Vulnerabilities > CVE-2019-11047 - Out-of-bounds Read vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
LOW Summary
When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | Php
| 101 |
| OS | 2 | |
| OS | 3 | |
| OS | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0522-1.NASL description This update for php5 fixes the following issues : Security issues fixed : CVE-2019-11041: Fixed heap buffer over-read in exif_scan_thumbnail() (bsc#1146360). CVE-2019-11042: Fixed heap buffer over-read in exif_process_user_comment() (bsc#1145095). CVE-2019-11043: Fixed possible remote code execution via env_path_info underflow in fpm_main.c (bsc#1154999). CVE-2019-11045: Fixed an issue with the PHP DirectoryIterator class that accepts filenames with embedded \0 bytes (bsc#1159923). CVE-2019-11046: Fixed an out-of-bounds read in bc_shift_addsub (bsc#1159924). CVE-2019-11047: Fixed an information disclosure in exif_read_data (bsc#1159922). CVE-2019-11050: Fixed a buffer over-read in the EXIF extension (bsc#1159927). CVE-2020-7059: Fixed an out-of-bounds read in php_strip_tags_ex (bsc#1162629). CVE-2020-7060: Fixed a global buffer-overflow in mbfl_filt_conv_big5_wchar (bsc#1162632). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-03-02 plugin id 134199 published 2020-03-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134199 title SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0522-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2020:0522-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(134199); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09"); script_cve_id("CVE-2019-11041", "CVE-2019-11042", "CVE-2019-11043", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11050", "CVE-2020-7059", "CVE-2020-7060"); script_name(english:"SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0522-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php5 fixes the following issues : Security issues fixed : CVE-2019-11041: Fixed heap buffer over-read in exif_scan_thumbnail() (bsc#1146360). CVE-2019-11042: Fixed heap buffer over-read in exif_process_user_comment() (bsc#1145095). CVE-2019-11043: Fixed possible remote code execution via env_path_info underflow in fpm_main.c (bsc#1154999). CVE-2019-11045: Fixed an issue with the PHP DirectoryIterator class that accepts filenames with embedded \0 bytes (bsc#1159923). CVE-2019-11046: Fixed an out-of-bounds read in bc_shift_addsub (bsc#1159924). CVE-2019-11047: Fixed an information disclosure in exif_read_data (bsc#1159922). CVE-2019-11050: Fixed a buffer over-read in the EXIF extension (bsc#1159927). CVE-2020-7059: Fixed an out-of-bounds read in php_strip_tags_ex (bsc#1162629). CVE-2020-7060: Fixed a global buffer-overflow in mbfl_filt_conv_big5_wchar (bsc#1162632). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1145095" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146360" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1154999" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159923" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159924" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159927" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1161982" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1162629" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1162632" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11041/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11042/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11043/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11045/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11046/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11047/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11050/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-7059/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-7060/" ); # https://www.suse.com/support/update/announcement/2020/suse-su-20200522-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7e9a53cf" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-522=1 SUSE Linux Enterprise Module for Web Scripting 12:zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-522=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'PHP-FPM Underflow RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-imap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-phar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-phar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/09"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debugsource-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-imap-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-imap-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-phar-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-phar-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-debuginfo-5.5.14-109.68.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php5"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0352-1.NASL description This update for php7 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133546 published 2020-02-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133546 title SUSE SLES12 Security Update : php7 (SUSE-SU-2020:0352-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2020:0352-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(133546); script_version("1.2"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11050"); script_name(english:"SUSE SLES12 Security Update : php7 (SUSE-SU-2020:0352-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php7 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159923" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159924" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159927" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11045/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11046/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11047/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11050/" ); # https://www.suse.com/support/update/announcement/2020/suse-su-20200352-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6d38c59e" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP5 : zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-352=1 SUSE Linux Enterprise Software Development Kit 12-SP4 : zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-352=1 SUSE Linux Enterprise Module for Web Scripting 12 : zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-352=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11050"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php7-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bcmath-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bz2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-calendar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ctype-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dom-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-enchant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-exif-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fastcgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fileinfo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fpm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ftp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gettext-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-iconv-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-imap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-intl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-json-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ldap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mbstring-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mcrypt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-odbc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-opcache-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-openssl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pcntl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pdo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pgsql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-phar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-phar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-posix-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pspell-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-shmop-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-snmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-soap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sockets-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sqlite-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvmsg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvsem-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvshm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-tokenizer-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-wddx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlreader-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlrpc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlwriter-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xsl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zip-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zlib-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php7-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php7-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bcmath-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bcmath-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bz2-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bz2-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-calendar-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-calendar-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ctype-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ctype-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-curl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-curl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dba-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dba-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-debugsource-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dom-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dom-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-enchant-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-enchant-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-exif-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-exif-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fastcgi-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fastcgi-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fileinfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fileinfo-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fpm-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fpm-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ftp-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ftp-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gd-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gd-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gettext-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gettext-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gmp-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gmp-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-iconv-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-iconv-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-imap-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-imap-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-intl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-intl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-json-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-json-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ldap-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ldap-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mbstring-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mbstring-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mcrypt-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mcrypt-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mysql-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mysql-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-odbc-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-odbc-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-opcache-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-opcache-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-openssl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-openssl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pcntl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pcntl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pdo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pdo-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pgsql-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pgsql-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-phar-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-phar-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-posix-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-posix-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pspell-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pspell-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-shmop-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-shmop-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-snmp-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-snmp-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-soap-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-soap-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sockets-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sockets-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sqlite-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sqlite-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvmsg-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvmsg-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvsem-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvsem-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvshm-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvshm-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-tokenizer-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-tokenizer-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-wddx-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-wddx-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlreader-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlreader-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlrpc-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlrpc-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlwriter-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlwriter-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xsl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xsl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zip-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zip-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zlib-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zlib-debuginfo-7.0.7-50.91.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php7"); }NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1339.NASL description In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren last seen 2020-06-01 modified 2020-06-02 plugin id 133558 published 2020-02-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133558 title Amazon Linux AMI : php72 / php73 (ALAS-2020-1339) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2020-1339. # include("compat.inc"); if (description) { script_id(133558); script_version("1.2"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050"); script_xref(name:"ALAS", value:"2020-1339"); script_name(english:"Amazon Linux AMI : php72 / php73 (ALAS-2020-1339)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations. (CVE-2019-11046)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2020-1339.html" ); script_set_attribute( attribute:"solution", value: "Run 'yum update php72' to update your system. Run 'yum update php73' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo-dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo-dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"php72-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-bcmath-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-cli-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-common-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-dba-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-dbg-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-debuginfo-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-devel-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-embedded-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-enchant-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-fpm-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-gd-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-gmp-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-imap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-intl-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-json-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-ldap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-mbstring-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-mysqlnd-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-odbc-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-opcache-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pdo-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pdo-dblib-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pgsql-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-process-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pspell-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-recode-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-snmp-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-soap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-tidy-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-xml-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-xmlrpc-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-bcmath-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-cli-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-common-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-dba-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-dbg-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-debuginfo-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-devel-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-embedded-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-enchant-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-fpm-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-gd-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-gmp-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-imap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-intl-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-json-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-ldap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-mbstring-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-mysqlnd-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-odbc-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-opcache-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pdo-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pdo-dblib-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pgsql-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-process-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pspell-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-recode-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-snmp-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-soap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-tidy-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-xml-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-xmlrpc-7.3.13-1.22.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php72 / php72-bcmath / php72-cli / php72-common / php72-dba / etc"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1542.NASL description According to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - A flaw was found in HAProxy before 2.0.6. In legacy mode, messages featuring a transfer-encoding header missing the last seen 2020-05-08 modified 2020-05-01 plugin id 136245 published 2020-05-01 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136245 title EulerOS Virtualization for ARM 64 3.0.2.0 : php (EulerOS-SA-2020-1542) NASL family Fedora Local Security Checks NASL id FEDORA_2019-437D94E271.NASL description **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export last seen 2020-06-01 modified 2020-06-02 plugin id 132644 published 2020-01-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132644 title Fedora 30 : php (2019-437d94e271) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1124.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.(CVE-2016-7412) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2016-10397) - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension last seen 2020-05-06 modified 2020-02-24 plugin id 133925 published 2020-02-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133925 title EulerOS 2.0 SP5 : php (EulerOS-SA-2020-1124) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4628.NASL description Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or incorrect validation of path names. last seen 2020-03-17 modified 2020-02-20 plugin id 133815 published 2020-02-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133815 title Debian DSA-4628-1 : php7.0 - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0267-1.NASL description This update for php72 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133396 published 2020-01-31 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133396 title SUSE SLES12 Security Update : php72 (SUSE-SU-2020:0267-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4626.NASL description Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or incorrect validation of path names. last seen 2020-03-17 modified 2020-02-18 plugin id 133733 published 2020-02-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133733 title Debian DSA-4626-1 : php7.3 - security update NASL family CGI abuses NASL id PHP_7_2_26.NASL description According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047) last seen 2020-06-01 modified 2020-06-02 plugin id 132770 published 2020-01-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132770 title PHP 7.2.x < 7.2.26 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2019-A54A622670.NASL description **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export last seen 2020-06-01 modified 2020-06-02 plugin id 132655 published 2020-01-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132655 title Fedora 31 : php (2019-a54a622670) NASL family CGI abuses NASL id PHP_7_4_1.NASL description According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.13 or 7.4.x prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047 CVE-2019-11050) - A denial of service (DoS) vulnerability exists in mail() due to the double-freeing of certain memory locations. An unauthenticated, remote attacker can exploit this issue, by supplying custom headers, and to cause the application to segfault and stop responding. last seen 2020-06-01 modified 2020-06-02 plugin id 132769 published 2020-01-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132769 title PHP 7.3.x < 7.3.13 / 7.4.x < 7.4.1 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2050.NASL description Several security bugs have been identified and fixed in php5, a server-side, HTML-embedded scripting language. The affected components include the exif module and handling of filenames with \0 embedded. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 132422 published 2019-12-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132422 title Debian DLA-2050-1 : php5 security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-80.NASL description This update for php7 fixes the following issues : - CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). - CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). - CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 133133 published 2020-01-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133133 title openSUSE Security Update : php7 (openSUSE-2020-80) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4239-1.NASL description It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, 19.04 and 19.10. (CVE-2019-11045) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2019-11046) It was discovered that PHP incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information. (CVE-2019-11047, CVE-2019-11050). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 132953 published 2020-01-16 reporter Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132953 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : php5, php7.0, php7.2, php7.3 vulnerabilities (USN-4239-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0101-1.NASL description This update for php7 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 132927 published 2020-01-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132927 title SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2020:0101-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1350.NASL description According to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11050) - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren last seen 2020-04-07 modified 2020-04-02 plugin id 135137 published 2020-04-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135137 title EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-1350) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1172.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.(CVE-2019-19204) - Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.(CVE-2019-16163) - Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.(CVE-2019-19246) - PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.(CVE-2017-7272) - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.(CVE-2019-11045) - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren last seen 2020-05-03 modified 2020-02-25 plugin id 134006 published 2020-02-25 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134006 title EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1172)
References
- https://bugs.php.net/bug.php?id=78910
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://usn.ubuntu.com/4239-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://seclists.org/bugtraq/2020/Feb/27
- https://www.debian.org/security/2020/dsa-4626
- https://seclists.org/bugtraq/2020/Feb/31
- https://www.debian.org/security/2020/dsa-4628
- https://seclists.org/bugtraq/2021/Jan/3
- https://www.tenable.com/security/tns-2021-14
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/