Message-Id: <20160424035525.34E9472E09B@smtpvbsrv1.mitre.org>
Date: Sat, 23 Apr 2016 23:55:25 -0400 (EDT)
From: cve-assign@...re.org
To: matthias@...lons.info
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases

>> http://www.ubuntu.com/usn/usn-2952-1/

> - - Buffer over-write in finfo_open with malformed magic file
> https://bugs.php.net/bug.php?id=71527
> http://bugs.gw.com/view.php?id=522
> https://github.com/file/file/commit/6713ca45e7757297381f4b4cdb9cf5e624a9ad36
> http://git.php.net/?p=php-src.git;a=commit;h=fe13566c93f118a15a96320a546c7878fd0cfc5e

>> It was discovered that the PHP Fileinfo component incorrectly handled
>> certain magic files. An attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2015-8865 for this issue affecting file before 5.23 (see the
http://bugs.gw.com/view.php?id=522#c1237 comment). The security
relevance depends, in part, on "If a compiled magic file is found
alongside a file or directory, it will be used instead" in the
https://github.com/file/file/blob/master/doc/file.man man page.

> - - Integer overflow in php_raw_url_encode
> https://bugs.php.net/bug.php?id=71798
> https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451

>> It was discovered that the PHP rawurlencode() function incorrectly handled
>> large strings. A remote attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service.

Use CVE-2016-4070. Note that the 71798 [2016-03-27 21:25 UTC] comment
says "Not sure if this qualifies as security issue (probably not)."

> - - php_snmp_error() Format String Vulnerability
> https://bugs.php.net/bug.php?id=71704
> https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8

>> It was discovered that the PHP php_snmp_error() function incorrectly
>> handled string formatting. A remote attacker could use this issue to cause
>> PHP to crash, resulting in a denial of service, or possibly execute
>> arbitrary code.

Use CVE-2016-4071.

> - - Invalid memory write in phar on filename containing \0 inside name
> https://bugs.php.net/bug.php?id=71860
> https://gist.github.com/smalyshev/80b5c2909832872f2ba2
> https://git.php.net/?p=php-src.git;a=commit;h=1e9b175204e3286d64dfd6c9f09151c31b5e099a

>> It was discovered that the PHP phar extension incorrectly handled certain
>> filenames in archives. A remote attacker could use this issue to cause PHP
>> to crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2016-4072.

> - - AddressSanitizer: negative-size-param (-1) in mbfl_strcut
> https://bugs.php.net/bug.php?id=71906
> https://gist.github.com/smalyshev/d8355c96a657cc5dba70
> https://git.php.net/?p=php-src.git;a=commit;h=64f42c73efc58e88671ad76b6b6bc8e2b62713e1

>> It was discovered that the PHP mb_strcut() function incorrectly handled
>> string formatting. A remote attacker could use this issue to cause PHP to
>> crash, resulting in a denial of service, or possibly execute arbitrary
>> code.

Use CVE-2016-4073.

>> http://www.openwall.com/lists/oss-security/2016/04/21/8

> 1- libxml_disable_entity_loader setting is shared between threads
>
> https://bugs.php.net/bug.php?id=64938
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
> http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9

>> It was discovered that the PHP libxml_disable_entity_loader() setting was
>> shared between threads. When running under PHP-FPM, this could result in
>> XML external entity injection and entity expansion issues.

Use CVE-2015-8866. Note that the related
http://framework.zend.com/security/advisory/ZF2015-06 issue was
already assigned CVE-2015-5161.

> 2- openssl_random_pseudo_bytes() is not cryptographically secure
>
> https://bugs.php.net/bug.php?id=70014
> https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203
> http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827

>> It was discovered that the PHP openssl_random_pseudo_bytes() function did
>> not return cryptographically strong pseudo-random bytes.

>>> Fix bug #70014 - use RAND_bytes instead of deprecated RAND_pseudo_bytes

Use CVE-2015-8867.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]