        image.(CVE-2016-6292)
    
      - The finish_nested_data function in
        ext/standard/var_unserializer.re in PHP before 5.6.31,
        7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to
        a buffer over-read while unserializing untrusted data.
        Exploitation of this issue can have an unspecified
        impact on the integrity of PHP.(CVE-2017-12933)
    
      - The get_icu_disp_value_src_php function in
        ext/intl/locale/locale_methods.c in PHP before 5.3.29,
        5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not
        properly restrict calls to the ICU uresbund.cpp
        component, which allows remote attackers to cause a
        denial of service (buffer overflow) or possibly have
        unspecified other impact via a locale_get_display_name
        call with a long first argument.(CVE-2014-9912)
    
      - The get_icu_value_internal function in
        ext/intl/locale/locale_methods.c in PHP before 5.5.36,
        5.6.x before 5.6.22, and 7.x before 7.0.7 does not
        ensure the presence of a '\0' character, which allows
        remote attackers to cause a denial of service
        (out-of-bounds read) or possibly have unspecified other
        impact via a crafted locale_get_primary_language
        call.(CVE-2016-5093)
    
      - The grapheme_stripos function in
        ext/intl/grapheme/grapheme_string.c in PHP before
        5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6
        allows remote attackers to cause a denial of service
        (out-of-bounds read) or possibly have unspecified other
        impact via a negative offset.(CVE-2016-4540)
    
      - The grapheme_strpos function in
        ext/intl/grapheme/grapheme_string.c in PHP before
        5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6
        allows remote attackers to cause a denial of service
        (out-of-bounds read) or possibly have unspecified other
        impact via a negative offset.(CVE-2016-4541)
    
      - The locale_accept_from_http function in
        ext/intl/locale/locale_methods.c in PHP before 5.5.38,
        5.6.x before 5.6.24, and 7.x before 7.0.9 does not
        properly restrict calls to the ICU
        uloc_acceptLanguageFromHTTP function, which allows
        remote attackers to cause a denial of service
        (out-of-bounds read) or possibly have unspecified other
        impact via a call with a long argument.(CVE-2016-6294)
    
      - The make_http_soap_request function in
        ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before
        5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4
        allows remote attackers to obtain sensitive information
        from process memory or cause a denial of service (type
        confusion and application crash) via crafted serialized
        _cookies data, related to the SoapClient::__call method
        in ext/soap/soap.c.(CVE-2016-3185)
    
      - The make_http_soap_request function in
        ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before
        5.5.28, and 5.6.x before 5.6.12 does not properly
        retrieve keys, which allows remote attackers to cause a
        denial of service (NULL pointer dereference, type
        confusion, and application crash) or possibly execute
        arbitrary code via crafted serialized data representing
        a numerically indexed _cookies array, related to the
        SoapClient::__call method in
        ext/soap/soap.c.(CVE-2015-8835)
    
      - The object_common1 function in
        ext/standard/var_unserializer.c in PHP before 5.6.30,
        7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows
        remote attackers to cause a denial of service (buffer
        over-read and application crash) via crafted serialized
        data that is mishandled in a finish_nested_data
        call.(CVE-2016-10161)
    
      - The odbc_bindcols function in ext/odbc/php_odbc.c in
        PHP before 5.6.12 mishandles driver behavior for
        SQL_WVARCHAR columns, which allows remote attackers to
        cause a denial of service (application crash) in
        opportunistic circumstances by leveraging use of the
        odbc_fetch_array function to access a certain type of
        Microsoft SQL Server table.(CVE-2015-8879)
    
      - The phar_convert_to_other function in
        ext/phar/phar_object.c in PHP before 5.4.43, 5.5.x
        before 5.5.27, and 5.6.x before 5.6.11 does not
        validate a file pointer before a close operation, which
        allows remote attackers to cause a denial of service
        (segmentation fault) or possibly have unspecified other
        impact via a crafted TAR archive that is mishandled in
        a Phar::convertToData call.(CVE-2015-5589)
    
      - The phar_get_entry_data function in ext/phar/util.c in
        PHP before 5.5.30 and 5.6.x before 5.6.14 allows remote
        attackers to cause a denial of service (NULL pointer
        dereference and application crash) via a .phar file
        with a crafted TAR archive entry in which the Link
        indicator references a file that does not
        exist.(CVE-2015-7803)
    
      - The phar_parse_zipfile function in zip.c in the PHAR
        extension in PHP before 5.5.33 and 5.6.x before 5.6.19
        allows remote attackers to obtain sensitive information
        from process memory or cause a denial of service
        (out-of-bounds read and application crash) by placing a
        PK\x05\x06 signature at an invalid
        location.(CVE-2016-3142)
    
      - The php_url_parse_ex function in ext/standard/url.c in
        PHP before 5.5.38 allows remote attackers to cause a
        denial of service (buffer over-read) or possibly have
        unspecified other impact via vectors involving the
        smart_str data type.(CVE-2016-6288)
    
      - The php_wddx_push_element function in ext/wddx/wddx.c
        in PHP before 5.6.26 and 7.x before 7.0.11 allows
        remote attackers to cause a denial of service (invalid
        pointer access and out-of-bounds read) or possibly have
        unspecified other impact via an incorrect boolean
        element in a wddxPacket XML document, leading to
        mishandling in a wddx_deserialize call.(CVE-2016-7418)
    
      - The php_wddx_push_element function in ext/wddx/wddx.c
        in PHP before 5.6.29 and 7.x before 7.0.14 allows
        remote attackers to cause a denial of service
        (out-of-bounds read and memory corruption) or possibly
        have unspecified other impact via an empty boolean
        element in a wddxPacket XML document.(CVE-2016-9935)
    
      - The sapi_header_op function in main/SAPI.c in PHP
        before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before
        5.6.6 supports deprecated line folding without
        considering browser compatibility, which allows remote
        attackers to conduct cross-site scripting (XSS) attacks
        against Internet Explorer by leveraging (1) %0A%20 or
        (2) %0D%0A%20 mishandling in the header
        function.(CVE-2015-8935)
    
      - The SplObjectStorage unserialize implementation in
        ext/spl/spl_observer.c in PHP before 7.0.12 does not
        verify that a key is an object, which allows remote
        attackers to execute arbitrary code or cause a denial
        of service (uninitialized memory access) via crafted
        serialized data.(CVE-2016-7480)
    
      - The xml_parse_into_struct function in ext/xml/xml.c in
        PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
        7.0.6 allows remote attackers to cause a denial of
        service (buffer under-read and segmentation fault) or
        possibly have unspecified other impact via crafted XML
        data in the second argument, leading to a parser level
        of zero.(CVE-2016-4539)
    
      - The ZIP signature-verification feature in PHP before
        5.6.26 and 7.x before 7.0.11 does not ensure that the
        uncompressed_filesize field is large enough, which
        allows remote attackers to cause a denial of service
        (out-of-bounds memory access) or possibly have
        unspecified other impact via a crafted PHAR archive,
        related to ext/phar/util.c and
        ext/phar/zip.c.(CVE-2016-7414)
    
      - Use-after-free vulnerability in the SPL unserialize
        implementation in ext/spl/spl_array.c in PHP before
        5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12
        allows remote attackers to execute arbitrary code via
        crafted serialized data that triggers misuse of an
        array field.(CVE-2015-6832)
    
      - Use-after-free vulnerability in the spl_ptr_heap_insert
        function in ext/spl/spl_heap.c in PHP before 5.5.27 and
        5.6.x before 5.6.11 allows remote attackers to execute
        arbitrary code by triggering a failed
        SplMinHeap::compare operation.(CVE-2015-4116)
    
      - Use-after-free vulnerability in wddx.c in the WDDX
        extension in PHP before 5.5.33 and 5.6.x before 5.6.19
        allows remote attackers to cause a denial of service
        (memory corruption and application crash) or possibly
        have unspecified other impact by triggering a
        wddx_deserialize call on XML data containing a crafted
        var element.(CVE-2016-3141)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2649
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cd44f4b5");
      script_set_attribute(attribute:"solution", value:
    "Update the affected php packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP-FPM Underflow RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-process");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["php-5.4.16-42.h51",
            "php-cli-5.4.16-42.h51",
            "php-common-5.4.16-42.h51",
            "php-gd-5.4.16-42.h51",
            "php-ldap-5.4.16-42.h51",
            "php-mysql-5.4.16-42.h51",
            "php-odbc-5.4.16-42.h51",
            "php-pdo-5.4.16-42.h51",
            "php-pgsql-5.4.16-42.h51",
            "php-process-5.4.16-42.h51",
            "php-recode-5.4.16-42.h51",
            "php-soap-5.4.16-42.h51",
            "php-xml-5.4.16-42.h51",
            "php-xmlrpc-5.4.16-42.h51"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2221.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - Stack-based buffer overflow in ext/phar/tar.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted TAR archive.(CVE-2016-2554) - A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.(CVE-2015-6831) - The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.(CVE-2015-8935) - The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.(CVE-2015-8867) - Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.(CVE-2015-6832) - Directory traversal vulnerability in the PharData class in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to write to arbitrary files via a .. (dot dot) in a ZIP archive entry that is mishandled during an extractTo call.(CVE-2015-6833) - Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.(CVE-2014-9767) - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.(CVE-2016-7414) - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.(CVE-2016-9934) - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.(CVE-2016-9935) - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.(CVE-2017-11143) - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function.(CVE-2016-5094) - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a
    last seen2020-05-08
    modified2019-11-08
    plugin id130683
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130683
    titleEulerOS 2.0 SP5 : php (EulerOS-SA-2019-2221)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130683);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2014-9767",
        "CVE-2015-6831",
        "CVE-2015-6832",
        "CVE-2015-6833",
        "CVE-2015-8867",
        "CVE-2015-8879",
        "CVE-2015-8935",
        "CVE-2016-10161",
        "CVE-2016-2554",
        "CVE-2016-3141",
        "CVE-2016-3142",
        "CVE-2016-3185",
        "CVE-2016-4070",
        "CVE-2016-4539",
        "CVE-2016-4540",
        "CVE-2016-4541",
        "CVE-2016-4542",
        "CVE-2016-4543",
        "CVE-2016-5093",
        "CVE-2016-5094",
        "CVE-2016-7124",
        "CVE-2016-7414",
        "CVE-2016-9934",
        "CVE-2016-9935",
        "CVE-2017-11143",
        "CVE-2017-11144",
        "CVE-2017-11147",
        "CVE-2017-12933",
        "CVE-2017-9226"
      );
    
      script_name(english:"EulerOS 2.0 SP5 : php (EulerOS-SA-2019-2221)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the php packages installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - ext/standard/var_unserializer.c in PHP before 5.6.25
        and 7.x before 7.0.10 mishandles certain invalid
        objects, which allows remote attackers to cause a
        denial of service or possibly have unspecified other
        impact via crafted serialized data that leads to a (1)
        __destruct call or (2) magic method
        call.(CVE-2016-7124)
    
      - Stack-based buffer overflow in ext/phar/tar.c in PHP
        before 5.5.32, 5.6.x before 5.6.18, and 7.x before
        7.0.3 allows remote attackers to cause a denial of
        service (application crash) or possibly have
        unspecified other impact via a crafted TAR
        archive.(CVE-2016-2554)
    
      - A flaw was discovered in the way PHP performed object
        unserialization. Specially crafted input processed by
        the unserialize() function could cause a PHP
        application to crash or, possibly, execute arbitrary
        code.(CVE-2015-6831)
    
      - The sapi_header_op function in main/SAPI.c in PHP
        before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before
        5.6.6 supports deprecated line folding without
        considering browser compatibility, which allows remote
        attackers to conduct cross-site scripting (XSS) attacks
        against Internet Explorer by leveraging (1) %0A%20 or
        (2) %0D%0A%20 mishandling in the header
        function.(CVE-2015-8935)
    
      - The openssl_random_pseudo_bytes function in
        ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x
        before 5.5.28, and 5.6.x before 5.6.12 incorrectly
        relies on the deprecated RAND_pseudo_bytes function,
        which makes it easier for remote attackers to defeat
        cryptographic protection mechanisms via unspecified
        vectors.(CVE-2015-8867)
    
      - Use-after-free vulnerability in the SPL unserialize
        implementation in ext/spl/spl_array.c in PHP before
        5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12
        allows remote attackers to execute arbitrary code via
        crafted serialized data that triggers misuse of an
        array field.(CVE-2015-6832)
    
      - Directory traversal vulnerability in the PharData class
        in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x
        before 5.6.12 allows remote attackers to write to
        arbitrary files via a .. (dot dot) in a ZIP archive
        entry that is mishandled during an extractTo
        call.(CVE-2015-6833)
    
      - Directory traversal vulnerability in the
        ZipArchive::extractTo function in ext/zip/php_zip.c in
        PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x
        before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before
        3.12.1 allows remote attackers to create arbitrary
        empty directories via a crafted ZIP
        archive.(CVE-2014-9767)
    
      - The ZIP signature-verification feature in PHP before
        5.6.26 and 7.x before 7.0.11 does not ensure that the
        uncompressed_filesize field is large enough, which
        allows remote attackers to cause a denial of service
        (out-of-bounds memory access) or possibly have
        unspecified other impact via a crafted PHAR archive,
        related to ext/phar/util.c and
        ext/phar/zip.c.(CVE-2016-7414)
    
      - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before
        7.0.13 allows remote attackers to cause a denial of
        service (NULL pointer dereference) via crafted
        serialized data in a wddxPacket XML document, as
        demonstrated by a PDORow string.(CVE-2016-9934)
    
      - The php_wddx_push_element function in ext/wddx/wddx.c
        in PHP before 5.6.29 and 7.x before 7.0.14 allows
        remote attackers to cause a denial of service
        (out-of-bounds read and memory corruption) or possibly
        have unspecified other impact via an empty boolean
        element in a wddxPacket XML document.(CVE-2016-9935)
    
      - In PHP before 5.6.31, an invalid free in the WDDX
        deserialization of boolean parameters could be used by
        attackers able to inject XML for deserialization to
        crash the PHP interpreter, related to an invalid free
        for an empty boolean element in
        ext/wddx/wddx.c.(CVE-2017-11143)
    
      - Integer overflow in the php_html_entities function in
        ext/standard/html.c in PHP before 5.5.36 and 5.6.x
        before 5.6.22 allows remote attackers to cause a denial
        of service or possibly have unspecified other impact by
        triggering a large output string from the
        htmlspecialchars function.(CVE-2016-5094)
    
      - The get_icu_value_internal function in
        ext/intl/locale/locale_methods.c in PHP before 5.5.36,
        5.6.x before 5.6.22, and 7.x before 7.0.7 does not
        ensure the presence of a '\0' character, which allows
        remote attackers to cause a denial of service
        (out-of-bounds read) or possibly have unspecified other
        impact via a crafted locale_get_primary_language
        call.(CVE-2016-5093)
    
      - The grapheme_strpos function in
        ext/intl/grapheme/grapheme_string.c in PHP before
        5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6
        allows remote attackers to cause a denial of service
        (out-of-bounds read) or possibly have unspecified other
        impact via a negative offset.(CVE-2016-4541)
    
      - The exif_process_IFD_TAG function in ext/exif/exif.c in
        PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
        7.0.6 does not properly construct spprintf arguments,
        which allows remote attackers to cause a denial of
        service (out-of-bounds read) or possibly have
        unspecified other impact via crafted header
        data.(CVE-2016-4542)
    
      - The phar_parse_zipfile function in zip.c in the PHAR
        extension in PHP before 5.5.33 and 5.6.x before 5.6.19
        allows remote attackers to obtain sensitive information
        from process memory or cause a denial of service
        (out-of-bounds read and application crash) by placing a
        PK\x05\x06 signature at an invalid
        location.(CVE-2016-3142)
    
      - ** DISPUTED ** Integer overflow in the
        php_raw_url_encode function in ext/standard/url.c in
        PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before
        7.0.5 allows remote attackers to cause a denial of
        service (application crash) via a long string to the
        rawurlencode function. NOTE: the vendor says 'Not sure
        if this qualifies as security issue (probably
        not).'(CVE-2016-4070)
    
      - The xml_parse_into_struct function in ext/xml/xml.c in
        PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
        7.0.6 allows remote attackers to cause a denial of
        service (buffer under-read and segmentation fault) or
        possibly have unspecified other impact via crafted XML
        data in the second argument, leading to a parser level
        of zero.(CVE-2016-4539)
    
      - The grapheme_stripos function in
        ext/intl/grapheme/grapheme_string.c in PHP before
        5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6
        allows remote attackers to cause a denial of service
        (out-of-bounds read) or possibly have unspecified other
        impact via a negative offset.(CVE-2016-4540)
    
      - Use-after-free vulnerability in wddx.c in the WDDX
        extension in PHP before 5.5.33 and 5.6.x before 5.6.19
        allows remote attackers to cause a denial of service
        (memory corruption and application crash) or possibly
        have unspecified other impact by triggering a
        wddx_deserialize call on XML data containing a crafted
        var element.(CVE-2016-3141)
    
      - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR
        archive handler could be used by attackers supplying
        malicious archive files to crash the PHP interpreter or
        potentially disclose information due to a buffer
        over-read in the phar_parse_pharfile function in
        ext/phar/phar.c.(CVE-2017-11147)
    
      - The exif_process_IFD_in_JPEG function in
        ext/exif/exif.c in PHP before 5.5.35, 5.6.x before
        5.6.21, and 7.x before 7.0.6 does not validate IFD
        sizes, which allows remote attackers to cause a denial
        of service (out-of-bounds read) or possibly have
        unspecified other impact via crafted header
        data.(CVE-2016-4543)
    
      - The odbc_bindcols function in ext/odbc/php_odbc.c in
        PHP before 5.6.12 mishandles driver behavior for
        SQL_WVARCHAR columns, which allows remote attackers to
        cause a denial of service (application crash) in
        opportunistic circumstances by leveraging use of the
        odbc_fetch_array function to access a certain type of
        Microsoft SQL Server table.(CVE-2015-8879)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A heap out-of-bounds write or read
        occurs in next_state_val() during regular expression
        compilation. Octal numbers larger than 0xff are not
        handled correctly in fetch_token() and
        fetch_token_in_cc(). A malformed regular expression
        containing an octal number in the form of '\700' would
        produce an invalid code point value larger than 0xff in
        next_state_val(), resulting in an out-of-bounds write
        memory corruption.(CVE-2017-9226)
    
      - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x
        before 7.1.7, the openssl extension PEM sealing code
        did not check the return value of the OpenSSL sealing
        function, which could lead to a crash of the PHP
        interpreter, related to an interpretation conflict for
        a negative number in ext/openssl/openssl.c, and an
        OpenSSL documentation omission.(CVE-2017-11144)
    
      - The make_http_soap_request function in
        ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before
        5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4
        allows remote attackers to obtain sensitive information
        from process memory or cause a denial of service (type
        confusion and application crash) via crafted serialized
        _cookies data, related to the SoapClient::__call method
        in ext/soap/soap.c.(CVE-2016-3185)
    
      - The object_common1 function in
        ext/standard/var_unserializer.c in PHP before 5.6.30,
        7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows
        remote attackers to cause a denial of service (buffer
        over-read and application crash) via crafted serialized
        data that is mishandled in a finish_nested_data
        call.(CVE-2016-10161)
    
      - The finish_nested_data function in
        ext/standard/var_unserializer.re in PHP before 5.6.31,
        7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to
        a buffer over-read while unserializing untrusted data.
        Exploitation of this issue can have an unspecified
        impact on the integrity of PHP.(CVE-2017-12933)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2221
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce72047f");
      script_set_attribute(attribute:"solution", value:
    "Update the affected php packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-gd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-odbc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pdo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-pgsql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-process");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-recode");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-soap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xml");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:php-xmlrpc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["php-5.4.16-45.h19.eulerosv2r7",
            "php-cli-5.4.16-45.h19.eulerosv2r7",
            "php-common-5.4.16-45.h19.eulerosv2r7",
            "php-gd-5.4.16-45.h19.eulerosv2r7",
            "php-ldap-5.4.16-45.h19.eulerosv2r7",
            "php-mysql-5.4.16-45.h19.eulerosv2r7",
            "php-odbc-5.4.16-45.h19.eulerosv2r7",
            "php-pdo-5.4.16-45.h19.eulerosv2r7",
            "php-pgsql-5.4.16-45.h19.eulerosv2r7",
            "php-process-5.4.16-45.h19.eulerosv2r7",
            "php-recode-5.4.16-45.h19.eulerosv2r7",
            "php-soap-5.4.16-45.h19.eulerosv2r7",
            "php-xml-5.4.16-45.h19.eulerosv2r7",
            "php-xmlrpc-5.4.16-45.h19.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php");
    }
    
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-188-01.NASL
    descriptionNew php packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101316
    published2017-07-10
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/101316
    titleSlackware 14.0 / 14.1 / 14.2 / current : php (SSA:2017-188-01)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2017-188-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101316);
      script_version("$Revision: 3.3 $");
      script_cvs_date("$Date: 2018/01/26 17:50:31 $");
    
      script_cve_id("CVE-2017-9224", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229");
      script_xref(name:"SSA", value:"2017-188-01");
    
      script_name(english:"Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2017-188-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New php packages are available for Slackware 14.0, 14.1, 14.2, and
    -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2017&m=slackware-security.438658
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b8c719d3"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected php package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:php");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"14.0", pkgname:"php", pkgver:"5.6.31", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"php", pkgver:"5.6.31", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"php", pkgver:"5.6.31", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"php", pkgver:"5.6.31", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;
    
    if (slackware_check(osver:"14.2", pkgname:"php", pkgver:"5.6.31", pkgarch:"i586", pkgnum:"1_slack14.2")) flag++;
    if (slackware_check(osver:"14.2", arch:"x86_64", pkgname:"php", pkgver:"5.6.31", pkgarch:"x86_64", pkgnum:"1_slack14.2")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"php", pkgver:"5.6.31", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"php", pkgver:"5.6.31", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-60997F0D14.NASL
    descriptionMultiple security flaws were found on oniguruma currently being shipped on Fedora. This new rpm should fix the issue. Fixed CVEs: CVE-2017-9226 CVE-2017-9225 CVE-2017-9224 CVE-2017-9227 CVE-2017-9229 CVE-2017-9228 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-06-12
    plugin id100730
    published2017-06-12
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100730
    titleFedora 25 : oniguruma (2017-60997f0d14)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-60997f0d14.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(100730);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-9224", "CVE-2017-9225", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229");
      script_xref(name:"FEDORA", value:"2017-60997f0d14");
    
      script_name(english:"Fedora 25 : oniguruma (2017-60997f0d14)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple security flaws were found on oniguruma currently being
    shipped on Fedora. This new rpm should fix the issue. 
    
    Fixed CVEs: CVE-2017-9226 CVE-2017-9225 CVE-2017-9224 CVE-2017-9227
    CVE-2017-9229 CVE-2017-9228
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-60997f0d14"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected oniguruma package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:oniguruma");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/24");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"oniguruma-6.1.3-2.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "oniguruma");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2403.NASL
    descriptionAccording to the versions of the ruby packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.(CVE-2017-9224) - An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of
    last seen2020-05-08
    modified2019-12-10
    plugin id131895
    published2019-12-10
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131895
    titleEulerOS 2.0 SP2 : ruby (EulerOS-SA-2019-2403)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131895);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2017-9224",
        "CVE-2017-9226",
        "CVE-2017-9227",
        "CVE-2017-9228"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : ruby (EulerOS-SA-2019-2403)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the ruby packages installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A stack out-of-bounds read occurs in
        match_at() during regular expression searching. A
        logical error involving order of validation and access
        in match_at() could result in an out-of-bounds read
        from a stack buffer.(CVE-2017-9224)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A heap out-of-bounds write or read
        occurs in next_state_val() during regular expression
        compilation. Octal numbers larger than 0xff are not
        handled correctly in fetch_token() and
        fetch_token_in_cc(). A malformed regular expression
        containing an octal number in the form of '\700' would
        produce an invalid code point value larger than 0xff in
        next_state_val(), resulting in an out-of-bounds write
        memory corruption.(CVE-2017-9226)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A stack out-of-bounds read occurs in
        mbc_enc_len() during regular expression searching.
        Invalid handling of reg->dmin in forward_search_range()
        could result in an invalid pointer dereference, as an
        out-of-bounds read from a stack buffer.(CVE-2017-9227)
    
      - An issue was discovered in Oniguruma 6.2.0, as used in
        Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP
        through 7.1.5. A heap out-of-bounds write occurs in
        bitset_set_range() during regular expression
        compilation due to an uninitialized variable from an
        incorrect state transition. An incorrect state
        transition in parse_char_class() could create an
        execution path that leaves a critical local variable
        uninitialized until it's used as an index, resulting in
        an out-of-bounds write memory
        corruption.(CVE-2017-9228)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2403
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?bde7aae9");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ruby packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/10");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-irb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ruby-libs");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["ruby-2.0.0.648-33.h16",
            "ruby-irb-2.0.0.648-33.h16",
            "ruby-libs-2.0.0.648-33.h16"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B396CF6C62E611E79DEFB499BAEBFEAF.NASL
    descriptionthe PHP project reports : - A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer (CVE-2017-9224). - A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. Octal numbers larger than 0xff are not handled correctly in fetch_token() and fetch_token_in_cc(). A malformed regular expression containing an octal number in the form of
    last seen2020-06-01
    modified2020-06-02
    plugin id101332
    published2017-07-10
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101332
    titleFreeBSD : oniguruma -- multiple vulnerabilities (b396cf6c-62e6-11e7-9def-b499baebfeaf)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-764.NASL
    descriptionThis update for php5 fixes the following security issues : - CVE-2016-6294: The locale_accept_from_http function in ext/intl/locale/locale_methods.c did not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allowed remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument (bsc#1035111). - CVE-2017-9227: A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. (bsc#1040883) - CVE-2017-9226: A heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. (bsc#1040889) - CVE-2017-9224: A stack out-of-bounds read occurs in match_at() during regular expression searching. (bsc#1040891) This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2017-07-05
    plugin id101219
    published2017-07-05
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/101219
    titleopenSUSE Security Update : php5 (openSUSE-2017-764)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1717-1.NASL
    descriptionThis update for php7 fixes the following security issues : - CVE-2017-9224: stack out-of-bounds read occurs in match_at() could lead to Denial of service (bsc#1040891) - CVE-2017-9226: heap out-of-bounds write orread occurs in next_state_val() could lead to Denial of service(bsc#1040889) - CVE-2017-9227: stack out-of-bounds read in mbc_enc_len() could lead to Denial of service (bsc#1040883) - CVE-2017-6441: The _zval_get_long_func_ex in Zend/zend_operators.c in PHP allowed attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of
    last seen2020-03-24
    modified2019-01-02
    plugin id120000
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120000
    titleSUSE SLES12 Security Update : php7 (SUSE-SU-2017:1717-1)
  • NASL familyCGI abuses
    NASL idPHP_7_1_7.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.7. It is, therefore, affected by the following vulnerabilities : - An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-7890) - An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224) - An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226) - An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227) - An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228) - An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-9229) - A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of
    last seen2020-04-30
    modified2017-07-13
    plugin id101527
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101527
    titlePHP 7.1.x < 7.1.7 Multiple Vulnerabilities
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2438.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi )abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382) - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension
    last seen2020-05-08
    modified2019-12-04
    plugin id131592
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131592
    titleEulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3382-1.NASL
    descriptionIt was discovered that the PHP opcache created keys for files it cached based on their filepath. A local attacker could possibly use this issue in a shared hosting environment to obtain sensitive information. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-8994) It was discovered that the PHP URL parser incorrectly handled certain URI components. A remote attacker could possibly use this issue to bypass hostname-specific URL checks. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-10397) It was discovered that PHP incorrectly handled certain boolean parameters when unserializing data. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2017-11143) Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP incorrectly handled the OpenSSL sealing function. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2017-11144) Wei Lei and Liu Yang discovered that the PHP date extension incorrectly handled memory. A remote attacker could possibly use this issue to disclose sensitive information from the server. (CVE-2017-11145) It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash or disclose sensitive information. This issue only affected Ubuntu 14.04 LTS. (CVE-2017-11147) It was discovered that PHP incorrectly handled locale length. A remote attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2017-11362) Wei Lei and Liu Yang discovered that PHP incorrectly handled parsing ini files. An attacker could possibly use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2017-11628) It was discovered that PHP mbstring incorrectly handled certain regular expressions. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102416
    published2017-08-11
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102416
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : php5, php7.0 vulnerabilities (USN-3382-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-E2D6D0067F.NASL
    descriptionMultiple security flaws were found on oniguruma currently being shipped on Fedora. This new rpm should fix the issue. Fixed CVEs: CVE-2017-9226 CVE-2017-9224 CVE-2017-9227 CVE-2017-9229 CVE-2017-9228 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-06-13
    plugin id100748
    published2017-06-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100748
    titleFedora 24 : oniguruma (2017-e2d6d0067f)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-B674DC22AD.NASL
    description**PHP version 7.0.21** (06 Jul 2017) **Core:** - Fixed bug php#74738 (Multiple [PATH=] and [HOST=] sections not properly parsed). (Manuel Mausz) - Fixed bug php#74658 (Undefined constants in array properties result in broken properties). (Laruence) - Fixed misparsing of abstract unix domain socket names. (Sara) - Fixed bug php#74101, bug php#74614 (Unserialize Heap Use-After-Free (READ: 1) in zval_get_type). (Nikita) - Fixed bug php#74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize). (Nikita) - Fixed bug php#74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability). (Stas) - Fixed bug php#74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()). (Derick) **DOM:** - Fixed bug php#69373 (References to deleted XPath query results). (ttoohey) **Intl:** - Fixed bug php#73473 (Stack Buffer Overflow in msgfmt_parse_message). (libnex) - Fixed bug php#74705 (Wrong reflection on Collator::getSortKey and collator_get_sort_key). (Tyson Andre, Remi) - Fixed bug php#73634 (grapheme_strpos illegal memory access). (Stas) **Mbstring:** - Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229) (Remi, Mamoru TASAKA) **Opcache:** - Fixed bug php#74663 (Segfault with opcache.memory_protect and validate_timestamp). (Laruence) **OpenSSL:** - Fixed bug php#74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()). (Stas) **Reflection:** - Fixed bug php#74673 (Segfault when cast Reflection object to string with undefined constant). (Laruence) **SPL:** - Fixed bug php#74478 (null coalescing operator failing with SplFixedArray). (jhdxr) **Standard:** - Fixed bug php#74708 (Invalid Reflection signatures for random_bytes and random_int). (Tyson Andre, Remi) - Fixed bug php#73648 (Heap buffer overflow in substr). (Stas) **FTP:** - Fixed bug php#74598 (ftp:// wrapper ignores context arg). (Sara) **PHAR:** - Fixed bug php#74386 (Phar::__construct reflection incorrect). (villfa) **SOAP** - Fixed bug php#74679 (Incorrect conversion array with WSDL_CACHE_MEMORY). (Dmitry) **Streams:** - Fixed bug php#74556 (stream_socket_get_name() returns
    last seen2020-06-05
    modified2017-07-14
    plugin id101538
    published2017-07-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101538
    titleFedora 25 : php (2017-b674dc22ad)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-5ADE380AB2.NASL
    description**PHP version 5.6.31** (06 Jul 2017) **Core:** - Fixed bug php#73807 (Performance problem with processing post request over 2000000 chars). (Nikita) - Fixed bug php#74111 (Heap buffer overread (READ: 1) finish_nested_data from unserialize). (Nikita) - Fixed bug php#74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability). (Stas) - Fixed bug php#74819 (wddx_deserialize() heap out-of-bound read via php_parse_date()). (Derick) **mbstring:** - Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227, CVE-2017-9228, CVE-2017-9229) (Remi, Mamoru TASAKA) **OpenSSL:** - Fixed bug php#74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()). (Stas) **WDDX:** - Fixed bug php#74145 (wddx parsing empty boolean tag leads to SIGSEGV). (Stas) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-21
    plugin id101864
    published2017-07-21
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101864
    titleFedora 24 : php (2017-5ade380ab2)
  • NASL familyMisc.
    NASL idSECURITYCENTER_PHP_5_6_31.NASL
    descriptionThe Tenable SecurityCenter application installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities in the bundled version of PHP : - An out-of-bounds read error exists in the PCRE library in the compile_bracket_matchingpath() function within file pcre_jit_compile.c. An unauthenticated, remote attacker can exploit this, via a specially crafted regular expression, to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-6004) - An out-of-bounds read error exists in the GD Graphics Library (LibGD) in the gdImageCreateFromGifCtx() function within file gd_gif_in.c when handling a specially crafted GIF file. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-7890) - An out-of-bounds read error exists in Oniguruma in the match_at() function within file regexec.c. An unauthenticated, remote attacker can exploit this to disclose sensitive memory contents or crash a process linked to the library. (CVE-2017-9224) - An out-of-bounds write error exists in Oniguruma in the next_state_val() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9226) - An out-of-bounds read error exists in Oniguruma in the mbc_enc_len() function within file utf8.c. An unauthenticated, remote attacker can exploit this to disclose memory contents or crash a process linked to the library. (CVE-2017-9227) - An out-of-bounds write error exists in Oniguruma in the bitset_set_range() function during regular expression compilation. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2017-9228) - An invalid pointer deference flaw exists in Oniguruma in the left_adjust_char_head() function within file regexec.c during regular expression compilation. An unauthenticated, remote attacker can exploit this to crash a process linked to the library, resulting in a denial of service condition. (CVE-2017-9229) - A denial of service condition exists in PHP when handling overlarge POST requests. An unauthenticated, remote attacker can exploit this to exhaust available CPU resources. (CVE-2017-11142) - An extended invalid free error exists in PHP in the php_wddx_push_element() function within file ext/wddx/wddx.c when parsing empty boolean tags. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-11143) - A flaw exists in OpenSSL in the EVP_SealInit() function within file crypto/evp/p_seal.c due to returning an undocumented value of
    last seen2020-06-01
    modified2020-06-02
    plugin id103121
    published2017-09-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103121
    titleTenable SecurityCenter PHP < 5.6.31 Multiple Vulnerabilities (TNS-2017-12

Redhat

advisories
rhsa
idRHSA-2018:1296
rpms
  • rh-php70-php-0:7.0.27-1.el6
  • rh-php70-php-0:7.0.27-1.el7
  • rh-php70-php-bcmath-0:7.0.27-1.el6
  • rh-php70-php-bcmath-0:7.0.27-1.el7
  • rh-php70-php-cli-0:7.0.27-1.el6
  • rh-php70-php-cli-0:7.0.27-1.el7
  • rh-php70-php-common-0:7.0.27-1.el6
  • rh-php70-php-common-0:7.0.27-1.el7
  • rh-php70-php-dba-0:7.0.27-1.el6
  • rh-php70-php-dba-0:7.0.27-1.el7
  • rh-php70-php-dbg-0:7.0.27-1.el6
  • rh-php70-php-dbg-0:7.0.27-1.el7
  • rh-php70-php-debuginfo-0:7.0.27-1.el6
  • rh-php70-php-debuginfo-0:7.0.27-1.el7
  • rh-php70-php-devel-0:7.0.27-1.el6
  • rh-php70-php-devel-0:7.0.27-1.el7
  • rh-php70-php-embedded-0:7.0.27-1.el6
  • rh-php70-php-embedded-0:7.0.27-1.el7
  • rh-php70-php-enchant-0:7.0.27-1.el6
  • rh-php70-php-enchant-0:7.0.27-1.el7
  • rh-php70-php-fpm-0:7.0.27-1.el6
  • rh-php70-php-fpm-0:7.0.27-1.el7
  • rh-php70-php-gd-0:7.0.27-1.el6
  • rh-php70-php-gd-0:7.0.27-1.el7
  • rh-php70-php-gmp-0:7.0.27-1.el6
  • rh-php70-php-gmp-0:7.0.27-1.el7
  • rh-php70-php-imap-0:7.0.27-1.el6
  • rh-php70-php-intl-0:7.0.27-1.el6
  • rh-php70-php-intl-0:7.0.27-1.el7
  • rh-php70-php-json-0:7.0.27-1.el6
  • rh-php70-php-json-0:7.0.27-1.el7
  • rh-php70-php-ldap-0:7.0.27-1.el6
  • rh-php70-php-ldap-0:7.0.27-1.el7
  • rh-php70-php-mbstring-0:7.0.27-1.el6
  • rh-php70-php-mbstring-0:7.0.27-1.el7
  • rh-php70-php-mysqlnd-0:7.0.27-1.el6
  • rh-php70-php-mysqlnd-0:7.0.27-1.el7
  • rh-php70-php-odbc-0:7.0.27-1.el6
  • rh-php70-php-odbc-0:7.0.27-1.el7
  • rh-php70-php-opcache-0:7.0.27-1.el6
  • rh-php70-php-opcache-0:7.0.27-1.el7
  • rh-php70-php-pdo-0:7.0.27-1.el6
  • rh-php70-php-pdo-0:7.0.27-1.el7
  • rh-php70-php-pgsql-0:7.0.27-1.el6
  • rh-php70-php-pgsql-0:7.0.27-1.el7
  • rh-php70-php-process-0:7.0.27-1.el6
  • rh-php70-php-process-0:7.0.27-1.el7
  • rh-php70-php-pspell-0:7.0.27-1.el6
  • rh-php70-php-pspell-0:7.0.27-1.el7
  • rh-php70-php-recode-0:7.0.27-1.el6
  • rh-php70-php-recode-0:7.0.27-1.el7
  • rh-php70-php-snmp-0:7.0.27-1.el6
  • rh-php70-php-snmp-0:7.0.27-1.el7
  • rh-php70-php-soap-0:7.0.27-1.el6
  • rh-php70-php-soap-0:7.0.27-1.el7
  • rh-php70-php-tidy-0:7.0.27-1.el6
  • rh-php70-php-xml-0:7.0.27-1.el6
  • rh-php70-php-xml-0:7.0.27-1.el7
  • rh-php70-php-xmlrpc-0:7.0.27-1.el6
  • rh-php70-php-xmlrpc-0:7.0.27-1.el7
  • rh-php70-php-zip-0:7.0.27-1.el6
  • rh-php70-php-zip-0:7.0.27-1.el7