ID CVE-2016-5767
Summary Integer overflow in the gdImageCreate function in gd.c in the GD Graphics Library (aka libgd) before 2.0.34RC1, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted image dimensions.
References
Vulnerable Configurations
  • libgd 2.0.33
    cpe:2.3:a:libgd:libgd:2.0.33
  • PHP 5.5.36
    cpe:2.3:a:php:php:5.5.36
  • PHP 5.6.0 alpha1
    cpe:2.3:a:php:php:5.6.0:alpha1
  • PHP 5.6.0 alpha2
    cpe:2.3:a:php:php:5.6.0:alpha2
  • PHP 5.6.0 alpha3
    cpe:2.3:a:php:php:5.6.0:alpha3
  • PHP 5.6.0 alpha4
    cpe:2.3:a:php:php:5.6.0:alpha4
  • PHP 5.6.0 alpha5
    cpe:2.3:a:php:php:5.6.0:alpha5
  • PHP 5.6.0 beta1
    cpe:2.3:a:php:php:5.6.0:beta1
  • PHP 5.6.0 beta2
    cpe:2.3:a:php:php:5.6.0:beta2
  • PHP 5.6.0 beta3
    cpe:2.3:a:php:php:5.6.0:beta3
  • PHP 5.6.0 beta4
    cpe:2.3:a:php:php:5.6.0:beta4
  • PHP PHP 5.6.1
    cpe:2.3:a:php:php:5.6.1
  • PHP 5.6.2
    cpe:2.3:a:php:php:5.6.2
  • PHP 5.6.3
    cpe:2.3:a:php:php:5.6.3
  • PHP 5.6.4
    cpe:2.3:a:php:php:5.6.4
  • PHP 5.6.5
    cpe:2.3:a:php:php:5.6.5
  • PHP 5.6.6
    cpe:2.3:a:php:php:5.6.6
  • PHP 5.6.7
    cpe:2.3:a:php:php:5.6.7
  • PHP PHP 5.6.8
    cpe:2.3:a:php:php:5.6.8
  • PHP PHP 5.6.9
    cpe:2.3:a:php:php:5.6.9
  • PHP PHP 5.6.10
    cpe:2.3:a:php:php:5.6.10
  • PHP PHP 5.6.11
    cpe:2.3:a:php:php:5.6.11
  • PHP PHP 5.6.12
    cpe:2.3:a:php:php:5.6.12
  • PHP PHP 5.6.13
    cpe:2.3:a:php:php:5.6.13
  • PHP 5.6.14
    cpe:2.3:a:php:php:5.6.14
  • PHP 5.6.15
    cpe:2.3:a:php:php:5.6.15
  • PHP 5.6.16
    cpe:2.3:a:php:php:5.6.16
  • PHP 5.6.17
    cpe:2.3:a:php:php:5.6.17
  • PHP 5.6.18
    cpe:2.3:a:php:php:5.6.18
  • PHP 5.6.19
    cpe:2.3:a:php:php:5.6.19
  • PHP 5.6.20
    cpe:2.3:a:php:php:5.6.20
  • PHP 5.6.21
    cpe:2.3:a:php:php:5.6.21
  • PHP 5.6.22
    cpe:2.3:a:php:php:5.6.22
  • PHP 7.0.0
    cpe:2.3:a:php:php:7.0.0
  • PHP 7.0.1
    cpe:2.3:a:php:php:7.0.1
  • PHP 7.0.2
    cpe:2.3:a:php:php:7.0.2
  • PHP 7.0.3
    cpe:2.3:a:php:php:7.0.3
  • PHP 7.0.4
    cpe:2.3:a:php:php:7.0.4
  • PHP 7.0.5
    cpe:2.3:a:php:php:7.0.5
  • PHP 7.0.6
    cpe:2.3:a:php:php:7.0.6
  • PHP 7.0.7
    cpe:2.3:a:php:php:7.0.7
CVSS
Base: 6.8 (as of 27-01-2017 - 10:33)
Impact:
Exploitability:
CWE CWE-190
CAPEC
  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-844.NASL
    description Shotwell was updated to fix the following issues : - boo#958382: Shotwell did not perform TLS certificate verification when publishing photos to external services
    last seen 2018-09-01
    modified 2016-10-13
    plugin id 90108
    published 2016-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90108
    title openSUSE Security Update : shotwell (openSUSE-2016-844)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-34A6B65583.NASL
    description 23 Jun 2016, **PHP 5.6.23** **Core:** - Fixed bug php#72275 (Integer Overflow in json_encode()/json_decode()/json_utf8_to_utf16()). (Stas) - Fixed bug php#72400 (Integer Overflow in addcslashes/addslashes). (Stas) - Fixed bug php#72403 (Integer Overflow in Length of String-typed ZVAL). (Stas) **GD:** - Fixed bug php#72298 (pass2_no_dither out-of-bounds access). (Stas) - Fixed bug php#72337 (invalid dimensions can lead to crash) (Pierre) - Fixed bug php#72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (Pierre) - Fixed bug php#72407 (NULL pointer Dereference at _gdScaleVert). (Stas) - Fixed bug php#72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (Pierre) **Intl:** - Fixed bug php#70484 (selectordinal doesn't work with named parameters). (Anatol) **mbstring:** - Fixed bug php#72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas) **mcrypt:** - Fixed bug php#72455 (Heap Overflow due to integer overflows). (Stas) **Phar:** - Fixed bug php#72321 (invalid free in phar_extract_file()). (hji at dyntopia dot com) **SPL:** - Fixed bug php#72262 (int/size_t confusion in SplFileObject::fread). (Stas) - Fixed bug php#72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry) **OpenSSL:** - Fixed bug php#72140 (segfault after calling ERR_free_strings()). (Jakub Zelenka) **WDDX:** - Fixed bug php#72340 (Double Free Courruption in wddx_deserialize). (Stas) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-10-18
    plugin id 92239
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92239
    title Fedora 23 : php (2016-34a6b65583)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-A4D48D6FD6.NASL
    description **Version 2.2.2** Security related fixes : - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (CVE-2016-5767) - Stack overflow with gdImageFillToBorder (CVE-2015-8874) - Integer Overflow in _gd2GetHeader() resulting in heap overflow (CVE-2016-5766) - NULL pointer Dereference at _gdScaleVert - Integer Overflow in gdImagePaletteToTrueColor() in heap overflow Numerous other fixes have been applied. The scale and rotation functions have been greatly improved as well. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-10-18
    plugin id 92275
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92275
    title Fedora 24 : gd (2016-a4d48d6fd6)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-EC372BDDB9.NASL
    description 23 Jun 2016, **PHP 5.6.23** **Core:** - Fixed bug php#72275 (Integer Overflow in json_encode()/json_decode()/json_utf8_to_utf16()). (Stas) - Fixed bug php#72400 (Integer Overflow in addcslashes/addslashes). (Stas) - Fixed bug php#72403 (Integer Overflow in Length of String-typed ZVAL). (Stas) **GD:** - Fixed bug php#72298 (pass2_no_dither out-of-bounds access). (Stas) - Fixed bug php#72337 (invalid dimensions can lead to crash) (Pierre) - Fixed bug php#72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (Pierre) - Fixed bug php#72407 (NULL pointer Dereference at _gdScaleVert). (Stas) - Fixed bug php#72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (Pierre) **Intl:** - Fixed bug php#70484 (selectordinal doesn't work with named parameters). (Anatol) **mbstring:** - Fixed bug php#72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas) **mcrypt:** - Fixed bug php#72455 (Heap Overflow due to integer overflows). (Stas) **Phar:** - Fixed bug php#72321 (invalid free in phar_extract_file()). (hji at dyntopia dot com) **SPL:** - Fixed bug php#72262 (int/size_t confusion in SplFileObject::fread). (Stas) - Fixed bug php#72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry) **OpenSSL:** - Fixed bug php#72140 (segfault after calling ERR_free_strings()). (Jakub Zelenka) **WDDX:** - Fixed bug php#72340 (Double Free Courruption in wddx_deserialize). (Stas) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-10-18
    plugin id 92300
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92300
    title Fedora 24 : php (2016-ec372bddb9)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-921.NASL
    description This update for php5 fixes the following issues : - It is possible to launch a web server with 'php -S localhost:8080' It used to be possible to set an arbitrary $HTTP_PROXY environment variable for request handlers -- like CGI scripts -- by including a specially crafted HTTP header in the request (CVE-2016-5385). As a result, these server components would potentially direct all their outgoing HTTP traffic through a malicious proxy server. This patch fixes the issue: the updated php server ignores such HTTP headers and never sets $HTTP_PROXY for sub-processes. (bnc#988486) - There was multiple cases where a remote attacker could trigger a double free and, given specific PHP code using callbacks, trigger code execution vectors. (bnc#986246,bnc#986244,CVE-2016-5768,CVE-2016-5772) - It was possible to inject header or content information (XSS) when a user was using internet explorer as the browser. (bnc#986004, CVE-2015-8935) - In several cases it was possible for a integer overflow to trigger an excessive memory allocation (bnc#986392, bnc#986388, bnc#986386, bnc#986393, CVE-2016-5770, CVE-2016-5769, CVE-2016-5766, CVE-2016-5767) - It was possible for an attacker to abuse the garbage collector to free a target array. At this point an attacker could craft a fake zval object and exploit the PHP process by taking over the EIP/RIP. (bnc#986391, CVE-2016-5771) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2018-09-02
    modified 2016-10-24
    plugin id 92714
    published 2016-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92714
    title openSUSE Security Update : php5 (openSUSE-2016-921) (httpoxy)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2598.NASL
    description From Red Hat Security Advisory 2016:2598 : An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * A flaw was found in the way certain error conditions were handled by bzread() function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vulnerable function, could cause the application to crash or execute arbitrary code with the permissions of the user running the PHP application. (CVE-2016-5399) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted GD2 image. (CVE-2016-5766) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted image buffer. (CVE-2016-5767) * A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) Red Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-5399. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-09-02
    modified 2018-07-25
    plugin id 94717
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94717
    title Oracle Linux 7 : php (ELSA-2016-2598)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-99FBDC5C34.NASL
    description 23 Jun 2016, **PHP 5.6.23** **Core:** - Fixed bug php#72275 (Integer Overflow in json_encode()/json_decode()/json_utf8_to_utf16()). (Stas) - Fixed bug php#72400 (Integer Overflow in addcslashes/addslashes). (Stas) - Fixed bug php#72403 (Integer Overflow in Length of String-typed ZVAL). (Stas) **GD:** - Fixed bug php#72298 (pass2_no_dither out-of-bounds access). (Stas) - Fixed bug php#72337 (invalid dimensions can lead to crash) (Pierre) - Fixed bug php#72339 (Integer Overflow in _gd2GetHeader() resulting in heap overflow). (Pierre) - Fixed bug php#72407 (NULL pointer Dereference at _gdScaleVert). (Stas) - Fixed bug php#72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow). (Pierre) **Intl:** - Fixed bug php#70484 (selectordinal doesn't work with named parameters). (Anatol) **mbstring:** - Fixed bug php#72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas) **mcrypt:** - Fixed bug php#72455 (Heap Overflow due to integer overflows). (Stas) **Phar:** - Fixed bug php#72321 (invalid free in phar_extract_file()). (hji at dyntopia dot com) **SPL:** - Fixed bug php#72262 (int/size_t confusion in SplFileObject::fread). (Stas) - Fixed bug php#72433 (Use After Free Vulnerability in PHP's GC algorithm and unserialize). (Dmitry) **OpenSSL:** - Fixed bug php#72140 (segfault after calling ERR_free_strings()). (Jakub Zelenka) **WDDX:** - Fixed bug php#72340 (Double Free Courruption in wddx_deserialize). (Stas) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-10-18
    plugin id 92272
    published 2016-07-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92272
    title Fedora 22 : php (2016-99fbdc5c34)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_PHP_ON_SL7_X.NASL
    description Security Fix(es) : - A flaw was found in the way certain error conditions were handled by bzread() function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vulnerable function, could cause the application to crash or execute arbitrary code with the permissions of the user running the PHP application. (CVE-2016-5399) - An integer overflow flaw, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted GD2 image. (CVE-2016-5766) - An integer overflow flaw, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted image buffer. (CVE-2016-5767) - A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) Additional Changes :
    last seen 2018-09-01
    modified 2016-12-15
    plugin id 95854
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95854
    title Scientific Linux Security Update : php on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2598.NASL
    description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * A flaw was found in the way certain error conditions were handled by bzread () function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vulnerable function, could cause the application to crash or execute arbitrary code with the permissions of the user running the PHP application. (CVE-2016-5399) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted GD2 image. (CVE-2016-5766) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted image buffer. (CVE-2016-5767) * A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) Red Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-5399. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 94561
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94561
    title RHEL 7 : php (RHSA-2016:2598)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-176-01.NASL
    description New php packages are available for Slackware 14.0, 14.1, and -current to fix security issues.
    last seen 2018-09-02
    modified 2016-10-19
    plugin id 91830
    published 2016-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91830
    title Slackware 14.0 / 14.1 / current : php (SSA:2016-176-01)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL03534020.NASL
    description Integer overflow in the gdImageCreate function in gd.c in the GD Graphics Library (aka libgd) before 2.0.34RC1, as used in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8, allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted image dimensions. (CVE-2016-5767)
    last seen 2018-09-09
    modified 2018-09-07
    plugin id 100134
    published 2017-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100134
    title F5 Networks BIG-IP : PHP vulnerability (K03534020)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_66D77C583B1D11E68E82002590263BF5.NASL
    description The PHP Group reports : Please reference CVE/URL list for details
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 91839
    published 2016-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91839
    title FreeBSD : php -- multiple vulnerabilities (66d77c58-3b1d-11e6-8e82-002590263bf5)
  • NASL family CGI abuses
    NASL id PHP_5_5_37.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.5.x prior to 5.5.37. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the GD graphics library in the gdImageFillToBorder() function within file gd.c when handling crafted images that have an overly large negative coordinate. An unauthenticated, remote attacker can exploit this, via a crafted image, to crash processes linked against the library. (CVE-2015-8874) - An integer overflow condition exists in the _gd2GetHeader() function in file ext/gd/libgd/gd_gd2.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5766) - An integer overflow condition exists in the gdImagePaletteToTrueColor() function within file ext/gd/libgd/gd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5767) - A double-free error exists in the _php_mb_regex_ereg_replace_exec() function within file ext/mbstring/php_mbregex.c when handling a failed callback execution. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5768) - An integer overflow condition exists within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input when handling data values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5769) - An integer overflow condition exists within file ext/spl/spl_directory.c, triggered by an int/size_t type confusion error, that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2016-5770) - A use-after-free error exists in the garbage collection algorithm within file ext/spl/spl_array.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5771) - A double-free error exists in the php_wddx_process_data() function within file ext/wddx/wddx.c when handling specially crafted XML content. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5772) - A use-after-free error exists in the garbage collection algorithm within file ext/zip/php_zip.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5773) - An integer overflow condition exists in the json_decode() and json_utf8_to_utf16() functions within file ext/standard/php_smart_str.h due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 140378) - An out-of-bounds read error exists in the pass2_no_dither() function within file ext/gd/libgd/gd_topal.c that allows an unauthenticated, remote attacker to cause a denial of service condition or disclose memory contents. (VulnDB 140379) - An integer overflow condition exists within file ext/standard/string.c when handling string lengths due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (VulnDB 140380) - A NULL pointer dereference flaw exists in the _gdScaleVert() function within file ext/gd/libgd/gd_interpolation.c that is triggered when handling _gdContributionsCalc return values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (VulnDB 140382) - An integer overflow condition exists in the nl2br() function within file ext/standard/string.c when handling new_length values due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (VulnDB 140385) - An integer overflow condition exists in multiple functions within file ext/standard/string.c when handling string values due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (VulnDB 140386) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-12-10
    modified 2018-12-07
    plugin id 91897
    published 2016-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91897
    title PHP 5.5.x < 5.5.37 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2080-1.NASL
    description php5 was updated to fix the following security issues : - CVE-2016-6297: Stack-based buffer overflow vulnerability in php_stream_zip_opener (bsc#991426). - CVE-2016-6291: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE (bsc#991427). - CVE-2016-6289: Integer overflow leads to buffer overflow in virtual_file_ex (bsc#991428). - CVE-2016-6290: Use after free in unserialize() with Unexpected Session Deserialization (bsc#991429). - CVE-2016-5399: Improper error handling in bzread() (bsc#991430). - CVE-2016-6288: Buffer over-read in php_url_parse_ex (bsc#991433). - CVE-2016-6296: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c (bsc#991437). - CVE-2016-5769: Mcrypt: Heap Overflow due to integer overflows (bsc#986388). - CVE-2015-8935: XSS in header() with Internet Explorer (bsc#986004). - CVE-2016-5772: Double free corruption in wddx_deserialize (bsc#986244). - CVE-2016-5766: Integer Overflow in _gd2GetHeader() resulting in heap overflow (bsc#986386). - CVE-2016-5767: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (bsc#986393). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 93293
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93293
    title SUSE SLES11 Security Update : php5 (SUSE-SU-2016:2080-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1063.NASL
    description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in the way certain error conditions were handled by bzread() function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vulnerable function, could cause the application to crash or execute arbitrary code with the permissions of the user running the PHP application.(CVE-2016-5399) - An integer overflow flaw, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted GD2 image.(CVE-2016-5766) - An integer overflow flaw, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted image buffer.(CVE-2016-5767) - A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash.(CVE-2016-5768) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-15
    modified 2018-11-14
    plugin id 99825
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99825
    title EulerOS 2.0 SP1 : php (EulerOS-SA-2016-1063)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-728.NASL
    description A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874) An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted GD2 image. (CVE-2016-5766) An integer overflow, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted image buffer. (CVE-2016-5767) A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) The mcrypt_generic() and mdecrypt_generic() functions are prone to integer overflows, resulting in a heap-based overflow. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5769) A type confusion issue was found in the SPLFileObject fread() function. A remote attacker able to submit a specially crafted input to a PHP application, which uses this function, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5770) A use-after-free vulnerability that can occur when calling unserialize() on untrusted input was discovered. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application if the application unserializes untrusted input. (CVE-2016-5771 , CVE-2016-5773) A double free can occur in wddx_deserialize() when trying to deserialize malicious XML input from user's request. This flaw could possibly cause a PHP application to crash. (CVE-2016-5772) It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385) (Updated on 2016-08-17: CVE-2016-5385 was fixed in this release but was not previously part of this errata)
    last seen 2018-09-02
    modified 2018-04-18
    plugin id 92663
    published 2016-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92663
    title Amazon Linux AMI : php55 / php56 (ALAS-2016-728) (httpoxy)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2013-1.NASL
    description php53 was updated to fix five security issues. These security issues were fixed : - CVE-2016-5769: mcrypt: Heap Overflow due to integer overflows (bsc#986388). - CVE-2015-8935: XSS in header() with Internet Explorer (bsc#986004). - CVE-2016-5772: Double Free Courruption in wddx_deserialize (bsc#986244). - CVE-2016-5766: Integer Overflow in _gd2GetHeader() resulting in heap overflow (bsc#986386). - CVE-2016-5767: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow (bsc#986393). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 93282
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93282
    title SUSE SLES11 Security Update : php53 (SUSE-SU-2016:2013-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2598.NASL
    description An update for php is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Security Fix(es) : * A flaw was found in the way certain error conditions were handled by bzread () function in PHP. An attacker could use this flaw to upload a specially crafted bz2 archive which, when parsed via the vulnerable function, could cause the application to crash or execute arbitrary code with the permissions of the user running the PHP application. (CVE-2016-5399) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted GD2 image. (CVE-2016-5766) * An integer overflow flaw, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application using gd via a specially crafted image buffer. (CVE-2016-5767) * A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768) Red Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-5399. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 95344
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95344
    title CentOS 7 : php (CESA-2016:2598)
  • NASL family CGI abuses
    NASL id PHP_5_6_23.NASL
    description According to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.23. It is, therefore, affected by multiple vulnerabilities : - An invalid free flaw exists in the phar_extract_file() function within file ext/phar/phar_object.c that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2016-4473) - An integer overflow condition exists in the _gd2GetHeader() function in file ext/gd/libgd/gd_gd2.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5766) - An integer overflow condition exists in the gdImagePaletteToTrueColor() function within file ext/gd/libgd/gd.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5767) - A double-free error exists in the _php_mb_regex_ereg_replace_exec() function within file ext/mbstring/php_mbregex.c when handling a failed callback execution. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5768) - An integer overflow condition exists within file ext/mcrypt/mcrypt.c due to improper validation of user-supplied input when handling data values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-5769) - An integer overflow condition exists within file ext/spl/spl_directory.c, triggered by an int/size_t type confusion error, that allows an unauthenticated, remote attacker to have an unspecified impact. (CVE-2016-5770) - A use-after-free error exists in the garbage collection algorithm within file ext/spl/spl_array.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5771) - A double-free error exists in the php_wddx_process_data() function within file ext/wddx/wddx.c when handling specially crafted XML content. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5772) - A use-after-free error exists in the garbage collection algorithm within file ext/zip/php_zip.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-5773) - An integer overflow condition exists in the json_decode() and json_utf8_to_utf16() functions within file ext/standard/php_smart_str.h due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (VulnDB 140378) - An out-of-bounds read error exists in the pass2_no_dither() function within file ext/gd/libgd/gd_topal.c that allows an unauthenticated, remote attacker to cause a denial of service condition or disclose memory contents. (VulnDB 140379) - An integer overflow condition exists within file ext/standard/string.c when handling string lengths due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (VulnDB 140380) - A NULL pointer dereference flaw exists in the _gdScaleVert() function within file ext/gd/libgd/gd_interpolation.c that is triggered when handling _gdContributionsCalc return values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (VulnDB 140382) - An integer overflow condition exists in multiple functions within file ext/standard/string.c when handling string values due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (VulnDB 140386) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2018-12-10
    modified 2018-12-07
    plugin id 91898
    published 2016-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91898
    title PHP 5.6.x < 5.6.23 Multiple Vulnerabilities
redhat via4
advisories
  • rhsa
    id RHSA-2016:2598
  • rhsa
    id RHSA-2016:2750
rpms
  • php-0:5.4.16-42.el7
  • php-bcmath-0:5.4.16-42.el7
  • php-cli-0:5.4.16-42.el7
  • php-common-0:5.4.16-42.el7
  • php-dba-0:5.4.16-42.el7
  • php-devel-0:5.4.16-42.el7
  • php-embedded-0:5.4.16-42.el7
  • php-enchant-0:5.4.16-42.el7
  • php-fpm-0:5.4.16-42.el7
  • php-gd-0:5.4.16-42.el7
  • php-intl-0:5.4.16-42.el7
  • php-ldap-0:5.4.16-42.el7
  • php-mbstring-0:5.4.16-42.el7
  • php-mysql-0:5.4.16-42.el7
  • php-mysqlnd-0:5.4.16-42.el7
  • php-odbc-0:5.4.16-42.el7
  • php-pdo-0:5.4.16-42.el7
  • php-pgsql-0:5.4.16-42.el7
  • php-process-0:5.4.16-42.el7
  • php-pspell-0:5.4.16-42.el7
  • php-recode-0:5.4.16-42.el7
  • php-snmp-0:5.4.16-42.el7
  • php-soap-0:5.4.16-42.el7
  • php-xml-0:5.4.16-42.el7
  • php-xmlrpc-0:5.4.16-42.el7
refmap via4
bid 91395
confirm
mlist [oss-security] 20160623 Re: CVE for PHP 5.5.37 issues
suse
  • SUSE-SU-2016:2013
  • openSUSE-SU-2016:1761
  • openSUSE-SU-2016:1922
Last major update 17-01-2017 - 21:59
Published 07-08-2016 - 06:59
Last modified 04-01-2018 - 21:31
Back to Top