SB2015070601 - Ubuntu update for PHP

Description

This security bulletin contains information about 19 secuirty vulnerabilities.

1) Security restrictions bypass (CVE-ID: CVE-2015-3411)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences. A remote attacker can read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename.xml attack that bypasses an intended configuration in which client users may read only .xml files.

2) Information disclosure (CVE-ID: CVE-2015-3412)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences. A remote attacker can read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.

3) Information disclosure (CVE-ID: CVE-2015-4025)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a x00 character in certain situations. A remote attacker can bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink.

4) Security restrictions bypass (CVE-ID: CVE-2015-4026)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to the pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a x00 character. A remote attacker can bypass intended extension restrictions and execute files with unexpected names via a crafted first argument.

5) Security restrictions bypass (CVE-ID: CVE-2015-4598)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences. A remote attacker can read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename.html attack that bypasses an intended configuration in which client users may write to only .html files.

6) Integer underflow (CVE-ID: CVE-2015-4021)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to the phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the character. A remote attacker can trigger integer underflow and memory corruption)via a crafted entry in a tar archive and cause the service to crash.

7) Integer overflow (CVE-ID: CVE-2015-4022)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9. A remote attacker can trigger heap-based buffer overflow via a long reply to a LIST command and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

8) Integer overflow (CVE-ID: CVE-2015-4643)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 . A remote attacker can trigger heap-based buffer overflow via a long reply to a LIST command and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

9) Resource exhaustion (CVE-ID: CVE-2015-4024)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9. A remote attacker can trigger CPU consumption and cause the service to crash via crafted form data that triggers an improper order-of-growth outcome.

10) Type confusion (CVE-ID: CVE-2015-4147)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array. A remote attacker can trigger memory corruption and execute arbitrary code by providing crafted serialized data with an unexpected data type.

Successful exploitation of the vulnerability may result in system compromise.

11) Type confusion (CVE-ID: CVE-2015-4148)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string. A remote attacker can trigger memory corruption and obtain sensitive information by providing crafted serialized data with an int data type.

12) Type confusion (CVE-ID: CVE-2015-4599)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to obtain sensitive information, cause a denial of service or possibly execute arbitrary code via an unexpected data type.

13) Type confusion (CVE-ID: CVE-2015-4600)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to cause a denial of service or possibly execute arbitrary code via an unexpected data type in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods.

14) Type confusion (CVE-ID: CVE-2015-4601)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c in PHP before 5.6.7. A remote attacker can trigger memory corruption to cause a denial of service or possibly execute arbitrary code via an unexpected data type.

15) Type confusion (CVE-ID: CVE-2015-4602)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to cause a denial of service or possibly execute arbitrary code via an unexpected data type.

16) Type confusion (CVE-ID: CVE-2015-4603)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the exception::getTraceAsString function in Zend/zend_exceptions.c in in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to execute arbitrary code via an unexpected data type.

17) Improper input validation (CVE-ID: CVE-2015-4604)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an error in mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship. A remote attacker can cause the service to crash or execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.

Successful exploitation of the vulnerability may result in system compromise.

18) Improper input validation (CVE-ID: CVE-2015-4605)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to the mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value. A remote attacker can cause the service to crash or execute arbitrary code via a crafted string that is mishandled by a "Python script text executable" rule.

Successful exploitation of the vulnerability may result in system compromise.

19) NULL pointer dereference (CVE-ID: CVE-2015-4644)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to the php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names. A remote attacker can trigger NULL pointer dereference and application crash via a crafted name.

Remediation

Install update from vendor's website.

References

• http://www.ubuntu.com/usn/usn-2658-1/