Moderate: rh-php56 security, bug fix, and enhancement update

Related Vulnerabilities: CVE-2013-7456   CVE-2014-9767   CVE-2015-2325   CVE-2015-2326   CVE-2015-2327   CVE-2015-2328   CVE-2015-3210   CVE-2015-3217   CVE-2015-5073   CVE-2015-8381   CVE-2015-8383   CVE-2015-8384   CVE-2015-8385   CVE-2015-8386   CVE-2015-8388   CVE-2015-8391   CVE-2015-8392   CVE-2015-8395   CVE-2015-8835   CVE-2015-8865   CVE-2015-8866   CVE-2015-8867   CVE-2015-8873   CVE-2015-8874   CVE-2015-8876   CVE-2015-8877   CVE-2015-8879   CVE-2015-8935   CVE-2016-1903   CVE-2016-2554   CVE-2016-3074   CVE-2016-3141   CVE-2016-3142   CVE-2016-4070   CVE-2016-4071   CVE-2016-4072   CVE-2016-4073   CVE-2016-4342   CVE-2016-4343   CVE-2016-4473   CVE-2016-4537   CVE-2016-4538   CVE-2016-4539   CVE-2016-4540   CVE-2016-4541   CVE-2016-4542   CVE-2016-4543   CVE-2016-4544   CVE-2016-5093   CVE-2016-5094   CVE-2016-5096   CVE-2016-5114   CVE-2016-5399   CVE-2016-5766   CVE-2016-5767   CVE-2016-5768   CVE-2016-5770   CVE-2016-5771   CVE-2016-5772   CVE-2016-5773   CVE-2016-6128   CVE-2016-6207   CVE-2016-6288   CVE-2016-6289   CVE-2016-6290   CVE-2016-6291   CVE-2016-6292   CVE-2016-6294   CVE-2016-6295   CVE-2016-6296   CVE-2016-6297   CVE-2016-7124   CVE-2016-7125   CVE-2016-7126   CVE-2016-7127   CVE-2016-7128   CVE-2016-7129   CVE-2016-7130   CVE-2016-7131   CVE-2016-7132

Synopsis

Moderate: rh-php56 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for rh-php56, rh-php56-php, and rh-php56-php-pear is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. The rh-php56 packages provide a recent stable release of PHP with PEAR 1.9.5 and enhanced language features including constant expressions, variadic functions, argument unpacking, and the interactive debugger. The memcache, mongo, and XDebug extensions are also included.

The rh-php56 Software Collection has been upgraded to version 5.6.25, which provides a number of bug fixes and enhancements over the previous version. (BZ#1356157, BZ#1365401)

Security Fixes in the rh-php56-php component:

  • Several Moderate and Low impact security issues were found in PHP. Under certain circumstances, these issues could cause PHP to crash, disclose portions of its memory, execute arbitrary code, or impact PHP application integrity. Space precludes documenting each of these issues in this advisory. Refer to the CVE links in the References section for a description of each of these vulnerabilities. (CVE-2013-7456, CVE-2014-9767, CVE-2015-8835, CVE-2015-8865, CVE-2015-8866, CVE-2015-8867, CVE-2015-8873, CVE-2015-8874, CVE-2015-8876, CVE-2015-8877, CVE-2015-8879, CVE-2016-1903, CVE-2016-2554, CVE-2016-3074, CVE-2016-3141, CVE-2016-3142, CVE-2016-4070, CVE-2016-4071, CVE-2016-4072, CVE-2016-4073, CVE-2016-4342, CVE-2016-4343, CVE-2016-4473, CVE-2016-4537, CVE-2016-4538, CVE-2016-4539, CVE-2016-4540, CVE-2016-4541, CVE-2016-4542, CVE-2016-4543, CVE-2016-4544, CVE-2016-5093, CVE-2016-5094, CVE-2016-5096, CVE-2016-5114, CVE-2016-5399, CVE-2016-5766, CVE-2016-5767, CVE-2016-5768, CVE-2016-5770, CVE-2016-5771, CVE-2016-5772, CVE-2016-5773, CVE-2016-6128, CVE-2016-6207, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297, CVE-2016-7124, CVE-2016-7125, CVE-2016-7126, CVE-2016-7127, CVE-2016-7128, CVE-2016-7129, CVE-2016-7130, CVE-2016-7131, CVE-2016-7132)
  • Multiple flaws were found in the PCRE library included with the rh-php56-php packages for Red Hat Enterprise Linux 6. A specially crafted regular expression could cause PHP to crash or, possibly, execute arbitrary code. (CVE-2015-2325, CVE-2015-2326, CVE-2015-2327, CVE-2015-2328, CVE-2015-3210, CVE-2015-3217, CVE-2015-5073, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8395)

Red Hat would like to thank Hans Jerry Illikainen for reporting CVE-2016-3074, CVE-2016-4473, and CVE-2016-5399.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Affected Products

  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.2 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
  • Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
  • Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64

Fixes

  • BZ - 1207198 - CVE-2015-2325 pcre: heap buffer overflow in compile_branch()
  • BZ - 1207202 - CVE-2015-2326 pcre: heap buffer over-read in pcre_compile2() (8.37/23)
  • BZ - 1228283 - CVE-2015-3217 pcre: stack overflow caused by mishandled group empty match (8.38/11)
  • BZ - 1237223 - CVE-2015-5073 CVE-2015-8388 pcre: buffer overflow for forward reference within backward assertion with excess closing parenthesis (8.38/18)
  • BZ - 1260716 - CVE-2014-9767 php: ZipArchive::extractTo allows for directory traversal when creating directories
  • BZ - 1285399 - CVE-2015-2328 pcre: infinite recursion compiling pattern with recursive reference in a group with indefinite repeat (8.36/20)
  • BZ - 1285408 - CVE-2015-2327 pcre: infinite recursion compiling pattern with zero-repeated groups that include recursive back reference (8.36/19)
  • BZ - 1287614 - CVE-2015-8383 pcre: Buffer overflow caused by repeated conditional group (8.38/3)
  • BZ - 1287623 - CVE-2015-3210 CVE-2015-8384 pcre: buffer overflow caused by recursive back reference by name within certain group (8.38/4)
  • BZ - 1287629 - CVE-2015-8385 pcre: buffer overflow caused by named forward reference to duplicate group number (8.38/30)
  • BZ - 1287636 - CVE-2015-8386 pcre: Buffer overflow caused by lookbehind assertion (8.38/6)
  • BZ - 1287671 - CVE-2015-8391 pcre: inefficient posix character class syntax check (8.38/16)
  • BZ - 1287690 - CVE-2015-8392 pcre: buffer overflow caused by patterns with duplicated named groups with (?| (8.38/27)
  • BZ - 1287711 - CVE-2015-8381 CVE-2015-8395 pcre: Buffer overflow caused by duplicate named references (8.38/36)
  • BZ - 1297710 - CVE-2016-5114 php: out-of-bounds write in fpm_log.c
  • BZ - 1297717 - CVE-2016-1903 php: Out-of-bounds memory read via gdImageRotateInterpolated
  • BZ - 1305536 - CVE-2016-4342 php: use of uninitialized pointer in PharFileInfo::getContent
  • BZ - 1305543 - CVE-2016-2554 php: buffer overflow in handling of long link names in tar phar archives
  • BZ - 1315312 - CVE-2016-3142 php: Out-of-bounds read in phar_parse_zipfile()
  • BZ - 1315328 - CVE-2016-3141 php: Use after free in WDDX Deserialize when processing XML data
  • BZ - 1321893 - CVE-2016-3074 php: Signedness vulnerability causing heap overflow in libgd
  • BZ - 1323074 - CVE-2015-8835 php: type confusion issue in Soap Client call() method
  • BZ - 1323103 - CVE-2016-4073 php: Negative size parameter in memcpy
  • BZ - 1323106 - CVE-2016-4072 php: Invalid memory write in phar on filename containing \0 inside name
  • BZ - 1323108 - CVE-2016-4071 php: Format string vulnerability in php_snmp_error()
  • BZ - 1323114 - CVE-2016-4070 php: Integer overflow in php_raw_url_encode
  • BZ - 1323118 - CVE-2015-8865 file: Buffer over-write in finfo_open with malformed magic file
  • BZ - 1330418 - CVE-2015-8866 php: libxml_disable_entity_loader setting is shared between threads
  • BZ - 1330420 - CVE-2015-8867 php: openssl_random_pseudo_bytes() is not cryptographically secure
  • BZ - 1332454 - CVE-2016-4343 php: Uninitialized pointer in phar_make_dirstream()
  • BZ - 1332860 - CVE-2016-4537 CVE-2016-4538 php: bcpowmod accepts negative scale causing heap buffer overflow corrupting _one_ definition
  • BZ - 1332865 - CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
  • BZ - 1332872 - CVE-2016-4540 CVE-2016-4541 php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used
  • BZ - 1332877 - CVE-2016-4539 php: xml_parse_into_struct() can crash when XML parser is re-used
  • BZ - 1336772 - CVE-2015-8874 gd: gdImageFillToBorder deep recursion leading to stack overflow
  • BZ - 1336775 - CVE-2015-8873 php: Stack consumption vulnerability in Zend/zend_exceptions.c
  • BZ - 1338896 - CVE-2015-8876 php: Zend/zend_exceptions.c does not validate certain Exception objects
  • BZ - 1338907 - CVE-2015-8877 gd: gdImageScaleTwoPass function in gd_interpolation.c uses inconsistent allocate and free approaches
  • BZ - 1338912 - CVE-2015-8879 php: odbc_bindcols function mishandles driver behavior for SQL_WVARCHAR columns
  • BZ - 1339590 - CVE-2016-5093 php: improper nul termination leading to out-of-bounds read in get_icu_value_internal
  • BZ - 1339949 - CVE-2016-5096 php: Integer underflow causing arbitrary null write in fread/gzread
  • BZ - 1340433 - CVE-2013-7456 gd: incorrect boundary adjustment in _gdContributionsCalc
  • BZ - 1340738 - CVE-2016-5094 php: Integer overflow in php_html_entities()
  • BZ - 1347772 - CVE-2016-4473 php: Invalid free() instead of efree() in phar_extract_file()
  • BZ - 1351068 - CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow
  • BZ - 1351069 - CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
  • BZ - 1351168 - CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec
  • BZ - 1351171 - CVE-2016-5770 php: Int/size_t confusion in SplFileObject::fread
  • BZ - 1351173 - CVE-2016-5771 php: Use After Free Vulnerability in PHP's GC algorithm and unserialize
  • BZ - 1351175 - CVE-2016-5772 php: Double Free Corruption in wddx_deserialize
  • BZ - 1351179 - CVE-2016-5773 php: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
  • BZ - 1351603 - CVE-2016-6128 gd: Invalid color index not properly handled
  • BZ - 1358395 - CVE-2016-5399 php: Improper error handling in bzread()
  • BZ - 1359698 - CVE-2016-6289 php: Integer overflow leads to buffer overflow in virtual_file_ex
  • BZ - 1359710 - CVE-2016-6290 php: Use after free in unserialize() with Unexpected Session Deserialization
  • BZ - 1359718 - CVE-2016-6291 php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
  • BZ - 1359756 - CVE-2016-6292 php: Null pointer dereference in exif_process_user_comment
  • BZ - 1359800 - CVE-2016-6207 php,gd: Integer overflow error within _gdContributionsAlloc()
  • BZ - 1359811 - CVE-2016-6294 php: Out-of-bounds access in locale_accept_from_http
  • BZ - 1359815 - CVE-2016-6295 php: Use after free in SNMP with GC and unserialize()
  • BZ - 1359822 - CVE-2016-6296 php: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c
  • BZ - 1359828 - CVE-2016-6297 php: Stack-based buffer overflow vulnerability in php_stream_zip_opener
  • BZ - 1360322 - CVE-2016-6288 php: Buffer over-read in php_url_parse_ex
  • BZ - 1374697 - CVE-2016-7124 php: bypass __wakeup() in deserialization of an unexpected object
  • BZ - 1374698 - CVE-2016-7125 php: Session Data Injection Vulnerability
  • BZ - 1374699 - CVE-2016-7126 php: select_colors write out-of-bounds
  • BZ - 1374701 - CVE-2016-7127 php: imagegammacorrect allows arbitrary write access
  • BZ - 1374704 - CVE-2016-7128 php: Memory Leakage In exif_process_IFD_in_TIFF
  • BZ - 1374705 - CVE-2016-7129 php: wddx_deserialize allows illegal memory access
  • BZ - 1374707 - CVE-2016-7130 php: wddx_deserialize null dereference
  • BZ - 1374708 - CVE-2016-7131 php: wddx_deserialize null dereference with invalid xml
  • BZ - 1374711 - CVE-2016-7132 php: wddx_deserialize null dereference in php_wddx_pop_element

CVEs

References