Oracle Linux 7 : php55-php (ELSA-2015-1186)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2015-1186.
##

include('compat.inc');

if (description)
{
  script_id(181083);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/07");

  script_cve_id(
    "CVE-2015-2783",
    "CVE-2015-3307",
    "CVE-2015-3329",
    "CVE-2015-3330",
    "CVE-2015-3411",
    "CVE-2015-3412",
    "CVE-2015-4021",
    "CVE-2015-4022",
    "CVE-2015-4024",
    "CVE-2015-4025",
    "CVE-2015-4026",
    "CVE-2015-4598",
    "CVE-2015-4602",
    "CVE-2015-4603",
    "CVE-2015-4604",
    "CVE-2015-4605",
    "CVE-2015-4643",
    "CVE-2015-4644"
  );
  script_xref(name:"IAVB", value:"2016-B-0054-S");

  script_name(english:"Oracle Linux 7 : php55-php (ELSA-2015-1186)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2015-1186 advisory.

  - ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers
    to obtain sensitive information from process memory or cause a denial of service (buffer over-read and
    application crash) via a crafted length value in conjunction with crafted serialized data in a phar
    archive, related to the phar_parse_metadata and phar_parse_pharfile functions. (CVE-2015-2783)

  - The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x
    before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly
    have unspecified other impact via a crafted tar archive. (CVE-2015-3307)

  - Multiple stack-based buffer overflows in the phar_set_inode function in phar_internal.h in PHP before
    5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allow remote attackers to execute arbitrary code via a
    crafted length value in a (1) tar, (2) phar, or (3) ZIP archive. (CVE-2015-3329)

  - The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24,
    and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to cause a
    denial of service (application crash) or possibly execute arbitrary code via pipelined HTTP requests that
    result in a deconfigured interpreter. (CVE-2015-3330)

  - PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00
    sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an
    application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the
    finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that
    bypasses an intended configuration in which client users may read only .xml files. (CVE-2015-3411)

  - PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00
    sequences, which might allow remote attackers to read arbitrary files via crafted input to an application
    that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a
    filename\0.extension attack that bypasses an intended configuration in which client users may read files
    with only one specific extension. (CVE-2015-3412)

  - The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x
    before 5.6.9 does not verify that the first character of a filename is different from the \0 character,
    which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a
    crafted entry in a tar archive. (CVE-2015-4021)

  - Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25,
    and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST
    command, leading to a heap-based buffer overflow. (CVE-2015-4022)

  - Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP
    before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of
    service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.
    (CVE-2015-4024)

  - PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a
    \x00 character in certain situations, which allows remote attackers to bypass intended extension
    restrictions and access files or directories with unexpected names via a crafted argument to (1)
    set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2006-7243. (CVE-2015-4025)

  - The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates
    a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended
    extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this
    vulnerability exists because of an incomplete fix for CVE-2006-7243. (CVE-2015-4026)

  - PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00
    sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an
    application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as
    demonstrated by a filename\0.html attack that bypasses an intended configuration in which client users may
    write to only .html files. (CVE-2015-4598)

  - The __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before
    5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or
    possibly execute arbitrary code via an unexpected data type, related to a type confusion issue.
    (CVE-2015-4602)

  - The exception::getTraceAsString function in Zend/zend_exceptions.c in PHP before 5.4.40, 5.5.x before
    5.5.24, and 5.6.x before 5.6.8 allows remote attackers to execute arbitrary code via an unexpected data
    type, related to a type confusion issue. (CVE-2015-4603)

  - The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40,
    5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship,
    which allows remote attackers to cause a denial of service (application crash) or possibly execute
    arbitrary code via a crafted string that is mishandled by a Python script text executable rule.
    (CVE-2015-4604)

  - The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40,
    5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which
    allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary
    code via a crafted string that is mishandled by a Python script text executable rule. (CVE-2015-4605)

  - Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26,
    and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST
    command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete
    fix for CVE-2015-4022. (CVE-2015-4643)

  - The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42,
    5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which
    might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash)
    via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.
    (CVE-2015-4644)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2015-1186.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-4603");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2015-4643");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/02/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-bcmath");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-dba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-enchant");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-fpm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-gmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-intl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-mbstring");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-mysqlnd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-opcache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-pdo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-process");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-pspell");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-soap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-xml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:php55-php-xmlrpc");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);

var pkgs = [
    {'reference':'php55-php-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-bcmath-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-cli-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-common-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-dba-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-devel-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-enchant-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-fpm-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-gd-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-gmp-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-intl-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-ldap-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-mbstring-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-mysqlnd-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-odbc-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-opcache-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-pdo-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-pgsql-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-process-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-pspell-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-recode-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-snmp-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-soap-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-xml-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'php55-php-xmlrpc-5.5.21-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'php55-php / php55-php-bcmath / php55-php-cli / etc');
}