SB2019042317 - OpenSUSE Linux update for php5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019042317

SB2019042317 - OpenSUSE Linux update for php5

Published: April 23, 2019 Updated: April 23, 2019

Security Bulletin ID SB2019042317
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 17% Medium 67% Low 17%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper access control (CVE-ID: CVE-2018-20783)

The vulnerability allows an adjacent attacker to bypass authentication on the target system.

The vulnerability exists due to improper access control. An adjacent attacker can force-pair the device without human interaction.


2) Out-of-bounds read (CVE-ID: CVE-2019-9020)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the xml_elem_parse_buf() in ext/xmlrpc/libxmlrpc/xml_element.c when reading XML data via the xmlrpc_decode() PHP function. A remote attacker can create a specially crafted XML file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.


3) Out-of-bounds read (CVE-ID: CVE-2019-9021)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the phar_detect_phar_fname_ext() function in ext/phar/phar.c (PHAR extension) when reading PHAR archives. A remote attacker can create a specially crafted PHAR archive, pass it to the affected application, trigger out-of-bounds read error and read contents of memory on the system.


4) Out-of-bounds read (CVE-ID: CVE-2019-9023)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a multiple boundary condition within the ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c files when parsing multibyte data in regular expressions. A remote attacker can pass specially crafted input to the application, trigger out-of-bounds read error and read contents of memory on the system.


5) Out-of-bounds read (CVE-ID: CVE-2019-9024)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the base64_decode_xmlrpc() function in ext/xmlrpc/libxmlrpc/base64.c when parsing untrusted input via the xmlrpc_decode() PHP function. A remote attacker can setup a malicious XMLRPC server, trick the application into connecting to it, trigger out-of-bounds read error and read contents of memory on the system.


6) Buffer overflow (CVE-ID: CVE-2019-9641)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF.


Remediation

Install update from vendor's website.

References