Vulnerabilities > CVE-2018-10549 - Out-of-bounds Read vulnerability in PHP
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family Misc. NASL id SECURITYCENTER_5_7_1_TNS_2018_12.NASL description According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.7.1. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 117672 published 2018-09-24 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117672 title Tenable SecurityCenter < 5.7.1 Multiple Vulnerabilities (TNS-2018-12) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-136-02.NASL description New php packages are available for Slackware 14.0, 14.1, and 14.2 to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 109871 published 2018-05-17 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109871 title Slackware 14.0 / 14.1 / 14.2 : php (SSA:2018-136-02) NASL family CGI abuses NASL id PHP_5_6_36.NASL description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.36. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109576 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109576 title PHP 5.6.x < 5.6.36 Multiple Vulnerabilities NASL family CGI abuses NASL id PHP_7_0_30.NASL description According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.30. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109577 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109577 title PHP 7.0.x < 7.0.30 Multiple Vulnerabilities NASL family CGI abuses NASL id PHP_7_2_5.NASL description According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.5. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109579 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109579 title PHP 7.2.x < 7.2.5 Stack Buffer Overflow NASL family Fedora Local Security Checks NASL id FEDORA_2018-EE6707D519.NASL description **PHP version 7.2.5** (26 Apr 2018) **Core:** - Fixed bug php#75722 (Convert valgrind detection to configure option). (Michael Heimpold) **Date:** - Fixed bug php#76131 (mismatch arginfo for date_create). (carusogabriel) **Exif:** - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (Stas) **FPM:** - Fixed bug php#68440 (ERROR: failed to reload: execvp() failed: Argument list too long). (Jacob Hipps) - Fixed incorrect write to getenv result in FPM reload. (Jakub Zelenka) **GD:** - Fixed bug php#52070 (imagedashedline() - dashed line sometimes is not visible). (cmb) **intl:** - Fixed bug php#76153 (Intl compilation fails with icu4c 61.1). (Anatol) **iconv:** - Fixed bug php#76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (Stas) **ldap:** - Fixed bug php#76248 (Malicious LDAP-Server Response causes Crash). (Stas) **mbstring:** - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001) - Fixed bug php#76113 (mbstring does not build with Oniguruma 6.8.1). (chrullrich, cmb) **ODBC:** - Fixed bug php#76088 (ODBC functions are not available by default on Windows). (cmb) **Opcache:** - Fixed bug php#76094 (Access violation when using opcache). (Laruence) **Phar:** - Fixed bug php#76129 (fix for CVE-2018-5712 may not be complete). (Stas) **phpdbg:** - Fixed bug php#76143 (Memory corruption: arbitrary NUL overwrite). (Laruence) **SPL:** - Fixed bug php#76131 (mismatch arginfo for splarray constructor). (carusogabriel) **standard:** - Fixed bug php#74139 (mail.add_x_header default inconsistent with docs). (cmb) - Fixed bug php#75996 (incorrect url in header for mt_rand). (tatarbj) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120886 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120886 title Fedora 28 : php (2018-ee6707d519) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1397.NASL description Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language : CVE-2018-7584 A stack-buffer-overflow while parsing HTTP response results in copying a large string and possible memory corruption and/or denial of service CVE-2018-10545 Dumpable FPM child processes allow bypassing opcache access controls resulting in potential information disclosure where one user can obtain information about another user last seen 2020-06-01 modified 2020-06-02 plugin id 110697 published 2018-06-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110697 title Debian DLA-1397-1 : php5 security update NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1019.NASL description NULL pointer dereference due to mishandling of ldap_get_dn return value allows denial-of-service by malicious LDAP server or man-in-the-middle attacker An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value.(CVE-2018-10548) Infinite loop in ext/iconv/iconv.c when using stream filter with convert.incov on invalid sequence leads to denial-of-service An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences.(CVE-2018-10546) Reflected XSS vulnerability on PHAR 403 and 404 error pages An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712 .(CVE-2018-10547) Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final last seen 2020-06-01 modified 2020-06-02 plugin id 109701 published 2018-05-11 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109701 title Amazon Linux AMI : php56 / php70,php71 (ALAS-2018-1019) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201812-01.NASL description The remote host is affected by the vulnerability described in GLSA-201812-01 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the referenced CVE identifiers for details. Impact : An attacker could cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 119320 published 2018-12-03 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119320 title GLSA-201812-01 : PHP: Multiple vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4240.NASL description Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language : - CVE-2018-7584 Buffer underread in parsing HTTP responses - CVE-2018-10545 Dumpable FPM child processes allowed the bypass of opcache access controls - CVE-2018-10546 Denial of service via infinite loop in convert.iconv stream filter - CVE-2018-10547 The fix for CVE-2018-5712 (shipped in DSA 4080) was incomplete - CVE-2018-10548 Denial of service via malformed LDAP server responses - CVE-2018-10549 Out-of-bounds read when parsing malformed JPEG files last seen 2020-06-01 modified 2020-06-02 plugin id 110928 published 2018-07-06 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110928 title Debian DSA-4240-1 : php7.0 - security update NASL family Fedora Local Security Checks NASL id FEDORA_2018-6071A600E8.NASL description **PHP version 7.1.17** (26 Apr 2018) **Date:** - Fixed bug php#76131 (mismatch arginfo for date_create). (carusogabriel) **Exif:** - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (Stas) **FPM:** - Fixed bug php#68440 (ERROR: failed to reload: execvp() failed: Argument list too long). (Jacob Hipps) - Fixed incorrect write to getenv result in FPM reload. (Jakub Zelenka) **GD:** - Fixed bug php#52070 (imagedashedline() - dashed line sometimes is not visible). (cmb) **iconv:** - Fixed bug php#76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (Stas) **intl:** - Fixed bug php#76153 (Intl compilation fails with icu4c 61.1). (Anatol) **ldap:** - Fixed bug php#76248 (Malicious LDAP-Server Response causes Crash). (Stas) **mbstring:** - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001) - Fixed bug php#76113 (mbstring does not build with Oniguruma 6.8.1). (chrullrich, cmb) **Phar:** - Fixed bug php#76129 (fix for CVE-2018-5712 may not be complete). (Stas) **phpdbg:** - Fixed bug php#76143 (Memory corruption: arbitrary NUL overwrite). (Laruence) **SPL:** - Fixed bug php#76131 (mismatch arginfo for splarray constructor). (carusogabriel) **standard:** - Fixed bug php#75996 (incorrect url in header for mt_rand). (tatarbj) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-05-04 plugin id 109560 published 2018-05-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109560 title Fedora 26 : php (2018-6071a600e8) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3646-1.NASL description It was discovered that PHP incorrectly handled opcache access controls when configured to use PHP-FPM. A local user could possibly use this issue to obtain sensitive information from another user last seen 2020-06-01 modified 2020-06-02 plugin id 109812 published 2018-05-15 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109812 title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : php5, php7.0, php7.1, php7.2 vulnerabilities (USN-3646-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-04F6056C42.NASL description **PHP version 7.1.17** (26 Apr 2018) **Date:** - Fixed bug php#76131 (mismatch arginfo for date_create). (carusogabriel) **Exif:** - Fixed bug php#76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value). (Stas) **FPM:** - Fixed bug php#68440 (ERROR: failed to reload: execvp() failed: Argument list too long). (Jacob Hipps) - Fixed incorrect write to getenv result in FPM reload. (Jakub Zelenka) **GD:** - Fixed bug php#52070 (imagedashedline() - dashed line sometimes is not visible). (cmb) **iconv:** - Fixed bug php#76249 (stream filter convert.iconv leads to infinite loop on invalid sequence). (Stas) **intl:** - Fixed bug php#76153 (Intl compilation fails with icu4c 61.1). (Anatol) **ldap:** - Fixed bug php#76248 (Malicious LDAP-Server Response causes Crash). (Stas) **mbstring:** - Fixed bug php#75944 (Wrong cp1251 detection). (dmk001) - Fixed bug php#76113 (mbstring does not build with Oniguruma 6.8.1). (chrullrich, cmb) **Phar:** - Fixed bug php#76129 (fix for CVE-2018-5712 may not be complete). (Stas) **phpdbg:** - Fixed bug php#76143 (Memory corruption: arbitrary NUL overwrite). (Laruence) **SPL:** - Fixed bug php#76131 (mismatch arginfo for splarray constructor). (carusogabriel) **standard:** - Fixed bug php#75996 (incorrect url in header for mt_rand). (tatarbj) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-05-04 plugin id 109559 published 2018-05-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109559 title Fedora 27 : php (2018-04f6056c42) NASL family CGI abuses NASL id PHP_7_1_17.NASL description According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.17. It is, therefore, affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 109578 published 2018-05-04 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109578 title PHP 7.1.x < 7.1.17 Multiple Vulnerabilities
Redhat
advisories |
| ||||
rpms |
|
References
- http://php.net/ChangeLog-5.php
- http://php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/104019
- http://www.securitytracker.com/id/1040807
- https://access.redhat.com/errata/RHSA-2019:2519
- https://bugs.php.net/bug.php?id=76130
- https://lists.debian.org/debian-lts-announce/2018/06/msg00005.html
- https://security.gentoo.org/glsa/201812-01
- https://security.netapp.com/advisory/ntap-20180607-0003/
- https://usn.ubuntu.com/3646-1/
- https://www.debian.org/security/2018/dsa-4240
- https://www.synology.com/support/security/Synology_SA_18_20
- https://www.tenable.com/security/tns-2018-12