Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 23 Apr 2016 23:55:25 -0400 (EDT)
From: cve-assign@...re.org
To: matthias@...lons.info
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>> http://www.ubuntu.com/usn/usn-2952-1/

> - -  Buffer over-write in finfo_open with malformed magic file
> https://bugs.php.net/bug.php?id=71527
> http://bugs.gw.com/view.php?id=522
> https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
> http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e

>> It was discovered that the PHP Fileinfo component incorrectly handled
>> certain magic files. An attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2015-8865 for this issue affecting file before 5.23 (see the
http://bugs.gw.com/view.php?id=522#c1237 comment). The security
relevance depends, in part, on "If a compiled magic file is found
alongside a file or directory, it will be used instead" in the
https://github.com/file/file/blob/master/doc/file.man man page.


> - - Integer overflow in php_raw_url_encode
> https://bugs.php.net/bug.php?id=71798
> https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451

>> It was discovered that the PHP rawurlencode() function incorrectly handled
>> large strings. A remote attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service.

Use CVE-2016-4070.

Note that the 71798 [2016-03-27 21:25 UTC] comment says "Not sure if
this qualifies as security issue (probably not)."


> - - php_snmp_error() Format String Vulnerability
> https://bugs.php.net/bug.php?id=71704
> https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8

>> It was discovered that the PHP php_snmp_error() function incorrectly
>> handled string formatting. A remote attacker could use this issue to cause
>> PHP to crash, resulting in a denial of service, or possibly execute
>> arbitrary code.

Use CVE-2016-4071.


> - - Invalid memory write in phar on filename containing \0 inside name
> https://bugs.php.net/bug.php?id=71860
> https://gist.github.com/smalyshev/80b5c2909832872f2ba2
> https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a

>> It was discovered that the PHP phar extension incorrectly handled certain
>> filenames in archives. A remote attacker could use this issue to cause PHP
>> to crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2016-4072.


> - - AddressSanitizer: negative-size-param (-1) in mbfl_strcut
> https://bugs.php.net/bug.php?id=71906
> https://gist.github.com/smalyshev/d8355c96a657cc5dba70
> https://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1

>> It was discovered that the PHP mb_strcut() function incorrectly handled
>> string formatting. A remote attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2016-4073.


>> http://www.openwall.com/lists/oss-security/2016/04/21/8

> 1- libxml_disable_entity_loader setting is shared between threads
> 
> https://bugs.php.net/bug.php?id=64938
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
> http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

>> It was discovered that the PHP libxml_disable_entity_loader() setting was
>> shared between threads. When running under PHP-FPM, this could result in
>> XML external entity injection and entity expansion issues.

Use CVE-2015-8866.

Note that the related
http://framework.zend.com/security/advisory/ZF2015-06 issue was
already assigned CVE-2015-5161.


> 2- openssl_random_pseudo_bytes() is not cryptographically secure
> 
> https://bugs.php.net/bug.php?id=70014
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203
> http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827

>> It was discovered that the PHP openssl_random_pseudo_bytes() function did
>> not return cryptographically strong pseudo-random bytes.

>>> Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes

Use CVE-2015-8867.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXHEKSAAoJEHb/MwWLVhi2HHwP/RHXiG+18j0extiWJbw2cWTx
nWe5+2WsBPJlpmuUpe/P62KGmbpIIzsrceYtm6GGam8Az4XH2R9JGK6oFBOPoVzl
t40kRgQWHB2yROHUylS8hbdspsUU4gKqZxzphqqAS7LHfOEfX2nNgbYuHYBtI1WF
g5yY0RimAkKqe7mPsamms7eKlk0+jKVkE6tgxA/I3RmeuEzwEtJ9uJwpWze3HZTa
aMGFt0bCuPdlVMEGtE+son4NDP8D2V7CFarJMEl1U6OLpxGjQATVn550YOcy50Lf
MCjOpJ2LPkLA80ZLVn+fKkkAPQG99U5axPnMWcTxCiC1I374WHqKY0vjqrpKivrq
VXsqPixF/jUxghFMYKKb/xg+GCr4oId13KrWVXpKDAwoxwYNHC/c9UgNwgPRdjeg
sNSpJP46UH1vvC8GD3wBnd6IE8rPc3Zc/zEHSCe0F4Za2w5HmaT5cxkz97mPVzF6
jEQemPGfZjQDgNQyGtHhMCqxUUJ7bTXo3vg9NkpUHl1Wpg8C+YFIb8lwtBRR/5qc
Rf0/+ho7fPYi4u1IClYMp+zBA9SJHD+XzK6gFTHjTq/XFYJEJkxDZQGQ9JmroABg
GIK+zQDyn7SSRblpZyBmkzBUjToa/zvYwh0n9GfXPEWZc/px9eDPJsu0v+d7j1Tt
vmqTwo44mo+NdkNIyBTA
=bA5Y
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ