Nessus plugin 9460.PRM (Tenable)
History: Aug 05, 2016 - 12:00 a.m.

PHP 5.5.x < 5.5.38 / 5.6.x < 5.6.24 / 7.0.x < 7.0.9 Multiple Vulnerabilities

Tenable
www.tenable.com

Versions of PHP 5.5.x prior to 5.5.38, or 5.6.x prior to 5.6.24, or 7.0.x prior to 7.0.9 are vulnerable to the following issues:

  • A NULL pointer dereference flaw within the ‘_gdScaleVert()’ function inside of ‘ext/gd/libgd/gd_interpolation.c’ is triggered during the handling of ‘_gdContributionsCalc’ return values. This may allow a remote attacker to cause a denial of service in a process linked against PHP.
  • A flaw related to missing protection against ‘RFC 3875 section 4.1.18’ namespace conflicts is triggered when handling requests containing ‘Proxy’ HTTP headers. These may be stored in the ‘HTTP_PROXY’ environment variable also commonly used to configure an outbound HTTP proxy for applications. With a specially crafted request, a remote attacker can specify an arbitrary HTTP proxy server to be used by applications relying on the HTTP_PROXY environment variable. (CVE-2016-5385)
  • An out-of-bounds read flaw within the ‘gdImageScaleBilinearPalette()’ function inside of ‘gd_interpolation.c’ is triggered when handling transparent colors. This may allow a context-dependent attacker to crash a process linked against the library or potentially disclose memory contents.
  • A flaw within the ‘gdImageScaleTwoPass()’ function inside of ‘gd_interpolation.c’ is triggered as certain input is not properly validated. This may allow a context-dependent attacker to crash a process linked against the library. (CVE-2016-6207)
  • A use-after-free error within ‘ext/snmp/snmp.c’ is triggered during the unserialization of user-supplied input when handling garbage collection. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6295)
  • An out-of-bounds read flaw within the ‘uloc_acceptLanguageFromHTTP()’ function inside of ‘common/uloc.cpp’ may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6293, CVE-2016-6294)
  • A use-after-free error within ‘ext/session/session.c’ is triggered during the handling of ‘var_hash destruction’. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code. (CVE-2016-6290)
  • An out-of-bounds read flaw within the ‘exif_process_IFD_in_MAKERNOTE()’ function inside of ‘ext/exif/exif.c’ may allow a remote attacker to crash a program using the language or potentially disclose memory contents. (CVE-2016-6291)
  • An overflow condition within the ‘php_bz2iop_read()’ function inside of ‘ext/bz2/bz2.c’ is triggered as error conditions are not properly handled. With a specially crafted request, a remote attacker can cause a buffer overflow and potentially execute arbitrary code. (CVE-2016-5399)
  • An overflow condition within the ‘mdecrypt_generic()’ function inside of ‘ext/mcrypt/mcrypt.c’ is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code.
  • A NULL pointer dereference flaw within the ‘exif_process_user_comment()’ function inside of ‘ext/exif/exif.c’ may allow a remote attacker to crash a program using the language. (CVE-2016-6292)
  • A flaw within the ‘curl_unescape()’ function inside of ‘ext/curl/interface.c’ is triggered during the handling of string lengths. This may allow a remote attacker to trigger heap corruption and crash a program using the language.
  • An overflow condition within the ‘mcrypt_generic()’ function inside of ‘ext/mcrypt/mcrypt.c’ is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
  • An integer overflow condition within the ‘php_stream_zip_opener()’ function inside of ‘ext/zip/zip_stream.c’ is triggered as user-supplied input is not properly validated when handling zip streams. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6297)
  • An integer overflow condition within the ‘virtual_file_ex()’ function inside of ‘Zend/zend_virtual_cwd.c’ is triggered as user-supplied input is not properly validated when handling variables. This may allow a remote attacker to cause a stack-based buffer overflow, crashing a program using the language or potentially allowing the execution of arbitrary code. (CVE-2016-6289)
  • An overflow condition within the ‘simplestring_addn()’ function inside of ‘simplestring.c’ is triggered as user-supplied input is not properly validated. This may allow a context-dependent attacker to cause a heap-based buffer overflow, resulting in a denial of service in a process linked against the library or potentially allowing the execution of arbitrary code. (CVE-2016-6296)
  • A NULL write flaw within the ‘gdImageColorTransparent()’ function inside of ‘gd.c’ is triggered during the handling of negative transparent colors. This may allow a context-dependent attacker to disclose memory.
  • An overflow condition within the ‘php_url_parse_ex()’ function inside of ‘ext/standard/url.c’ is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a buffer overflow, potentially resulting in a denial of service in a process utilizing the language. (CVE-2016-6288)
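The header-to-environment mapping behind the ‘Proxy’ / HTTP_PROXY conflict (CVE-2016-5385, second item above), shown unguarded and with the guard a CGI gateway needs, as an added Python example; this is not PHP's or Tenable's code, and the request headers are constructed.

```python
# RFC 3875 section 4.1.18: each request header becomes a meta-variable named
# HTTP_ plus the header name upper-cased with '-' replaced by '_'.  A client
# header called "Proxy" therefore lands in HTTP_PROXY, the variable many HTTP
# client libraries consult to choose an outbound proxy.

# Header names whose meta-variable would collide with a well-known environment
# variable and must never be populated from the request (the httpoxy case).
BLOCKED_HEADERS = {"proxy"}


def cgi_meta_variables(headers, guard=True):
    """Build the HTTP_* environment a CGI/FastCGI gateway hands to PHP.

    headers: list of (name, value) pairs as received from the client.
    guard:   True drops blocked headers before mapping (the fixed behaviour);
             False reproduces the unprotected mapping the advisory describes.
    """
    env = {}
    for name, value in headers:
        if guard and name.strip().lower() in BLOCKED_HEADERS:
            continue
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        env[key] = value
    return env


def proxy_injected(env):
    """Detection helper: True when the CGI environment carries a client-set
    HTTP_PROXY, something a gateway should log and reject."""
    return "HTTP_PROXY" in env


# Constructed request headers for demonstration (not from the advisory).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("User-Agent", "example-client/1.0"),
    ("Proxy", "proxy.invalid:8080"),
]

if __name__ == "__main__":
    print("unguarded:", proxy_injected(cgi_meta_variables(SAMPLE_HEADERS, guard=False)))
    print("guarded:  ", proxy_injected(cgi_meta_variables(SAMPLE_HEADERS)))
```

Stripping the header at the web server before PHP runs gives the same protection (for Apache, `RequestHeader unset Proxy early`) and is the usual stopgap where the upgrade cannot be applied immediately.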
Vendor  Product  Version  CPE
php     php               cpe:/a:php:php
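A version check for the three affected ranges named at the top of this entry, as an added Python example that is not Tenable's plugin code; the X-Powered-By banners are constructed, and because the check compares upstream version numbers it will flag distributions that backport the fixes without changing the reported version.

```python
import re

# First fixed release per affected branch, as stated in this entry.
FIXED_BY_BRANCH = {
    (5, 5): (5, 5, 38),
    (5, 6): (5, 6, 24),
    (7, 0): (7, 0, 9),
}

def parse_php_version(text):
    """Return the leading x.y.z of a PHP version string as an int tuple.

    Packaged builds report strings like "5.6.24-0+deb8u1" or "7.0.9RC1"; only
    the numeric prefix is compared, so a pre-release such as 7.0.9RC1 compares
    equal to 7.0.9 and has to be judged separately.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised PHP version: %r" % text)
    return tuple(int(part) for part in m.groups())

def is_vulnerable(version):
    """True below the branch's first fixed release, False at or above it, and
    None when the branch (e.g. 5.4 or 7.1) is not covered by this entry, so a
    caller can tell 'fixed' from 'not assessed'."""
    v = parse_php_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v < fixed

def version_from_powered_by(header_value):
    """Extract the version from an X-Powered-By banner such as "PHP/5.6.20";
    None when the banner is absent or hidden (expose_php=Off)."""
    m = re.search(r"PHP/(\d+\.\d+\.\d+[^\s,;]*)", header_value or "")
    return m.group(1) if m else None

# Constructed banners for demonstration, not observed data.
SAMPLE_BANNERS = ["PHP/5.5.37", "PHP/5.6.24-0+deb8u1", "PHP/7.0.8", "PHP/7.1.0", ""]

def assess(banners):
    """Map each banner to is_vulnerable()'s verdict, or None without a banner."""
    verdicts = {}
    for banner in banners:
        version = version_from_powered_by(banner)
        verdicts[banner] = is_vulnerable(version) if version else None
    return verdicts
```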