Date: Sat, 23 Apr 2016 23:55:25 -0400 (EDT)
From: cve-assign@...re.org
To: matthias@...lons.info
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases

>> http://www.ubuntu.com/usn/usn-2952-1/

> - Buffer over-write in finfo_open with malformed magic file
> https://bugs.php.net/bug.php?id=71527
> http://bugs.gw.com/view.php?id=522
> https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
> http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e

>> It was discovered that the PHP Fileinfo component incorrectly handled
>> certain magic files. An attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2015-8865 for this issue affecting file before 5.23 (see the
http://bugs.gw.com/view.php?id=522#c1237 comment). The security
relevance depends, in part, on "If a compiled magic file is found
alongside a file or directory, it will be used instead" in the
https://github.com/file/file/blob/master/doc/file.man man page.

> - Integer overflow in php_raw_url_encode
> https://bugs.php.net/bug.php?id=71798
> https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451

>> It was discovered that the PHP rawurlencode() function incorrectly handled
>> large strings. A remote attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service.

Use CVE-2016-4070. Note that the 71798 [2016-03-27 21:25 UTC] comment
says "Not sure if this qualifies as security issue (probably not)."

> - php_snmp_error() Format String Vulnerability
> https://bugs.php.net/bug.php?id=71704
> https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8

>> It was discovered that the PHP php_snmp_error() function incorrectly
>> handled string formatting. A remote attacker could use this issue to cause
>> PHP to crash, resulting in a denial of service, or possibly execute
>> arbitrary code.

Use CVE-2016-4071.

> - Invalid memory write in phar on filename containing \0 inside name
> https://bugs.php.net/bug.php?id=71860
> https://gist.github.com/smalyshev/80b5c2909832872f2ba2
> https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a

>> It was discovered that the PHP phar extension incorrectly handled certain
>> filenames in archives. A remote attacker could use this issue to cause PHP
>> to crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2016-4072.

> - AddressSanitizer: negative-size-param (-1) in mbfl_strcut
> https://bugs.php.net/bug.php?id=71906
> https://gist.github.com/smalyshev/d8355c96a657cc5dba70
> https://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1

>> It was discovered that the PHP mb_strcut() function incorrectly handled
>> string formatting. A remote attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2016-4073.

>> http://www.openwall.com/lists/oss-security/2016/04/21/8

> 1- libxml_disable_entity_loader setting is shared between threads
>
> https://bugs.php.net/bug.php?id=64938
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
> http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

>> It was discovered that the PHP libxml_disable_entity_loader() setting was
>> shared between threads. When running under PHP-FPM, this could result in
>> XML external entity injection and entity expansion issues.

Use CVE-2015-8866. Note that the related
http://framework.zend.com/security/advisory/ZF2015-06 issue was already
assigned CVE-2015-5161.

> 2- openssl_random_pseudo_bytes() is not cryptographically secure
>
> https://bugs.php.net/bug.php?id=70014
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203
> http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827

>> It was discovered that the PHP openssl_random_pseudo_bytes() function did
>> not return cryptographically strong pseudo-random bytes.

>>> Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes

Use CVE-2015-8867.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
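The libxml_disable_entity_loader item above concerns a flag that lived in process-wide state, so one request could not trust what another thread had left in it. The following is an added example, not code from the CVE request or from the PHP project, of parsing untrusted XML in a way that does not hinge on that flag. It assumes PHP 7.x with the DOM extension; the two XML documents are constructed samples.

```php
<?php
// Added example: parse untrusted XML so that safety does not depend on the
// process-wide libxml entity-loader flag (CVE-2015-8866: shared between threads).
// Assumes PHP 7.x with the DOM extension; inputs below are constructed samples.

function parseUntrustedXml(string $xml): DOMDocument
{
    // Defence that needs no shared state: entities can only be declared inside
    // a DOCTYPE, so refuse any document that carries one at all.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('XML with a DOCTYPE declaration is not accepted');
    }

    // Set the loader flag explicitly for this call and restore the caller's
    // value afterwards, instead of trusting whatever another thread left behind.
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network fetches during parsing; LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately absent, so no entity is ever expanded.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            $err = libxml_get_last_error();
            throw new RuntimeException('XML parse error: ' . ($err ? trim($err->message) : 'unknown'));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        libxml_disable_entity_loader($prevLoader);
    }
}

// Constructed sample inputs: one plain document, one carrying an internal DOCTYPE.
$benign = '<?xml version="1.0"?><order><id>42</id></order>';
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE order [<!ENTITY greeting "hello">]>'
    . '<order><id>&greeting;</id></order>';

echo parseUntrustedXml($benign)->getElementsByTagName('id')->item(0)->textContent, PHP_EOL;

try {
    parseUntrustedXml($withDoctype);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The DOCTYPE rejection is the part that holds even if the flag is flipped by another thread mid-request; the explicit set-and-restore around the parse is defence in depth on top of it.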