SB2016072202 - Multiple vulnerabilities in PHP
Published: July 22, 2016
Description
This security bulletin contains information about 20 security vulnerabilities.
1) A read/write access error in gdImageTrueColorToPaletteBody() (CVE-ID: CVE-2016-5114)
The vulnerability allows a remote attacker to disclose potentially sensitive information.
The vulnerability exists because the gdImageTrueColorToPaletteBody() function doesn't check for negative transparent colors while converting the image. A remote unauthenticated attacker can cause a read/write access error in gdImageTrueColorToPaletteBody().
Successful exploitation of this vulnerability may lead to arbitrary NULL-byte write and disclosure of potentially sensitive data.
2) An out-of-bounds access error in imagegif/output (CVE-ID: CVE-2016-5095)
The vulnerability allows a remote attacker to cause information disclosure.
The vulnerability exists due to an error in the imagegif/output function in the gd_gif_out.c file that causes an out-of-bounds read of the masks array when ctx->cur_bits becomes a negative number. A remote unauthenticated attacker can cause an out-of-bounds access error in imagegif/output.
Successful exploitation of this vulnerability may result in information disclosure.
3) A use-after-free error in MBString (CVE-ID: CVE-2016-3132)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free memory error in MBString. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
4) An out-of-bounds read error in mb_ereg_replace - mbc_to_code (CVE-ID: CVE-2015-8935)
The vulnerability allows a remote attacker to disclose potentially sensitive information.
The vulnerability exists because the mbc_to_code function performs an out-of-bounds access if the pattern is shorter than 6 characters. A remote unauthenticated attacker can cause an out-of-bounds read error in mb_ereg_replace - mbc_to_code.
Successful exploitation of this vulnerability may result in memory corruption and disclosure of memory contents.
5) Heap overflow in simplestring_addn() (CVE-ID: CVE-2016-6296)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a heap-based buffer overflow in the simplestring_addn() function ('simplestring.c') within the XMLRPC component. A remote unauthenticated attacker can cause a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Integer overflow in php_stream_zip_opener() (CVE-ID: CVE-2016-6297)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in the php_stream_zip_opener() function, which fails to check the path_len argument. A remote unauthenticated attacker can cause an integer overflow in php_stream_zip_opener() and corrupt memory.
Successful exploitation of this vulnerability may lead to remote code execution.
7) Heap-based buffer overflow in proc_open() (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists in the "_php_array_to_envp()" function within the "ext\standard\proc_open.c" file. A remote unauthenticated attacker can cause a heap-based buffer overflow in proc_open() while processing the '$env' parameter in the PCRE component.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
8) A cast error in mdecrypt_generic() (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a cast error within the mdecrypt_generic() function. A remote unauthenticated attacker can cause a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Buffer overflow in ps_files_cleanup_dir() (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a buffer overflow in the ps_files_cleanup_dir() function. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) An out-of-bounds read in locale_accept_from_http() (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose potentially sensitive information.
The vulnerability exists due to an out-of-bounds read in the locale_accept_from_http() function. A remote unauthenticated attacker can read system memory outside the allocated buffer.
Successful exploitation of this vulnerability may result in sensitive information disclosure.
11) Integer overflow in _gdContributionsAlloc() (CVE-ID: CVE-2016-6207)
The vulnerability allows a remote attacker to cause an integer overflow.
The vulnerability exists due to an integer overflow in the "_gdContributionsAlloc()" function. This vulnerability can be exploited to cause an out-of-bounds memory write access.
Successful exploitation of this vulnerability may result in denial of service.
12) NULL pointer dereference in exif_process_user_comment() (CVE-ID: CVE-2016-6292)
The vulnerability allows a remote attacker to cause denial of service conditions.
The vulnerability exists due to a NULL pointer dereference error in the "exif_process_user_comment()" function. A remote unauthenticated attacker can cause a denial of service when trying to encode a JIS string.
Successful exploitation of this vulnerability may result in a crash of a worker process.
13) An out-of-bounds read in exif_process_IFD_in_MAKERNOTE() (CVE-ID: N/A)
The vulnerability allows a remote attacker to disclose potentially sensitive information.
The vulnerability exists due to an out-of-bounds read error in the exif_process_IFD_in_MAKERNOTE() function. A remote unauthenticated attacker can gain access to potentially sensitive data.
Successful exploitation of this vulnerability may lead to information leak or memory corruption.
14) A heap-based overflow in curl (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a heap-based buffer overflow in the curl library. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
15) Out-of-bounds write in bzread() (CVE-ID: CVE-2016-5399)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to incorrect error handling in the bzread() function. A remote unauthenticated attacker can cause a buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
16) Type confusion error in php_bz2_filter_create() (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in the php_bz2_filter_create() function. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Use-after-free error in unserialize() (CVE-ID: CVE-2016-6290)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error in the unserialize() function. A remote unauthenticated attacker can cause memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
18) Integer overflow in virtual_file_ex() (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in the path_length variable in the virtual_file_ex() function. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
19) Integer overflow in ZVAL processing (CVE-ID: N/A)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing a string-typed ZVAL. A remote unauthenticated attacker can cause an integer overflow during ZVAL processing.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
20) Buffer overflow in php_url_parse_ex() (CVE-ID: N/A)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a buffer overflow error in the php_url_parse_ex() function. A remote attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install the update from the vendor's website.
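A version triage helper for this remediation step, added here as an example and not part of the original bulletin. The fixed release numbers (5.5.38, 5.6.24, 7.0.9) are taken from the ChangeLog links under References; the host names and version strings in the sample inventory are constructed. Distribution packages often backport fixes without changing the upstream version number, so suffixed builds are flagged for review rather than reported as vulnerable.

```python
import re

# Fixed upstream releases, read from the ChangeLog anchors under References.
FIXED = {(5, 5): (5, 5, 38), (5, 6): (5, 6, 24), (7, 0): (7, 0, 9)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([-+~.\w]*)")
PRERELEASE_RE = re.compile(r"-?(rc|alpha|beta|dev)", re.IGNORECASE)


def classify(version_string):
    """Classify a bare version or the first line of `php -v` output."""
    m = VERSION_RE.search(version_string)
    if not m:
        return ("unknown", "no x.y.z version found")
    ver = tuple(int(part) for part in m.group(1, 2, 3))
    suffix = m.group(4)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        if ver[:2] < (5, 5):
            return ("no-fix-listed", "branch predates the releases in the bulletin")
        return ("not-listed", "branch is not one the bulletin references")
    if ver > fixed or (ver == fixed and not PRERELEASE_RE.match(suffix)):
        return ("patched", "at or above %d.%d.%d" % fixed)
    if suffix:
        # Distro packages backport fixes without bumping the upstream number,
        # and pre-release builds may lack late fixes: do not guess either way.
        return ("review", "suffixed build, confirm with the package vendor")
    return ("vulnerable", "upgrade to %d.%d.%d or later" % fixed)


def triage(inventory):
    """Map host -> status for a {host: version_string} inventory."""
    return {host: classify(v)[0] for host, v in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "web-01": "PHP 5.6.23 (cli) (built: Jun 22 2016 12:13:15)",
    "web-02": "PHP 7.0.8-0ubuntu0.16.04.3 (cli) ( NTS )",
    "web-03": "5.5.38",
    "web-04": "7.0.9RC1",
    "legacy": "5.4.45",
}

if __name__ == "__main__":
    for host, version in SAMPLE.items():
        print(host, *classify(version))
```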
References
- https://bugs.php.net/bug.php?id=72512
- http://php.net/ChangeLog-5.php#5.5.38
- http://php.net/ChangeLog-5.php#5.6.24
- http://php.net/ChangeLog-7.php#7.0.9
- https://bugs.php.net/bug.php?id=72519
- https://bugs.php.net/bug.php?id=72399
- https://bugs.php.net/bug.php?id=72405
- https://bugs.php.net/bug.php?id=72606
- https://support.apple.com/en-us/HT207170
- https://bugs.php.net/bug.php?id=72520
- https://bugs.php.net/bug.php?id=72306
- https://bugs.php.net/bug.php?id=72551
- https://bugs.php.net/bug.php?id=72531
- https://bugs.php.net/bug.php?id=72533
- https://bugs.php.net/bug.php?id=72558
- http://bugs.php.net/72618
- https://bugs.php.net/bug.php?id=72603
- https://bugs.php.net/bug.php?id=72541
- https://bugs.php.net/bug.php?id=72613
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- https://bugs.php.net/bug.php?id=72447
- https://bugs.php.net/bug.php?id=72562
- https://bugs.php.net/bug.php?id=72513
- http://www.php.net/ChangeLog-7.php#7.0.9
- https://bugs.php.net/bug.php?id=72403
- http://www.php.net/ChangeLog-5.php#5.6.24
- https://bugs.php.net/bug.php?id=70480