SB2019011006 - Multiple vulnerabilities in PHP

Published: January 10, 2019 Updated: January 21, 2019

Security Bulletin ID: SB2019011006
Severity: High
Patch available: YES
Number of vulnerabilities: 20
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 10%, Low: 90%

Description

This security bulletin contains information about 20 security vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2018-19395)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists because `serialize` retrieves all properties of a class through `zend_get_properties_for` when serializing it. A remote attacker can make `com` and `com_safearray_proxy` return NULL in `com_properties_get`, so `zend_array_count` crashes and serializing or unserializing COM objects brings down the process.


2) Out-of-bounds read (CVE-ID: CVE-2019-9024)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an out-of-bounds read in the second base64 implementation in ext/xmlrpc/libxmlrpc/base64.c in the PHP code. A remote attacker can supply malformed base64 input, trigger a buffer over-read and cause the service to crash.

3) Heap out-of-bounds read (CVE-ID: CVE-2019-9020)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a heap out-of-bounds read when PHP is compiled with AddressSanitizer and USE_ZEND_ALLOC=0 is set. A remote attacker can supply specially crafted input to the function xmlrpc_decode(), trigger a heap buffer over-read and cause the service to crash.


4) Heap-based buffer overflow (CVE-ID: CVE-2019-9021)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a heap-based buffer overflow in phar_detect_phar_fname_ext. A remote attacker can supply specially crafted input, trigger memory corruption and cause the service to crash.


5) Assertion failure (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a CFG assertion failure on multiple finalizing switch frees in one block. A remote attacker can supply specially crafted input and cause the service to crash.


6) Heap-based buffer overflow (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a heap-based buffer overflow in utf32be_mbc_to_code. A remote attacker can pass an unterminated multibyte sequence to the regex match, trigger memory corruption and cause the service to crash.

7) Buffer overflow (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a buffer overflow in fetch_token when enclen is used on an incomplete multibyte character. A remote attacker can make a pointer point past the end of the buffer and cause the service to crash.

8) Heap-based buffer overflow (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in expand_case_fold_string: the len field is calculated from enclen and passed to onig_node_new_str, whose result is later handed to xmemcpy with that incorrect length. A remote attacker can trigger a heap-based buffer overflow and cause the service to crash.

9) Heap-based buffer overflow (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an incomplete multibyte character at the end of $pattern in mb_split and mb_ereg. A remote attacker can trigger a heap-based buffer overflow in the multibyte match_at function and cause the service to crash.

10) Heap-based buffer overflow (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to incomplete multibyte strings in $pattern in mb regex functions such as mb_ereg and mb_split. A remote attacker can trigger a heap-based buffer overflow in the mb regex function compile_string_node and cause the service to crash.

11) Buffer overflow (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to incomplete multibyte strings in the $pattern of mb_ regex functions such as mb_split and mb_ereg. A remote attacker can trigger a buffer overflow in the mb regex function fetch_token and cause the service to crash.

12) NULL pointer dereference (CVE-ID: CVE-2018-19935)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an error in imap_mail when the message argument is null. A remote attacker can trigger a NULL pointer dereference in imap_mail and cause the service to crash.


13) Error handling (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists because the imagecreatefromjpeg function improperly handles errors when passed a corrupt JPEG image. A remote attacker can supply a specially crafted JPEG image and cause the service to crash.


14) Out-of-bounds write (CVE-ID: CVE-2019-6977)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an out-of-bounds write in imagecolormatch. A remote attacker can write up to 1200 bytes past the boundaries of a buffer allocated in the imagecolormatch function, which then calls gdImageColorMatch(), and execute arbitrary code with elevated privileges.

15) Integer underflow (CVE-ID: CVE-2016-10166)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack and potentially compromise the vulnerable system.

The vulnerability exists due to an integer underflow when decrementing the "u" variable in the _gdContributionsAlloc() function in gd_interpolation.c. A remote attacker can create a specially crafted image file, trigger memory corruption and crash the affected application or execute arbitrary code on the target system.

16) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a segfault when SoapClient is used with null options. A remote attacker can trigger a segmentation fault and cause the service to crash.

17) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to segfaults in SodiumException. A remote attacker can trigger a segmentation fault and cause the service to crash.

18) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists because spl_autoload converts the class name to lower case and later tries to free this string. A remote attacker can trigger a segfault in spl_autoload and cause the service to crash.

19) Infinite loop (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an infinite loop in preg_replace_callback. A remote attacker can trigger the infinite loop and cause the service to crash.

20) Buffer overflow (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to a boundary error when mb regex functions such as mb_ereg and mb_split are used with a pattern containing (?i) and a string ending with an incomplete multibyte character. A remote attacker can trigger a buffer overflow in the multibyte case folding code (unicode) and cause the service to crash.
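Items 6 to 11 and 20 share one trigger: a pattern or subject that ends in an incomplete multibyte character reaching the mbstring regex functions. The only fix is the vendor update, but where patterns or subjects come from untrusted input, a defence-in-depth wrapper can refuse malformed strings before they reach mb_ereg or mb_split. The following is an added example written for this bulletin, not code from PHP or from the bulletin itself; the function names safe_mb_ereg, safe_mb_split and assert_complete_multibyte are assumed helpers, and the sample strings are constructed.

```php
<?php
// Added example (not part of the bulletin or of PHP): reject strings that are
// not complete, valid sequences in the regex encoding before they reach the
// mbstring regex functions. Helper names below are assumed, not PHP built-ins.

declare(strict_types=1);

/**
 * mb_check_encoding() returns false for a string that ends in a truncated
 * multibyte character, which is the input class the bulletin describes.
 */
function assert_complete_multibyte(string $value, string $encoding, string $what): void
{
    if (!mb_check_encoding($value, $encoding)) {
        throw new InvalidArgumentException(
            "$what is not valid $encoding (possibly a truncated multibyte sequence)"
        );
    }
}

/** Run the callable with the regex encoding set, restoring the previous one after. */
function with_regex_encoding(string $encoding, callable $fn)
{
    $previous = mb_regex_encoding();
    mb_regex_encoding($encoding);
    try {
        return $fn();
    } finally {
        mb_regex_encoding($previous);
    }
}

function safe_mb_ereg(string $pattern, string $subject, string $encoding = 'UTF-8'): bool
{
    assert_complete_multibyte($pattern, $encoding, 'pattern');
    assert_complete_multibyte($subject, $encoding, 'subject');
    return with_regex_encoding($encoding, fn() => (bool) mb_ereg($pattern, $subject));
}

function safe_mb_split(string $pattern, string $subject, string $encoding = 'UTF-8'): array
{
    assert_complete_multibyte($pattern, $encoding, 'pattern');
    assert_complete_multibyte($subject, $encoding, 'subject');
    $parts = with_regex_encoding($encoding, fn() => mb_split($pattern, $subject));
    return $parts === false ? [] : $parts;
}

// Constructed sample inputs.
$complete  = "caf\xC3\xA9";   // "café" as complete UTF-8
$truncated = "caf\xC3";       // same word with the last character cut short

var_dump(safe_mb_ereg('caf.', $complete));        // well-formed input is passed through
var_dump(safe_mb_split(',', "a,{$complete},b"));

try {
    safe_mb_ereg($truncated, $complete);          // malformed pattern is rejected up front
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The wrapper validates both the pattern and the subject because the bulletin's items differ on which side the incomplete character sits (items 9 to 11 name $pattern, items 6 and 20 the string being matched). It does not replace the vendor update: a patched PHP handles these inputs correctly on its own, and the check only narrows exposure on a build that has not yet been updated.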

Remediation

Install update from vendor's website.