Moderate: rh-php70-php security, bug fix, and enhancement update

Synopsis

Moderate: rh-php70-php security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for rh-php70-php is now available for Red Hat Software Collections.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

The following packages have been upgraded to a later upstream version: rh-php70-php (7.0.27). (BZ#1518843)

Security Fix(es):

• php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field (CVE-2016-7412)
  
• php: Use after free in wddx_deserialize (CVE-2016-7413)
  
• php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile (CVE-2016-7414)
  
• php: Stack based buffer overflow in msgfmt_format_message (CVE-2016-7416)
  
• php: Missing type check when unserializing SplArray (CVE-2016-7417)
  
• php: Null pointer dereference in php_wddx_push_element (CVE-2016-7418)
  
• php: Use-after-free vulnerability when resizing the 'properties' hash table of a serialized object (CVE-2016-7479)
  
• php: Invalid read when wddx decodes empty boolean element (CVE-2016-9935)
  
• php: Use After Free in unserialize() (CVE-2016-9936)
  
• php: Wrong calculation in exif_convert_any_to_int function (CVE-2016-10158)
  
• php: Integer overflow in phar_parse_pharfile (CVE-2016-10159)
  
• php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive (CVE-2016-10160)
  
• php: Out-of-bounds heap read on unserialize in finish_nested_data() (CVE-2016-10161)
  
• php: Null pointer dereference when unserializing PHP object (CVE-2016-10162)
  
• gd: DoS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)
  
• gd: Integer overflow in gd_io.c (CVE-2016-10168)
  
• php: Use of uninitialized memory in unserialize() (CVE-2017-5340)
  
• php: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function (CVE-2017-7890)
  
• oniguruma: Out-of-bounds stack read in match_at() during regular expression searching (CVE-2017-9224)
  
• oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation (CVE-2017-9226)
  
• oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching (CVE-2017-9227)
  
• oniguruma: Out-of-bounds heap write in bitset_set_range() (CVE-2017-9228)
  
• oniguruma: Invalid pointer dereference in left_adjust_char_head() (CVE-2017-9229)
  
• php: Incorrect WDDX deserialization of boolean parameters leads to DoS (CVE-2017-11143)
  
• php: Incorrect return value check of OpenSSL sealing function leads to crash (CVE-2017-11144)
  
• php: Out-of-bounds read in phar_parse_pharfile (CVE-2017-11147)
  
• php: Stack-based buffer over-read in msgfmt_parse_message function (CVE-2017-11362)
  
• php: Stack based 1-byte buffer over-write in zend_ini_do_op() function Zend/zend_ini_parser.c (CVE-2017-11628)
  
• php: heap use after free in ext/standard/var_unserializer.re (CVE-2017-12932)
  
• php: heap use after free in ext/standard/var_unserializer.re (CVE-2017-12934)
  
• php: reflected XSS in .phar 404 page (CVE-2018-5712)
  
• php, gd: Stack overflow in gdImageFillToBorder on truecolor images (CVE-2016-9933)
  
• php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow (CVE-2016-9934)
  
• php: wddx_deserialize() heap out-of-bound read via php_parse_date() (CVE-2017-11145)
  
• php: buffer over-read in finish_nested_data function (CVE-2017-12933)
  
• php: Out-of-bound read in timelib_meridian() (CVE-2017-16642)
  
• php: Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c (CVE-2018-5711)
  

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For details, see the Red Hat Software Collections 3.1 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

Affected Products

• Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.6 x86_64
• Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.5 x86_64
• Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.4 x86_64
• Red Hat Software Collections (for RHEL Server) 1 for RHEL 7.3 x86_64
• Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
• Red Hat Software Collections (for RHEL Server) 1 for RHEL 6.7 x86_64
• Red Hat Software Collections (for RHEL Server) 1 for RHEL 6 x86_64
• Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
• Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 6 x86_64

Fixes

• BZ - 1377311 - CVE-2016-7412 php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field
• BZ - 1377314 - CVE-2016-7413 php: Use after free in wddx_deserialize
• BZ - 1377336 - CVE-2016-7414 php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
• BZ - 1377340 - CVE-2016-7416 php: Stack based buffer overflow in msgfmt_format_message
• BZ - 1377344 - CVE-2016-7417 php: Missing type check when unserializing SplArray
• BZ - 1377352 - CVE-2016-7418 php: Null pointer dereference in php_wddx_push_element
• BZ - 1404723 - CVE-2016-9933 php, gd: Stack overflow in gdImageFillToBorder on truecolor images
• BZ - 1404726 - CVE-2016-9934 php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
• BZ - 1404731 - CVE-2016-9935 php: Invalid read when wddx decodes empty boolean element
• BZ - 1404735 - CVE-2016-9936 php: Use After Free in unserialize()
• BZ - 1412631 - CVE-2017-5340 php: Use of uninitialized memory in unserialize()
• BZ - 1412686 - CVE-2016-7479 php: Use-after-free vulnerability when resizing the 'properties' hash table of a serialized object
• BZ - 1418984 - CVE-2016-10167 gd: DoS vulnerability in gdImageCreateFromGd2Ctx()
• BZ - 1418986 - CVE-2016-10168 gd: Integer overflow in gd_io.c
• BZ - 1419010 - CVE-2016-10161 php: Out-of-bounds heap read on unserialize in finish_nested_data()
• BZ - 1419012 - CVE-2016-10162 php: Null pointer dereference when unserializing PHP object
• BZ - 1419015 - CVE-2016-10158 php: Wrong calculation in exif_convert_any_to_int function
• BZ - 1419018 - CVE-2016-10160 php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive
• BZ - 1419020 - CVE-2016-10159 php: Integer overflow in phar_parse_pharfile
• BZ - 1466730 - CVE-2017-9224 oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
• BZ - 1466736 - CVE-2017-9226 oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
• BZ - 1466739 - CVE-2017-9227 oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching
• BZ - 1466740 - CVE-2017-9228 oniguruma: Out-of-bounds heap write in bitset_set_range()
• BZ - 1466746 - CVE-2017-9229 oniguruma: Invalid pointer dereference in left_adjust_char_head()
• BZ - 1471824 - CVE-2017-11143 php: Incorrect WDDX deserialization of boolean parameters leads to DoS
• BZ - 1471827 - CVE-2017-11144 php: Incorrect return value check of OpenSSL sealing function leads to crash
• BZ - 1471834 - CVE-2017-11145 php: wddx_deserialize() heap out-of-bound read via php_parse_date()
• BZ - 1471842 - CVE-2017-11147 php: Out-of-bounds read in phar_parse_pharfile
• BZ - 1473822 - CVE-2017-7890 php: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function
• BZ - 1475373 - CVE-2017-11362 php: Stack-based buffer over-read in msgfmt_parse_message function
• BZ - 1475522 - CVE-2017-11628 php: Stack based 1-byte buffer over-write in zend_ini_do_op() function Zend/zend_ini_parser.c
• BZ - 1484837 - CVE-2017-12932 php: heap use after free in ext/standard/var_unserializer.re
• BZ - 1484838 - CVE-2017-12933 php: buffer over-read in finish_nested_data function
• BZ - 1484839 - CVE-2017-12934 php: heap use after free in ext/standard/var_unserializer.re
• BZ - 1512057 - CVE-2017-16642 php: Out-of-bound read in timelib_meridian()
• BZ - 1535246 - CVE-2018-5711 php: Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c
• BZ - 1535251 - CVE-2018-5712 php: reflected XSS in .phar 404 page

CVEs

• CVE-2016-7412
• CVE-2016-7413
• CVE-2016-7414
• CVE-2016-7416
• CVE-2016-7417
• CVE-2016-7418
• CVE-2016-7479
• CVE-2016-9933
• CVE-2016-9934
• CVE-2016-9935
• CVE-2016-9936
• CVE-2016-10158
• CVE-2016-10159
• CVE-2016-10160
• CVE-2016-10161
• CVE-2016-10162
• CVE-2016-10167
• CVE-2016-10168
• CVE-2017-5340
• CVE-2017-7890
• CVE-2017-9224
• CVE-2017-9226
• CVE-2017-9227
• CVE-2017-9228
• CVE-2017-9229
• CVE-2017-11143
• CVE-2017-11144
• CVE-2017-11145
• CVE-2017-11147
• CVE-2017-11362
• CVE-2017-11628
• CVE-2017-12932
• CVE-2017-12933
• CVE-2017-12934
• CVE-2017-16642
• CVE-2018-5711
• CVE-2018-5712

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/documentation/en-us/red_hat_software_collections/3/html/3.1_release_notes/chap-rhscl#sect-RHSCL-Changes-php