| nessus
via4
|
| NASL family | SuSE Local Security Checks | | NASL id | SUSE_SU-2017-1717-1.NASL | | description | This update for php7 fixes the following security issues :
- CVE-2017-9224: stack out-of-bounds read occurs in
match_at() could lead to Denial of service (bsc#1040891)
- CVE-2017-9226: heap out-of-bounds write orread occurs in
next_state_val() could lead to Denial of
service(bsc#1040889)
- CVE-2017-9227: stack out-of-bounds read in mbc_enc_len()
could lead to Denial of service (bsc#1040883)
- CVE-2017-6441: The _zval_get_long_func_ex in
Zend/zend_operators.c in PHP allowed attackers to cause
a denial of service (NULL pointer dereference and
application crash) via crafted use of 'declare(ticks='
in a PHP script (bsc#1032155).
- CVE-2016-6294: The locale_accept_from_http function in
ext/intl/locale/locale_methods.c did not properly
restrict calls to the ICU uloc_acceptLanguageFromHTTP
function, which allowed remote attackers to cause a
denial of service (out-of-bounds read) or possibly have
unspecified other impact via a call with a long argument
(bsc#1035111).
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2019-01-02 | | plugin id | 120000 | | published | 2019-01-02 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=120000 | | title | SUSE SLES12 Security Update : php7 (SUSE-SU-2017:1717-1) |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2017-B674DC22AD.NASL | | description | **PHP version 7.0.21** (06 Jul 2017)
**Core:**
- Fixed bug php#74738 (Multiple [PATH=] and [HOST=]
sections not properly parsed). (Manuel Mausz)
- Fixed bug php#74658 (Undefined constants in array
properties result in broken properties). (Laruence)
- Fixed misparsing of abstract unix domain socket names.
(Sara)
- Fixed bug php#74101, bug php#74614 (Unserialize Heap
Use-After-Free (READ: 1) in zval_get_type). (Nikita)
- Fixed bug php#74111 (Heap buffer overread (READ: 1)
finish_nested_data from unserialize). (Nikita)
- Fixed bug php#74603 (PHP INI Parsing Stack Buffer
Overflow Vulnerability). (Stas)
- Fixed bug php#74819 (wddx_deserialize() heap
out-of-bound read via php_parse_date()). (Derick)
**DOM:**
- Fixed bug php#69373 (References to deleted XPath query
results). (ttoohey)
**Intl:**
- Fixed bug php#73473 (Stack Buffer Overflow in
msgfmt_parse_message). (libnex)
- Fixed bug php#74705 (Wrong reflection on
Collator::getSortKey and collator_get_sort_key). (Tyson
Andre, Remi)
- Fixed bug php#73634 (grapheme_strpos illegal memory
access). (Stas)
**Mbstring:**
- Add oniguruma upstream fix (CVE-2017-9224,
CVE-2017-9226, CVE-2017-9227, CVE-2017-9228,
CVE-2017-9229) (Remi, Mamoru TASAKA)
**Opcache:**
- Fixed bug php#74663 (Segfault with
opcache.memory_protect and validate_timestamp).
(Laruence)
**OpenSSL:**
- Fixed bug php#74651 (negative-size-param (-1) in memcpy
in zif_openssl_seal()). (Stas)
**Reflection:**
- Fixed bug php#74673 (Segfault when cast Reflection
object to string with undefined constant). (Laruence)
**SPL:**
- Fixed bug php#74478 (null coalescing operator failing
with SplFixedArray). (jhdxr)
**Standard:**
- Fixed bug php#74708 (Invalid Reflection signatures for
random_bytes and random_int). (Tyson Andre, Remi)
- Fixed bug php#73648 (Heap buffer overflow in substr).
(Stas)
**FTP:**
- Fixed bug php#74598 (ftp:// wrapper ignores context
arg). (Sara)
**PHAR:**
- Fixed bug php#74386 (Phar::__construct reflection
incorrect). (villfa)
**SOAP**
- Fixed bug php#74679 (Incorrect conversion array with
WSDL_CACHE_MEMORY). (Dmitry)
**Streams:**
- Fixed bug php#74556 (stream_socket_get_name() returns
'\0'). (Sara)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-02-02 | | plugin id | 101538 | | published | 2017-07-14 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101538 | | title | Fedora 25 : php (2017-b674dc22ad) |
| NASL family | SuSE Local Security Checks | | NASL id | OPENSUSE-2017-790.NASL | | description | This update for php7 fixes the following security issues :
- CVE-2017-9224: stack out-of-bounds read occurs in
match_at() could lead to Denial of service (bsc#1040891)
- CVE-2017-9226: heap out-of-bounds write orread occurs in
next_state_val() could lead to Denial of
service(bsc#1040889)
- CVE-2017-9227: stack out-of-bounds read in mbc_enc_len()
could lead to Denial of service (bsc#1040883)
- CVE-2017-6441: The _zval_get_long_func_ex in
Zend/zend_operators.c in PHP allowed attackers to cause
a denial of service (NULL pointer dereference and
application crash) via crafted use of 'declare(ticks='
in a PHP script (bsc#1032155).
- CVE-2016-6294: The locale_accept_from_http function in
ext/intl/locale/locale_methods.c did not properly
restrict calls to the ICU uloc_acceptLanguageFromHTTP
function, which allowed remote attackers to cause a
denial of service (out-of-bounds read) or possibly have
unspecified other impact via a call with a long argument
(bsc#1035111).
This update was imported from the SUSE:SLE-12:Update update project. | | last seen | 2019-01-16 | | modified | 2017-07-07 | | plugin id | 101287 | | published | 2017-07-07 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101287 | | title | openSUSE Security Update : php7 (openSUSE-2017-790) |
| NASL family | Amazon Linux Local Security Checks | | NASL id | ALA_ALAS-2017-871.NASL | | description | Out-of-bounds heap write in bitset_set_range()
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write occurs in bitset_set_range() during regular
expression compilation due to an uninitialized variable from an
incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption. (CVE-2017-9228)
Invalid pointer dereference in left_adjust_char_head()
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV
occurs in left_adjust_char_head() during regular expression
compilation. Invalid handling of reg->dmax in forward_search_range()
could result in an invalid pointer dereference, normally as an
immediate denial-of-service condition. (CVE-2017-9229)
Heap buffer overflow in next_state_val() during regular expression
compilation
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write or read occurs in next_state_val() during regular
expression compilation. Octal numbers larger than 0xff are not handled
correctly in fetch_token() and fetch_token_in_cc(). A malformed
regular expression containing an octal number in the form of '\\700';
would produce an invalid code point value larger than 0xff in
next_state_val(), resulting in an out-of-bounds write memory
corruption. (CVE-2017-9226)
Out-of-bounds stack read in mbc_enc_len() during regular expression
searching
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in mbc_enc_len() during regular expression
searching. Invalid handling of reg>dmin in forward_search_range()
could result in an invalid pointer dereference, as an out-of-bounds
read from a stack buffer. CVE-2017-9227
Out-of-bounds stack read in match_at() during regular expression
searching
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in match_at() during regular expression
searching. A logical error involving order of validation and access in
match_at() could result in an out-of-bounds read from a stack buffer.
(CVE-2017-9224) | | last seen | 2019-01-16 | | modified | 2018-04-18 | | plugin id | 102545 | | published | 2017-08-18 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=102545 | | title | Amazon Linux AMI : php56 (ALAS-2017-871) |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2017-E314044789.NASL | | description | This new package includes additional fixes for CVE-2017-9228 .
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-02-02 | | plugin id | 103552 | | published | 2017-09-29 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=103552 | | title | Fedora 25 : oniguruma (2017-e314044789) |
| NASL family | SuSE Local Security Checks | | NASL id | SUSE_SU-2017-1662-1.NASL | | description | This update for php5 fixes the following security issues :
- CVE-2016-6294: The locale_accept_from_http function in
ext/intl/locale/locale_methods.c did not properly
restrict calls to the ICU uloc_acceptLanguageFromHTTP
function, which allowed remote attackers to cause a
denial of service (out-of-bounds read) or possibly have
unspecified other impact via a call with a long argument
(bsc#1035111).
- CVE-2017-9227: A stack out-of-bounds read occurs in
mbc_enc_len() during regular expression searching.
(bsc#1040883)
- CVE-2017-9226: A heap out-of-bounds write or read occurs
in next_state_val() during regular expression
compilation. (bsc#1040889)
- CVE-2017-9224: A stack out-of-bounds read occurs in
match_at() during regular expression searching.
(bsc#1040891)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2019-01-02 | | plugin id | 119999 | | published | 2019-01-02 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=119999 | | title | SUSE SLES12 Security Update : php5 (SUSE-SU-2017:1662-1) |
| NASL family | SuSE Local Security Checks | | NASL id | OPENSUSE-2017-764.NASL | | description | This update for php5 fixes the following security issues :
- CVE-2016-6294: The locale_accept_from_http function in
ext/intl/locale/locale_methods.c did not properly
restrict calls to the ICU uloc_acceptLanguageFromHTTP
function, which allowed remote attackers to cause a
denial of service (out-of-bounds read) or possibly have
unspecified other impact via a call with a long argument
(bsc#1035111).
- CVE-2017-9227: A stack out-of-bounds read occurs in
mbc_enc_len() during regular expression searching.
(bsc#1040883)
- CVE-2017-9226: A heap out-of-bounds write or read occurs
in next_state_val() during regular expression
compilation. (bsc#1040889)
- CVE-2017-9224: A stack out-of-bounds read occurs in
match_at() during regular expression searching.
(bsc#1040891)
This update was imported from the SUSE:SLE-12:Update update project. | | last seen | 2019-01-16 | | modified | 2017-07-05 | | plugin id | 101219 | | published | 2017-07-05 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101219 | | title | openSUSE Security Update : php5 (openSUSE-2017-764) |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2017-60997F0D14.NASL | | description | Multiple security flaws were found on oniguruma currently being
shipped on Fedora. This new rpm should fix the issue.
Fixed CVEs: CVE-2017-9226 CVE-2017-9225 CVE-2017-9224 CVE-2017-9227
CVE-2017-9229 CVE-2017-9228
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-02-01 | | plugin id | 100730 | | published | 2017-06-12 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=100730 | | title | Fedora 25 : oniguruma (2017-60997f0d14) |
| NASL family | PhotonOS Local Security Checks | | NASL id | PHOTONOS_PHSA-2017-0021.NASL | | description | An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has
been released. | | last seen | 2019-02-08 | | modified | 2019-02-07 | | plugin id | 111870 | | published | 2018-08-17 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=111870 | | title | Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated) |
| NASL family | PhotonOS Local Security Checks | | NASL id | PHOTONOS_PHSA-2017-0021_RUBY.NASL | | description | An update of the ruby package has been released. | | last seen | 2019-02-08 | | modified | 2019-02-07 | | plugin id | 121702 | | published | 2019-02-07 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=121702 | | title | Photon OS 1.0: Ruby PHSA-2017-0021 |
| NASL family | CGI abuses | | NASL id | PHP_7_0_21.NASL | | description | According to its banner, the version of PHP running on the remote web
server is 7.0.x prior to 7.0.21. It is, therefore, affected by the
following vulnerabilities :
- An out-of-bounds read error exists in the PCRE library
in the compile_bracket_matchingpath() function within
file pcre_jit_compile.c. An unauthenticated, remote
attacker can exploit this, via a specially crafted
regular expression, to crash a process linked to the
library, resulting in a denial of service condition.
(CVE-2017-6004)
- An out-of-bounds read error exists in the GD Graphics
Library (LibGD) in the gdImageCreateFromGifCtx()
function within file gd_gif_in.c when handling a
specially crafted GIF file. An unauthenticated, remote
attacker can exploit this to disclose sensitive memory
contents or crash a process linked to the library.
(CVE-2017-7890)
- An out-of-bounds read error exists in Oniguruma in the
match_at() function within file regexec.c. An
unauthenticated, remote attacker can exploit this to
disclose sensitive memory contents or crash a process
linked to the library. (CVE-2017-9224)
- An out-of-bounds write error exists in Oniguruma in the
next_state_val() function during regular expression
compilation. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2017-9226)
- An out-of-bounds read error exists in Oniguruma in the
mbc_enc_len() function within file utf8.c. An
unauthenticated, remote attacker can exploit this to
disclose memory contents or crash a process linked to
the library. (CVE-2017-9227)
- An out-of-bounds write error exists in Oniguruma in the
bitset_set_range() function during regular expression
compilation. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2017-9228)
- An invalid pointer deference flaw exists in Oniguruma
in the left_adjust_char_head() function within file
regexec.c during regular expression compilation. An
unauthenticated, remote attacker can exploit this to
crash a process linked to the library, resulting in a
denial of service condition. (CVE-2017-9229)
- A flaw exists in OpenSSL in the EVP_SealInit() function
within file crypto/evp/p_seal.c due to returning an
undocumented value of '-1'. An unauthenticated, remote
attacker can exploit this to cause an unspecified
impact. (CVE-2017-11144)
- An out-of-bounds read error exists in PHP in the
php_parse_date() function within file
ext/date/lib/parse_date.c. An unauthenticated, remote
attacker can exploit this to disclose memory contents or
cause a denial of service condition. (CVE-2017-11145)
- A use-after-free error exists in PHP in the
zval_get_type() function within file
ext/standard/var_unserializer.c. An unauthenticated,
remote attacker can exploit this to execute arbitrary
code.
- An out-of-bounds read error exists in PHP in the
finish_nested_data() function within file
ext/standard/var_unserializer.re. An unauthenticated,
remote attacker can exploit this to disclose memory
contents or cause a denial of service condition.
- An off-by-one overflow condition exists in PHP in the
INI parsing API, specifically in the zend_ini_do_op()
function within file Zend/zend_ini_parser.y, due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code.
- A stack-based buffer overflow condition exists in PHP
in the msgfmt_parse_message() function due to improper
validation of user-supplied input when parsing locale.
An unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. | | last seen | 2019-01-16 | | modified | 2019-01-02 | | plugin id | 101526 | | published | 2017-07-13 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101526 | | title | PHP 7.0.x < 7.0.21 Multiple Vulnerabilities |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2017-EE01A2CED6.NASL | | description | Multiple security flaws were found on the previous version of
oniguruma. This new version should fix the issue.
Fixed CVEs: CVE-2017-9226 CVE-2017-9225 CVE-2017-9224 CVE-2017-9227
CVE-2017-9229 CVE-2017-9228
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-02-02 | | plugin id | 101745 | | published | 2017-07-17 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101745 | | title | Fedora 26 : oniguruma (2017-ee01a2ced6) |
| NASL family | CGI abuses | | NASL id | PHP_5_6_31.NASL | | description | According to its banner, the version of PHP running on the remote web
server is 5.6.x prior to 5.6.31. It is, therefore, affected by the
following vulnerabilities :
- An out-of-bounds read error exists in the PCRE library
in the compile_bracket_matchingpath() function within
file pcre_jit_compile.c. An unauthenticated, remote
attacker can exploit this, via a specially crafted
regular expression, to crash a process linked to the
library, resulting in a denial of service condition.
(CVE-2017-6004)
- An out-of-bounds read error exists in the GD Graphics
Library (LibGD) in the gdImageCreateFromGifCtx()
function within file gd_gif_in.c when handling a
specially crafted GIF file. An unauthenticated, remote
attacker can exploit this to disclose sensitive memory
contents or crash a process linked to the library.
(CVE-2017-7890)
- An out-of-bounds read error exists in Oniguruma in the
match_at() function within file regexec.c. An
unauthenticated, remote attacker can exploit this to
disclose sensitive memory contents or crash a process
linked to the library. (CVE-2017-9224)
- An out-of-bounds write error exists in Oniguruma in the
next_state_val() function during regular expression
compilation. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2017-9226)
- An out-of-bounds read error exists in Oniguruma in the
mbc_enc_len() function within file utf8.c. An
unauthenticated, remote attacker can exploit this to
disclose memory contents or crash a process linked to
the library. (CVE-2017-9227)
- An out-of-bounds write error exists in Oniguruma in the
bitset_set_range() function during regular expression
compilation. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2017-9228)
- An invalid pointer deference flaw exists in Oniguruma
in the left_adjust_char_head() function within file
regexec.c during regular expression compilation. An
unauthenticated, remote attacker can exploit this to
crash a process linked to the library, resulting in a
denial of service condition. (CVE-2017-9229)
- A denial of service condition exists in PHP when
handling overlarge POST requests. An unauthenticated,
remote attacker can exploit this to exhaust available
CPU resources. (CVE-2017-11142)
- An extended invalid free error exists in PHP in the
php_wddx_push_element() function within file
ext/wddx/wddx.c when parsing empty boolean tags.
An unauthenticated, remote attacker can exploit this to
cause a denial of service condition. (CVE-2017-11143)
- A flaw exists in OpenSSL in the EVP_SealInit() function
within file crypto/evp/p_seal.c due to returning an
undocumented value of '-1'. An unauthenticated, remote
attacker can exploit this to cause an unspecified
impact. (CVE-2017-11144)
- An out-of-bounds read error exists in PHP in the
php_parse_date() function within file
ext/date/lib/parse_date.c. An unauthenticated, remote
attacker can exploit this to disclose memory contents or
cause a denial of service condition.
(CVE-2017-11145)
- An out-of-bounds read error exists in PHP in the
finish_nested_data() function within file
ext/standard/var_unserializer.re. An unauthenticated,
remote attacker can exploit this to disclose memory
contents or cause a denial of service condition.
- An off-by-one overflow condition exists in PHP in the
INI parsing API, specifically in the zend_ini_do_op()
function within file Zend/zend_ini_parser.y, due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. | | last seen | 2019-01-16 | | modified | 2019-01-02 | | plugin id | 101525 | | published | 2017-07-13 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101525 | | title | PHP 5.6.x < 5.6.31 Multiple Vulnerabilities |
| NASL family | Slackware Local Security Checks | | NASL id | SLACKWARE_SSA_2017-188-01.NASL | | description | New php packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues. | | last seen | 2018-09-02 | | modified | 2018-01-26 | | plugin id | 101316 | | published | 2017-07-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101316 | | title | Slackware 14.0 / 14.1 / 14.2 / current : php (SSA:2017-188-01) |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2017-5ADE380AB2.NASL | | description | **PHP version 5.6.31** (06 Jul 2017)
**Core:**
- Fixed bug php#73807 (Performance problem with processing
post request over 2000000 chars). (Nikita)
- Fixed bug php#74111 (Heap buffer overread (READ: 1)
finish_nested_data from unserialize). (Nikita)
- Fixed bug php#74603 (PHP INI Parsing Stack Buffer
Overflow Vulnerability). (Stas)
- Fixed bug php#74819 (wddx_deserialize() heap
out-of-bound read via php_parse_date()). (Derick)
**mbstring:**
- Add oniguruma upstream fix (CVE-2017-9224,
CVE-2017-9226, CVE-2017-9227, CVE-2017-9228,
CVE-2017-9229) (Remi, Mamoru TASAKA)
**OpenSSL:**
- Fixed bug php#74651 (negative-size-param (-1) in memcpy
in zif_openssl_seal()). (Stas)
**WDDX:**
- Fixed bug php#74145 (wddx parsing empty boolean tag
leads to SIGSEGV). (Stas)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-02-01 | | plugin id | 101864 | | published | 2017-07-21 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101864 | | title | Fedora 24 : php (2017-5ade380ab2) |
| NASL family | SuSE Local Security Checks | | NASL id | SUSE_SU-2017-1585-1.NASL | | description | This update for php53 fixes the following issues: This security issue
was fixed :
- CVE-2017-7272: PHP enabled potential SSRF in
applications that accept an fsockopen hostname argument
with an expectation that the port number is constrained.
Because a :port syntax was recognized, fsockopen used
the port number that is specified in the hostname
argument, instead of the port number in the second
argument of the function (bsc#1031246)
- CVE-2016-6294: The locale_accept_from_http function in
ext/intl/locale/locale_methods.c did not properly
restrict calls to the ICU uloc_acceptLanguageFromHTTP
function, which allowed remote attackers to cause a
denial of service (out-of-bounds read) or possibly have
unspecified other impact via a call with a long argument
(bsc#1035111).
- CVE-2017-9227: An issue was discovered in Oniguruma
6.2.0, as used in mbstring in PHP. A stack out-of-bounds
read occurs in mbc_enc_len() during regular expression
searching. Invalid handling of reg->dmin in
forward_search_range() could result in an invalid
pointer dereference, as an out-of-bounds read from a
stack buffer. (bsc#1040883)
- CVE-2017-9226: An issue was discovered in Oniguruma
6.2.0, as used in Oniguruma-mod in mbstring in PHP. A
heap out-of-bounds write or read occurs in
next_state_val() during regular expression compilation.
Octal numbers larger than 0xff are not handled correctly
in fetch_token() and fetch_token_in_cc(). A malformed
regular expression containing an octal number in the
form of '\700' would produce an invalid code point value
larger than 0xff in next_state_val(), resulting in an
out-of-bounds write memory corruption. (bsc#1040889)
- CVE-2017-9224: An issue was discovered in Oniguruma
6.2.0, as used in Oniguruma-mod in mbstring in PHP. A
stack out-of-bounds read occurs in match_at() during
regular expression searching. A logical error involving
order of validation and access in match_at() could
result in an out-of-bounds read from a stack buffer.
(bsc#1040891)
Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-11-30 | | plugin id | 100866 | | published | 2017-06-19 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=100866 | | title | SUSE SLES11 Security Update : php53 (SUSE-SU-2017:1585-1) |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2017-B8BB4B86E2.NASL | | description | **PHP version 7.1.7** (06 Jul 2017)
**Core:**
- Fixed bug php#74738 (Multiple [PATH=] and [HOST=]
sections not properly parsed). (Manuel Mausz)
- Fixed bug php#74658 (Undefined constants in array
properties result in broken properties). (Laruence)
- Fixed misparsing of abstract unix domain socket names.
(Sara)
- Fixed bug php#74603 (PHP INI Parsing Stack Buffer
Overflow Vulnerability). (Stas)
- Fixed bug php#74101, bug php#74614 (Unserialize Heap
Use-After-Free (READ: 1) in zval_get_type). (Nikita)
- Fixed bug php#74111 (Heap buffer overread (READ: 1)
finish_nested_data from unserialize). (Nikita)
- Fixed bug php#74819 (wddx_deserialize() heap
out-of-bound read via php_parse_date()). (Derick)
**Date:**
- Fixed bug php#74639 (implement clone for DatePeriod and
DateInterval). (andrewnester)
**DOM:**
- Fixed bug php#69373 (References to deleted XPath query
results). (ttoohey)
**Intl:**
- Fixed bug php#73473 (Stack Buffer Overflow in
msgfmt_parse_message). (libnex)
- Fixed bug php#74705 (Wrong reflection on
Collator::getSortKey and collator_get_sort_key). (Tyson
Andre, Remi)
**Mbstring:**
- Add oniguruma upstream fix (CVE-2017-9224,
CVE-2017-9226, CVE-2017-9227, CVE-2017-9228,
CVE-2017-9229) (Remi, Mamoru TASAKA)
**Opcache:**
- Fixed bug php#74663 (Segfault with
opcache.memory_protect and validate_timestamp).
(Laruence)
- Revert opcache.enable_cli to default disabled. (Nikita)
**OpenSSL:**
- Fixed bug php#74720 (pkcs7_en/decrypt does not work if
\x1a is used in content). (Anatol)
- Fixed bug php#74651 (negative-size-param (-1) in memcpy
in zif_openssl_seal()). (Stas)
**Reflection:**
- Fixed bug php#74673 (Segfault when cast Reflection
object to string with undefined constant). (Laruence)
**SPL:**
- Fixed bug php#74478 (null coalescing operator failing
with SplFixedArray). (jhdxr)
**FTP:**
- Fixed bug php#74598 (ftp:// wrapper ignores context
arg). (Sara)
**PHAR:**
- Fixed bug php#74386 (Phar::__construct reflection
incorrect). (villfa)
**SOAP**
- Fixed bug php#74679 (Incorrect conversion array with
WSDL_CACHE_MEMORY). (Dmitry)
**Streams:**
- Fixed bug php#74556 (stream_socket_get_name() returns
'\0'). (Sara)
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-02-02 | | plugin id | 101797 | | published | 2017-07-19 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101797 | | title | Fedora 26 : php (2017-b8bb4b86e2) |
| NASL family | CGI abuses | | NASL id | PHP_7_1_7.NASL | | description | According to its banner, the version of PHP running on the remote web
server is 7.1.x prior to 7.1.7. It is, therefore, affected by the
following vulnerabilities :
- An out-of-bounds read error exists in the GD Graphics
Library (LibGD) in the gdImageCreateFromGifCtx()
function within file gd_gif_in.c when handling a
specially crafted GIF file. An unauthenticated, remote
attacker can exploit this to disclose sensitive memory
contents or crash a process linked to the library.
(CVE-2017-7890)
- An out-of-bounds read error exists in Oniguruma in the
match_at() function within file regexec.c. An
unauthenticated, remote attacker can exploit this to
disclose sensitive memory contents or crash a process
linked to the library. (CVE-2017-9224)
- An out-of-bounds write error exists in Oniguruma in the
next_state_val() function during regular expression
compilation. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2017-9226)
- An out-of-bounds read error exists in Oniguruma in the
mbc_enc_len() function within file utf8.c. An
unauthenticated, remote attacker can exploit this to
disclose memory contents or crash a process linked to
the library. (CVE-2017-9227)
- An out-of-bounds write error exists in Oniguruma in the
bitset_set_range() function during regular expression
compilation. An unauthenticated, remote attacker can
exploit this to execute arbitrary code. (CVE-2017-9228)
- An invalid pointer deference flaw exists in Oniguruma
in the left_adjust_char_head() function within file
regexec.c during regular expression compilation. An
unauthenticated, remote attacker can exploit this to
crash a process linked to the library, resulting in a
denial of service condition. (CVE-2017-9229)
- A flaw exists in OpenSSL in the EVP_SealInit() function
within file crypto/evp/p_seal.c due to returning an
undocumented value of '-1'. An unauthenticated, remote
attacker can exploit this to cause an unspecified
impact. (CVE-2017-11144)
- An out-of-bounds read error exists in PHP in the
php_parse_date() function within file
ext/date/lib/parse_date.c. An unauthenticated, remote
attacker can exploit this to disclose memory contents or
cause a denial of service condition. (CVE-2017-11145)
- A use-after-free error exists in PHP in the
zval_get_type() function within file
ext/standard/var_unserializer.c. An unauthenticated,
remote attacker can exploit this to execute arbitrary
code.
- An out-of-bounds read error exists in PHP in the
finish_nested_data() function within file
ext/standard/var_unserializer.re. An unauthenticated,
remote attacker can exploit this to disclose memory
contents or cause a denial of service condition.
- An off-by-one overflow condition exists in PHP in the
INI parsing API, specifically in the zend_ini_do_op()
function within file Zend/zend_ini_parser.y, due to
improper validation of user-supplied input. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code.
- A stack-based buffer overflow condition exists in PHP
in the msgfmt_parse_message() function due to improper
validation of user-supplied input when parsing locale.
An unauthenticated, remote attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. | | last seen | 2019-01-16 | | modified | 2019-01-02 | | plugin id | 101527 | | published | 2017-07-13 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101527 | | title | PHP 7.1.x < 7.1.7 Multiple Vulnerabilities |
| NASL family | Amazon Linux Local Security Checks | | NASL id | ALA_ALAS-2017-867.NASL | | description | Out-of-bounds heap write in bitset_set_range() :
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write occurs in bitset_set_range() during regular
expression compilation due to an uninitialized variable from an
incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption. (CVE-2017-9228)
Buffer over-read from unitialized data in gdImageCreateFromGifCtx
function
The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in
the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and
7.x before 7.1.7, does not zero colorMap arrays before use. A
specially crafted GIF image could use the uninitialized tables to read
~700 bytes from the top of the stack, potentially disclosing sensitive
information. (CVE-2017-7890)
Invalid pointer dereference in left_adjust_char_head() :
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV
occurs in left_adjust_char_head() during regular expression
compilation. Invalid handling of reg->dmax in forward_search_range()
could result in an invalid pointer dereference, normally as an
immediate denial-of-service condition. (CVE-2017-9229)
Heap buffer overflow in next_state_val() during regular expression
compilation :
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write or read occurs in next_state_val() during regular
expression compilation. Octal numbers larger than 0xff are not handled
correctly in fetch_token() and fetch_token_in_cc(). A malformed
regular expression containing an octal number in the form of \\700
would produce an invalid code point value larger than 0xff in
next_state_val(), resulting in an out-of-bounds write memory
corruption.(CVE-2017-9226)
Out-of-bounds stack read in mbc_enc_len() during regular expression
searching :
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in mbc_enc_len() during regular expression
searching. Invalid handling of reg->dmin in forward_search_range()
could result in an invalid pointer dereference, as an out-of-bounds
read from a stack buffer. (CVE-2017-9227)
Out-of-bounds stack read in match_at() during regular expression
searching :
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in match_at() during regular expression
searching. A logical error involving order of validation and access in
match_at() could result in an out-of-bounds read from a stack buffer.
(CVE-2017-9224) | | last seen | 2019-01-16 | | modified | 2018-04-18 | | plugin id | 102181 | | published | 2017-08-04 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=102181 | | title | Amazon Linux AMI : php70 (ALAS-2017-867) |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2017-E2D6D0067F.NASL | | description | Multiple security flaws were found on oniguruma currently being
shipped on Fedora. This new rpm should fix the issue.
Fixed CVEs: CVE-2017-9226 CVE-2017-9224 CVE-2017-9227 CVE-2017-9229
CVE-2017-9228
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-02-02 | | plugin id | 100748 | | published | 2017-06-13 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=100748 | | title | Fedora 24 : oniguruma (2017-e2d6d0067f) |
| NASL family | Debian Local Security Checks | | NASL id | DEBIAN_DLA-958.NASL | | description | CVE-2017-9224
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in match_at() during regular expression
searching. A logical error involving order of validation and access in
match_at() could result in an out-of-bounds read from a stack buffer.
CVE-2017-9226
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write or read occurs in next_state_val() during regular
expression compilation. Octal numbers larger than 0xff are not handled
correctly in fetch_token() and fetch_token_in_cc(). A malformed
regular expression containing an octal number in the form of '\700'
would produce an invalid code point value larger than 0xff in
next_state_val(), resulting in an out-of-bounds write memory
corruption.
CVE-2017-9227
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack
out-of-bounds read occurs in mbc_enc_len() during regular expression
searching. Invalid handling of reg->dmin in forward_search_range()
could result in an invalid pointer dereference, as an out-of-bounds
read from a stack buffer.
CVE-2017-9228
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap
out-of-bounds write occurs in bitset_set_range() during regular
expression compilation due to an uninitialized variable from an
incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption.
CVE-2017-9229
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod
in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV
occurs in left_adjust_char_head() during regular expression
compilation. Invalid handling of reg->dmax in
forward_search_range() could result in an invalid pointer dereference,
normally as an immediate denial of service condition.
For Debian 7 'Wheezy', these problems have been fixed in version
5.9.1-1+deb7u1.
We recommend that you upgrade your libonig packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-07-10 | | plugin id | 100478 | | published | 2017-05-30 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=100478 | | title | Debian DLA-958-1 : libonig security update |
| NASL family | FreeBSD Local Security Checks | | NASL id | FREEBSD_PKG_B396CF6C62E611E79DEFB499BAEBFEAF.NASL | | description | the PHP project reports :
- A stack out-of-bounds read occurs in match_at() during regular
expression searching. A logical error involving order of validation
and access in match_at() could result in an out-of-bounds read from a
stack buffer (CVE-2017-9224).
- A heap out-of-bounds write or read occurs in next_state_val() during
regular expression compilation. Octal numbers larger than 0xff are not
handled correctly in fetch_token() and fetch_token_in_cc(). A
malformed regular expression containing an octal number in the form of
'\700' would produce an invalid code point value larger than 0xff in
next_state_val(), resulting in an out-of-bounds write memory
corruption (CVE-2017-9226).
- A stack out-of-bounds read occurs in mbc_enc_len() during regular
expression searching. Invalid handling of reg->dmin in
forward_search_range() could result in an invalid pointer dereference,
as an out-of-bounds read from a stack buffer (CVE-2017-9227).
- A heap out-of-bounds write occurs in bitset_set_range() during
regular expression compilation due to an uninitialized variable from
an incorrect state transition. An incorrect state transition in
parse_char_class() could create an execution path that leaves a
critical local variable uninitialized until it's used as an index,
resulting in an out-of-bounds write memory corruption (CVE-2017-9228).
- A SIGSEGV occurs in left_adjust_char_head() during regular
expression compilation. Invalid handling of reg->dmax in
forward_search_range() could result in an invalid pointer dereference,
normally as an immediate denial-of-service condition (CVE-2017-9228). | | last seen | 2019-01-16 | | modified | 2018-11-10 | | plugin id | 101332 | | published | 2017-07-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=101332 | | title | FreeBSD : oniguruma -- multiple vulnerabilities (b396cf6c-62e6-11e7-9def-b499baebfeaf) |
| NASL family | Ubuntu Local Security Checks | | NASL id | UBUNTU_USN-3382-1.NASL | | description | It was discovered that the PHP opcache created keys for files it
cached based on their filepath. A local attacker could possibly use
this issue in a shared hosting environment to obtain sensitive
information. This issue only affected Ubuntu 14.04 LTS.
(CVE-2015-8994)
It was discovered that the PHP URL parser incorrectly handled certain
URI components. A remote attacker could possibly use this issue to
bypass hostname-specific URL checks. This issue only affected Ubuntu
14.04 LTS. (CVE-2016-10397)
It was discovered that PHP incorrectly handled certain boolean
parameters when unserializing data. A remote attacker could possibly
use this issue to cause PHP to crash, resulting in a denial of
service. This issue only affected Ubuntu 14.04 LTS. (CVE-2017-11143)
Sebastian Li, Wei Lei, Xie Xiaofei, and Liu Yang discovered that PHP
incorrectly handled the OpenSSL sealing function. A remote attacker
could possibly use this issue to cause PHP to crash, resulting in a
denial of service. (CVE-2017-11144)
Wei Lei and Liu Yang discovered that the PHP date extension
incorrectly handled memory. A remote attacker could possibly use this
issue to disclose sensitive information from the server.
(CVE-2017-11145)
It was discovered that PHP incorrectly handled certain PHAR archives.
A remote attacker could use this issue to cause PHP to crash or
disclose sensitive information. This issue only affected Ubuntu 14.04
LTS. (CVE-2017-11147)
It was discovered that PHP incorrectly handled locale length. A remote
attacker could possibly use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2017-11362)
Wei Lei and Liu Yang discovered that PHP incorrectly handled parsing
ini files. An attacker could possibly use this issue to cause PHP to
crash, resulting in a denial of service. (CVE-2017-11628)
It was discovered that PHP mbstring incorrectly handled certain
regular expressions. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code. (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227,
CVE-2017-9228, CVE-2017-9229).
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | | last seen | 2019-01-16 | | modified | 2018-12-01 | | plugin id | 102416 | | published | 2017-08-11 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=102416 | | title | Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : php5, php7.0 vulnerabilities (USN-3382-1) |
|
