REDHAT_UNPATCHED-PHP-RHEL6.NASL (Nessus plugin)

RHEL 6 : php (Unpatched Vulnerability)

Published: May 11, 2024
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
Tags: rhel 6, php, unpatched vulnerability, buffer overflow, remote attackers, denial of service, memory corruption, arbitrary code execution, integer overflow, application crash, gd graphics library, use-after-free vulnerability, sensitive information disclosure, out-of-bounds read

The remote Red Hat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  • php: Uninitialized read in exif_process_IFD_in_TIFF (CVE-2019-9641)

  • The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
    (CVE-2016-10158)

  • Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (CVE-2016-10159)

  • Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (CVE-2016-10160)

  • The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
    (CVE-2016-10161)

  • The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (CVE-2016-10162)

  • In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c). (CVE-2016-10397)

  • In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a $uri = stream_get_meta_data(fopen($file, r))['uri'] call mishandles the case where $file is data:text/plain;uri=eviluri; in other words, metadata can be set by an attacker. (CVE-2016-10712)

  • Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow. (CVE-2016-3074)

  • Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. (CVE-2016-3141)

  • The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. (CVE-2016-3142)

  • The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized
    _cookies data, related to the SoapClient::__call method in ext/soap/soap.c. (CVE-2016-3185)

  • The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c. (CVE-2016-4072)

  • Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.
    (CVE-2016-4073)

  • ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive. (CVE-2016-4342)

  • The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
    (CVE-2016-4343)

  • The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. (CVE-2016-4537)

  • The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the zero, one, or two global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. (CVE-2016-4538)

  • The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero. (CVE-2016-4539)

  • The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. (CVE-2016-4540)

  • The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. (CVE-2016-4541)

  • The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4542)

  • The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. (CVE-2016-4543)

  • The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4544)

  • The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call. (CVE-2016-5093)

  • Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument. (CVE-2016-5096)

  • sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging. (CVE-2016-5114)

  • The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive. (CVE-2016-5399)

  • Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by leveraging a callback exception. (CVE-2016-5768)

  • spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
    (CVE-2016-5771)

  • Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call. (CVE-2016-5772)

  • php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. (CVE-2016-5773)

  • The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)

  • Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. (CVE-2016-6289)

  • ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. (CVE-2016-6290)

  • The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. (CVE-2016-6291)

  • The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument. (CVE-2016-6294)

  • Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function. (CVE-2016-6296)

  • Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. (CVE-2016-6297)

  • ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
    (CVE-2016-7124)

  • ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection. (CVE-2016-7125)

  • The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument. (CVE-2016-7126)

  • The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by providing different signs for the second and third arguments.
    (CVE-2016-7127)

  • The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image. (CVE-2016-7128)

  • The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document. (CVE-2016-7129)

  • The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document. (CVE-2016-7130)

  • ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character. (CVE-2016-7131)

  • ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing. (CVE-2016-7132)

  • ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object. (CVE-2016-7411)

  • ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata. (CVE-2016-7412)

  • Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call. (CVE-2016-7413)

  • The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c. (CVE-2016-7414)

  • ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument. (CVE-2016-7416)

  • ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data. (CVE-2016-7417)

  • The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (CVE-2016-7418)

  • Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. (CVE-2016-7478)

  • In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution. (CVE-2016-7479)

  • The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. (CVE-2016-7480)

  • Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. (CVE-2016-9137)

  • PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
    (CVE-2016-9138)

  • ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. (CVE-2016-9934)

  • The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. (CVE-2016-9935)

  • The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
    (CVE-2016-9936)

  • In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c. (CVE-2017-11143)

  • In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission. (CVE-2017-11144)

  • In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension’s timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist. (CVE-2017-11145)

  • In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c. (CVE-2017-11147)

  • In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function. (CVE-2017-11362)

  • In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system’s php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives. (CVE-2017-11628)

  • The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data.
    Exploitation of this issue can have an unspecified impact on the integrity of PHP. (CVE-2017-12933)

  • In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145. (CVE-2017-16642)

  • Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data. (CVE-2017-5340)

  • main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to 127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this example) is hardcoded into an application as a security policy, but the hostname argument (i.e., 127.0.0.1:80 in this example) is obtained from untrusted input. (CVE-2017-7189)

  • PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. (CVE-2017-7272)

  • The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack, potentially disclosing sensitive information. (CVE-2017-7890)

  • PHP 7.1.5 has an out-of-bounds access in php_pcre_replace_impl via a crafted preg_replace call. (CVE-2017-9118)

  • An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user’s PHP applications by running gcore on the PID of the PHP-FPM worker process. (CVE-2018-10545)

  • An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences. (CVE-2018-10546)

  • An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712. (CVE-2018-10547)

  • An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value. (CVE-2018-10548)

  • exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file. (CVE-2018-14851)

  • An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.
    (CVE-2018-14883)

  • The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a Transfer-Encoding: chunked request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c. (CVE-2018-17082)

  • University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a user of a web application) and if rsh has been replaced by a program with different argument semantics.
    For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an IMAP server name containing a -oProxyCommand argument. (CVE-2018-19518)

  • In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.
    (CVE-2018-20783)

  • An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
    (CVE-2018-5712)

  • In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string. (CVE-2018-7584)

  • When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. (CVE-2019-11034)

  • When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash. (CVE-2019-11035)

  • When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. (CVE-2019-11036)

  • When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash. (CVE-2019-11040)

  • When the PHP EXIF extension is parsing EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash. (CVE-2019-11041, CVE-2019-11042)

  • In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, the PHP DirectoryIterator class accepts filenames with an embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking which paths the code is allowed to access. (CVE-2019-11045)

  • When the PHP EXIF extension parses EXIF information from an image, e.g. via the exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that will cause it to read past the allocated buffer. This may lead to information disclosure or a crash. (CVE-2019-11047, CVE-2019-11050)

  • In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are allowed, supplying overly long filenames or field names could lead the PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request without cleaning up the temporary files created by the upload request. This could lead to an accumulation of uncleaned temporary files that exhausts disk space on the target server. (CVE-2019-11048)

  • An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. (CVE-2019-9020)

  • An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c. (CVE-2019-9021)

  • An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences. (CVE-2019-9023)

  • An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c. (CVE-2019-9024)

  • An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that the file being renamed is briefly available with wrong permissions while the rename is ongoing, enabling unauthorized users to access the data. (CVE-2019-9637)

  • An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. (CVE-2019-9640)

  • When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2020-7059)

  • When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27, 7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2020-7060)

  • In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload functionality, if upload progress tracking is enabled but session.upload_progress.cleanup is set to 0 (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist and encounter a null pointer dereference, which would likely lead to a crash. (CVE-2020-7062)

  • In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating a PHAR archive using the PharData::buildFromIterator() function, the files are added with default permissions (0666, or all access) even if the original files on the filesystem had more restrictive permissions. This may result in files having more lax permissions than intended when such an archive is extracted. (CVE-2020-7063)

  • In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to a crash or information disclosure. (CVE-2020-7068)

  • In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like __Host- being confused with cookies whose names merely decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

  • In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating a URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with an invalid password component as a valid URL. This may lead functions that rely on the URL being valid to mis-parse it and produce wrong data as components of the URL. (CVE-2020-7071)

  • In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using the SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and crash. (CVE-2021-21702)

  • In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running the PHP FPM SAPI with the main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from a local unprivileged user to root. (CVE-2021-21703)

  • In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL, with further security implications such as contacting the wrong server or making a wrong access decision. (CVE-2021-21705)

  • In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains a URL-encoded NUL character, the function may interpret it as the end of the filename, so the filename is interpreted differently from what the user intended and a different file than intended may be read. (CVE-2021-21707)

  • In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress gzip quines (gzip files whose decompressed output is the same gzip file again), resulting in an infinite loop. (CVE-2022-31628)

  • In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications. (CVE-2022-31629)

  • php: PDO::quote() may return an unquoted string due to an integer overflow (CVE-2022-31631)

  • A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. (CVE-2022-4900)

  • In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the password_verify() function may accept some invalid Blowfish hashes as valid. If such an invalid hash ever ends up in the password database, it may lead to the application accepting any password for this entry. (CVE-2023-0567)

  • In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to the system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with a NUL value, which might lead to unauthorized data access or modification. (CVE-2023-0568)

  • In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7, when using SOAP HTTP Digest Authentication, the random value generator was not checked for failure and used a narrower range of values than it should have. In case of random generator failure, this could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made it easier for a malicious server to guess the client's nonce. (CVE-2023-3247)

  • In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when proc_open() is called with the array command syntax, insufficient escaping means that if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that execute arbitrary commands in the Windows shell. (CVE-2024-1874)

  • Due to an incomplete fix for CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and same-site attackers can set a standard insecure cookie in the victim's browser that is treated as a __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756)

  • In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. (CVE-2024-3096)
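
The cookie-name confusion behind CVE-2020-7070, CVE-2022-31629 and CVE-2024-2756 above comes down to a parser normalizing cookie names before they are compared against the __Host- / __Secure- prefixes. The Python below is an added example, not PHP's parser: it models a permissive parser that URL-decodes each cookie name (the mechanism the CVE-2020-7070 entry describes) and maps `.` and space to `_` (PHP's documented handling of external variable names; this page does not state which normalization CVE-2022-31629 and CVE-2024-2756 abuse, so that step is an assumption of the model), and contrasts it with a hardened parser that only honours a protected prefix when the raw, unmodified name carries it. The function names and the sample Cookie header values are constructed for the example.

```python
from urllib.parse import unquote

PROTECTED_PREFIXES = ("__Host-", "__Secure-")


def php_style_name(raw_name: str) -> str:
    """Model (not PHP's code) of permissive cookie-name normalization:
    URL-decode the name, then map '.' and ' ' to '_' as PHP does for
    external variable names. Either step can manufacture a protected
    prefix from a name that did not literally carry one."""
    name = unquote(raw_name)
    return name.replace(".", "_").replace(" ", "_")


def _split_cookie_header(header: str):
    """Yield (raw_name, raw_value) pairs from a Cookie: header value."""
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            raw_name, raw_value = part.split("=", 1)
            yield raw_name.strip(), raw_value.strip()


def parse_cookies_permissive(header: str) -> dict:
    """Pre-fix shape: every name is normalized before it becomes the key, so
    '%5F%5FHost-sid' and '_.Secure-token' land under '__Host-sid' and
    '__Secure-token'. A browser stores those names from a plain-HTTP
    Set-Cookie because, to the browser, they do not start with a prefix."""
    jar = {}
    for raw_name, raw_value in _split_cookie_header(header):
        jar[php_style_name(raw_name)] = unquote(raw_value)
    return jar


def parse_cookies_hardened(header: str) -> dict:
    """Hardened shape: a protected prefix is honoured only if the raw name
    already starts with it. Browsers refuse to store a literal __Host-/
    __Secure- cookie that was not set with Secure over HTTPS, so the raw
    prefix is the only trustworthy signal; a name that merely decodes or
    normalizes to the prefix is dropped instead of aliased onto it."""
    jar = {}
    for raw_name, raw_value in _split_cookie_header(header):
        name = php_style_name(raw_name)
        if name.startswith(PROTECTED_PREFIXES) and not raw_name.startswith(PROTECTED_PREFIXES):
            continue  # forged prefix, e.g. %5F%5FHost-sid or _.Secure-token
        jar[name] = unquote(raw_value)
    return jar


# Constructed samples: the first header carries cookies an attacker planted
# from an http:// origin; the second carries a session cookie set properly
# with the __Host- prefix over https://.
FORGED_HEADER = "%5F%5FHost-sid=forged1; _.Secure-token=forged2; theme=dark"
LEGIT_HEADER = "__Host-sid=legit; theme=dark"

if __name__ == "__main__":
    print(parse_cookies_permissive(FORGED_HEADER))  # forged cookies appear under protected names
    print(parse_cookies_hardened(FORGED_HEADER))    # only {'theme': 'dark'} survives
    print(parse_cookies_hardened(LEGIT_HEADER))     # genuine __Host-sid is kept
```

The hardened parser keys off the raw name rather than trying to enumerate encodings of the prefix, which is why the incomplete-fix pattern in CVE-2024-2756 (a second normalization path that was not covered by the first fix) does not apply to it: any transformation that produces the prefix from a raw name that lacks it is rejected by construction.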
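
CVE-2019-11045, CVE-2021-21707 and CVE-2024-3096 above are three faces of one boundary problem: a PHP-level string may contain a \0 byte, but the C routine that finally acts on it stops at the first NUL, so the bytes that were validated are not the bytes that are used. The Python below is an added example, not PHP's code: `c_string()` models that boundary, `naive_resolve()` reproduces the path-check bypass (with the URL-decoding step of CVE-2021-21707 in front of it), `legacy_hash()` models a hash routine that truncates the password at a NUL so that the empty password verifies against the hash of a NUL-prefixed password (the shape of CVE-2024-3096; SHA-256 stands in for the real hash, which is not the point), and the hardened variants reject NUL before anything else happens. The allowed suffix, function names and sample inputs are constructed for the example.

```python
import hashlib
from typing import Optional
from urllib.parse import unquote

ALLOWED_SUFFIX = ".xml"  # constructed policy: the app may only load .xml files


def c_string(data: bytes) -> bytes:
    """Model of what a NUL-terminated C API sees: bytes up to the first 0x00."""
    end = data.find(b"\x00")
    return data if end < 0 else data[:end]


def naive_resolve(user_path: str) -> Optional[str]:
    """Pre-fix shape: URL-decode (as the affected XML loaders did), validate
    the decoded high-level string, then hand it to a C API that stops at NUL.
    '/etc/passwd%00.xml' passes the suffix check and /etc/passwd is opened."""
    decoded = unquote(user_path)
    if not decoded.endswith(ALLOWED_SUFFIX):
        return None
    return c_string(decoded.encode()).decode()


def hardened_resolve(user_path: str) -> Optional[str]:
    """Reject any NUL after decoding and before the policy check, so the
    string that is validated is byte-for-byte the string that is used."""
    decoded = unquote(user_path)
    if "\x00" in decoded or not decoded.endswith(ALLOWED_SUFFIX):
        return None
    return decoded


def legacy_hash(password: bytes) -> str:
    """Model of a hashing routine with a C-string boundary: everything after
    the first NUL is silently dropped before hashing (SHA-256 is a stand-in
    for the real password hash)."""
    return hashlib.sha256(c_string(password)).hexdigest()


def legacy_verify(password: bytes, stored: str) -> bool:
    return legacy_hash(password) == stored


def nul_free(password: bytes) -> bool:
    return b"\x00" not in password


def safe_hash(password: bytes) -> str:
    """Refuse NUL-containing passwords instead of hashing a shortened one."""
    if not nul_free(password):
        raise ValueError("password contains a NUL byte")
    return hashlib.sha256(password).hexdigest()


def safe_verify(password: bytes, stored: str) -> bool:
    return nul_free(password) and hashlib.sha256(password).hexdigest() == stored


if __name__ == "__main__":
    print(naive_resolve("/etc/passwd%00.xml"))     # /etc/passwd
    print(hardened_resolve("/etc/passwd%00.xml"))  # None
    h = legacy_hash(b"\x00s3cret")
    print(legacy_verify(b"", h))                   # True: empty password accepted
    print(safe_verify(b"", safe_hash(b"s3cret")))  # False
```

The common fix is the same in both halves: decide on NUL before any other logic runs, in the same layer that later passes the buffer to C, rather than relying on each consumer to notice the truncation.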
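
The infinite loop in CVE-2022-31628 above is the generic failure of a decompressor that keeps unwrapping as long as its output still looks compressed: a gzip quine decompresses to itself, so such a loop never terminates. The Python below is an added example, not the phar code: `unwrap_unbounded()` has the vulnerable shape, and `unwrap_bounded()` adds a layer budget and a per-layer output cap so a quine or a deep nesting bomb stops after a fixed number of rounds. No quine is embedded; the sample input is a constructed four-layer nested gzip stream, and the limits are assumptions of the example, not PHP's own values.

```python
import gzip
import zlib
from typing import Tuple

GZIP_MAGIC = b"\x1f\x8b"
MAX_LAYERS = 3                 # assumed layer budget for the example, not PHP's value
MAX_OUTPUT = 16 * 1024 * 1024  # assumed cap on bytes any single layer may inflate to


def nested_gzip(payload: bytes, layers: int) -> bytes:
    """Construct test input: compress the payload `layers` times over."""
    data = payload
    for _ in range(layers):
        data = gzip.compress(data)
    return data


def unwrap_unbounded(data: bytes) -> bytes:
    """Vulnerable shape: keep inflating while the output still carries a gzip
    header. For a gzip quine gzip.decompress(data) == data, so this never
    returns; it is only ever called on finite nesting here."""
    while data.startswith(GZIP_MAGIC):
        data = gzip.decompress(data)
    return data


def unwrap_bounded(data: bytes, max_layers: int = MAX_LAYERS) -> Tuple[bytes, int]:
    """Hardened shape: refuse after `max_layers` rounds, and refuse a layer
    that inflates past MAX_OUTPUT before it is fully materialized.
    Returns (payload, layers_removed)."""
    layers = 0
    while data.startswith(GZIP_MAGIC):
        if layers >= max_layers:
            raise ValueError(f"more than {max_layers} nested gzip layers (quine or nesting bomb?)")
        dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing only
        out = dec.decompress(data, MAX_OUTPUT)
        if not dec.eof:
            raise ValueError(f"layer {layers} inflates past {MAX_OUTPUT} bytes")
        data = out
        layers += 1
    return data, layers


def within_layer_budget(data: bytes, max_layers: int = MAX_LAYERS) -> bool:
    """True if the blob fully unwraps within the budget, False if it is refused."""
    try:
        unwrap_bounded(data, max_layers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = nested_gzip(b"<?php __HALT_COMPILER(); ?>", 4)  # constructed sample
    print(unwrap_bounded(blob, max_layers=5))              # (payload, 4)
    print(within_layer_budget(blob, max_layers=3))         # False: refused at the 4th layer
```

The per-layer cap matters independently of the layer budget: a single layer that inflates to gigabytes exhausts memory long before a depth limit is reached, and `decompressobj.decompress(data, max_length)` lets the loop stop producing output at the cap instead of after the fact.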

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory php. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196157);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/13");

  script_cve_id(
    "CVE-2016-2554",
    "CVE-2016-3074",
    "CVE-2016-3141",
    "CVE-2016-3142",
    "CVE-2016-3185",
    "CVE-2016-4072",
    "CVE-2016-4073",
    "CVE-2016-4342",
    "CVE-2016-4343",
    "CVE-2016-4537",
    "CVE-2016-4538",
    "CVE-2016-4539",
    "CVE-2016-4540",
    "CVE-2016-4541",
    "CVE-2016-4542",
    "CVE-2016-4543",
    "CVE-2016-4544",
    "CVE-2016-5093",
    "CVE-2016-5096",
    "CVE-2016-5114",
    "CVE-2016-5399",
    "CVE-2016-5768",
    "CVE-2016-5771",
    "CVE-2016-5772",
    "CVE-2016-5773",
    "CVE-2016-6288",
    "CVE-2016-6289",
    "CVE-2016-6290",
    "CVE-2016-6291",
    "CVE-2016-6294",
    "CVE-2016-6296",
    "CVE-2016-6297",
    "CVE-2016-7124",
    "CVE-2016-7125",
    "CVE-2016-7126",
    "CVE-2016-7127",
    "CVE-2016-7128",
    "CVE-2016-7129",
    "CVE-2016-7130",
    "CVE-2016-7131",
    "CVE-2016-7132",
    "CVE-2016-7411",
    "CVE-2016-7412",
    "CVE-2016-7413",
    "CVE-2016-7414",
    "CVE-2016-7416",
    "CVE-2016-7417",
    "CVE-2016-7418",
    "CVE-2016-7478",
    "CVE-2016-7479",
    "CVE-2016-7480",
    "CVE-2016-9137",
    "CVE-2016-9138",
    "CVE-2016-9934",
    "CVE-2016-9935",
    "CVE-2016-9936",
    "CVE-2016-10158",
    "CVE-2016-10159",
    "CVE-2016-10160",
    "CVE-2016-10161",
    "CVE-2016-10162",
    "CVE-2016-10397",
    "CVE-2016-10712",
    "CVE-2017-5340",
    "CVE-2017-7189",
    "CVE-2017-7272",
    "CVE-2017-7890",
    "CVE-2017-9118",
    "CVE-2017-11143",
    "CVE-2017-11144",
    "CVE-2017-11145",
    "CVE-2017-11147",
    "CVE-2017-11362",
    "CVE-2017-11628",
    "CVE-2017-12933",
    "CVE-2017-16642",
    "CVE-2018-5712",
    "CVE-2018-7584",
    "CVE-2018-10545",
    "CVE-2018-10546",
    "CVE-2018-10547",
    "CVE-2018-10548",
    "CVE-2018-14851",
    "CVE-2018-14883",
    "CVE-2018-17082",
    "CVE-2018-19518",
    "CVE-2018-20783",
    "CVE-2019-9020",
    "CVE-2019-9021",
    "CVE-2019-9023",
    "CVE-2019-9024",
    "CVE-2019-9637",
    "CVE-2019-9640",
    "CVE-2019-9641",
    "CVE-2019-11034",
    "CVE-2019-11035",
    "CVE-2019-11036",
    "CVE-2019-11040",
    "CVE-2019-11041",
    "CVE-2019-11042",
    "CVE-2019-11045",
    "CVE-2019-11047",
    "CVE-2019-11048",
    "CVE-2019-11050",
    "CVE-2020-7059",
    "CVE-2020-7060",
    "CVE-2020-7062",
    "CVE-2020-7063",
    "CVE-2020-7068",
    "CVE-2020-7070",
    "CVE-2020-7071",
    "CVE-2021-21702",
    "CVE-2021-21703",
    "CVE-2021-21705",
    "CVE-2021-21707",
    "CVE-2022-4900",
    "CVE-2022-31628",
    "CVE-2022-31629",
    "CVE-2022-31631",
    "CVE-2023-0567",
    "CVE-2023-0568",
    "CVE-2023-3247",
    "CVE-2024-1874",
    "CVE-2024-2756",
    "CVE-2024-3096"
  );

  script_name(english:"RHEL 6 : php (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 6 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Uninitialized read in exif_process_IFD_in_TIFF (CVE-2019-9641)

  - The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and
    7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted
    EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
    (CVE-2016-10158)

  - Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x
    before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application
    crash) via a truncated manifest entry in a PHAR archive. (CVE-2016-10159)

  - Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x
    before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute
    arbitrary code via a crafted PHAR archive with an alias mismatch. (CVE-2016-10160)

  - The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15,
    and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and
    application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
    (CVE-2016-10161)

  - The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1
    allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via
    an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize
    call. (CVE-2016-10162)

  - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser
    could be used by attackers to bypass hostname-specific URL checks, as demonstrated by
    evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url
    function (implemented in the php_url_parse_ex function in ext/standard/url.c). (CVE-2016-10397)

  - In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of
    stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For
    example, a $uri = stream_get_meta_data(fopen($file, r))['uri'] call mishandles the case where $file is
    data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker. (CVE-2016-10712)

  - Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to
    cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data,
    which triggers a heap-based buffer overflow. (CVE-2016-3074)

  - Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19
    allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly
    have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var
    element. (CVE-2016-3141)

  - The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before
    5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of
    service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid
    location. (CVE-2016-3142)

  - The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28,
    5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from
    process memory or cause a denial of service (type confusion and application crash) via crafted serialized
    _cookies data, related to the SoapClient::__call method in ext/soap/soap.c. (CVE-2016-3185)

  - The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers
    to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the
    phar_analyze_path function in ext/phar/phar.c. (CVE-2016-4072)

  - Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP
    before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of
    service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.
    (CVE-2016-4073)

  - ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-
    length uncompressed data, which allows remote attackers to cause a denial of service (heap memory
    corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive.
    (CVE-2016-4342)

  - The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3
    mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service
    (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
    (CVE-2016-4343)

  - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
    7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial
    of service or possibly have unspecified other impact via a crafted call. (CVE-2016-4537)

  - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
    7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_,
    or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have
    unspecified other impact via a crafted call. (CVE-2016-4538)

  - The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x
    before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation
    fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a
    parser level of zero. (CVE-2016-4539)

  - The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before
    5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or
    possibly have unspecified other impact via a negative offset. (CVE-2016-4540)

  - The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before
    5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or
    possibly have unspecified other impact via a negative offset. (CVE-2016-4541)

  - The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x
    before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a
    denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4542)

  - The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and
    7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service
    (out-of-bounds read) or possibly have unspecified other impact via crafted header data. (CVE-2016-4543)

  - The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and
    7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of
    service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4544)

  - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before
    5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote
    attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via
    a crafted locale_get_primary_language call. (CVE-2016-5093)

  - Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22
    allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large
    integer in the second argument. (CVE-2016-5096)

  - sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the
    semantics of the snprintf return value, which allows attackers to obtain sensitive information from
    process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as
    demonstrated by a long URI in a configuration with custom REQUEST_URI logging. (CVE-2016-5114)

  - The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9
    allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a
    crafted bz2 archive. (CVE-2016-5399)

  - Double free vulnerability in the _php_mb_regex_ereg_replace_exec function in php_mbregex.c in the mbstring
    extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to
    execute arbitrary code or cause a denial of service (application crash) by leveraging a callback
    exception. (CVE-2016-5768)

  - spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with
    the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary
    code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
    (CVE-2016-5771)

  - Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP
    before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of
    service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in
    a wddx_deserialize call. (CVE-2016-5772)

  - php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly
    interacts with the unserialize implementation and garbage collection, which allows remote attackers to
    execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted
    serialized data containing a ZipArchive object. (CVE-2016-5773)

  - The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause
    a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the
    smart_str data type. (CVE-2016-6288)

  - Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x
    before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based
    buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP
    archive. (CVE-2016-6289)

  - ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly
    maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-
    after-free) or possibly have unspecified other impact via vectors related to session deserialization.
    (CVE-2016-6290)

  - The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24,
    and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and
    memory corruption), obtain sensitive information from process memory, or possibly have unspecified other
    impact via a crafted JPEG image. (CVE-2016-6291)

  - The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x
    before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU
    uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-
    bounds read) or possibly have unspecified other impact via a call with a long argument. (CVE-2016-6294)

  - Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2,
    as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause
    a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long
    first argument to the PHP xmlrpc_encode_request function. (CVE-2016-6296)

  - Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x
    before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based
    buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. (CVE-2016-6297)

  - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid
    objects, which allows remote attackers to cause a denial of service or possibly have unspecified other
    impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
    (CVE-2016-7124)

  - ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that
    triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by
    leveraging control of a session name, as demonstrated by object injection. (CVE-2016-7125)

  - The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not
    properly validate the number of colors, which allows remote attackers to cause a denial of service
    (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a
    large value in the third argument. (CVE-2016-7126)

  - The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly
    validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or
    possibly have unspecified other impact by providing different signs for the second and third arguments.
    (CVE-2016-7127)

  - The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10
    mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to
    obtain sensitive information from process memory via a crafted TIFF image. (CVE-2016-7128)

  - The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
    remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other
    impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a
    dateTime element in a wddxPacket XML document. (CVE-2016-7129)

  - The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
    remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly
    have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize
    call that mishandles a binary element in a wddxPacket XML document. (CVE-2016-7130)

  - ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of
    service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a
    malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag
    that lacks a < (less than) character. (CVE-2016-7131)

  - ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of
    service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an
    invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray
    element inside a boolean element, leading to incorrect pop processing. (CVE-2016-7132)

  - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which
    allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified
    other impact via an unserialize call that references a partially constructed object. (CVE-2016-7411)

  - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT
    field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-
    based buffer overflow) or possibly have unspecified other impact via crafted field metadata.
    (CVE-2016-7412)

  - Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26
    and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified
    other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to
    mishandling in a wddx_deserialize call. (CVE-2016-7413)

  - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the
    uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service
    (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive,
    related to ext/phar/util.c and ext/phar/zip.c. (CVE-2016-7414)

  - ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly
    restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers
    to cause a denial of service (application crash) or possibly have unspecified other impact via a
    MessageFormatter::formatMessage call with a long first argument. (CVE-2016-7416)

  - ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization
    without validating a return value and data type, which allows remote attackers to cause a denial of
    service or possibly have unspecified other impact via crafted serialized data. (CVE-2016-7417)

  - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows
    remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly
    have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to
    mishandling in a wddx_deserialize call. (CVE-2016-7418)

  - Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers
    to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related
    issue to CVE-2015-8876. (CVE-2016-7478)

  - In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a
    serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary
    code execution. (CVE-2016-7479)

  - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not
    verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial
    of service (uninitialized memory access) via crafted serialized data. (CVE-2016-7480)

  - Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27
    and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified
    other impact via crafted serialized data that is mishandled during __wakeup processing. (CVE-2016-9137)

  - PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing,
    which allows remote attackers to cause a denial of service or possibly have unspecified other impact via
    crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
    (CVE-2016-9138)

  - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of
    service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as
    demonstrated by a PDORow string. (CVE-2016-9934)

  - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows
    remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have
    unspecified other impact via an empty boolean element in a wddxPacket XML document. (CVE-2016-9935)

  - The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to
    cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted
    serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
    (CVE-2016-9936)

  - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by
    attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free
    for an empty boolean element in ext/wddx/wddx.c. (CVE-2017-11143)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code
    did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP
    interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an
    OpenSSL documentation omission. (CVE-2017-11144)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's
    timelib_meridian parsing code could be used by attackers able to supply date strings to leak information
    from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the
    php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit,
    not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist. (CVE-2017-11145)

  - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying
    malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer
    over-read in the phar_parse_pharfile function in ext/phar/phar.c. (CVE-2017-11147)

  - In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict
    the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow
    and application crash) or possibly have unspecified other impact within International Components for
    Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function. (CVE-2017-11362)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the
    zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow
    executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of
    the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application
    for syntax validation of php.ini directives. (CVE-2017-11628)

  - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before
    7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data.
    Exploitation of this issue can have an unspecified impact on the integrity of PHP. (CVE-2017-12933)

  - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's
    timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply
    date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds
    reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.
    (CVE-2017-16642)

  - Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandles certain cases that require large
    array allocations, which allows remote attackers to execute arbitrary code or cause a denial of service
    (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via
    crafted serialized data. (CVE-2017-5340)

  - main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsockopen calls, such as by interpreting
    fsockopen('127.0.0.1:80', 443) as if the address/port were 127.0.0.1:80:443, which is later truncated to
    127.0.0.1:80. This behavior has a security risk if the explicitly provided port number (i.e., 443 in this
    example) is hardcoded into an application as a security policy, but the hostname argument (i.e.,
    127.0.0.1:80 in this example) is obtained from untrusted input. (CVE-2017-7189)

  - PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname
    argument with an expectation that the port number is constrained. Because a :port syntax is recognized,
    fsockopen will use the port number that is specified in the hostname argument, instead of the port number
    in the second argument of the function. (CVE-2017-7272)

  - The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in the GD Graphics Library (aka libgd),
    as used in PHP before 5.6.31 and 7.x before 7.1.7, does not zero colorMap arrays before use. A specially
    crafted GIF image could use the uninitialized tables to read ~700 bytes from the top of the stack,
    potentially disclosing sensitive information. (CVE-2017-7890)

  - PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a crafted preg_replace call.
    (CVE-2017-9118)

  - An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before
    7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a
    PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information
    from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM
    worker process. (CVE-2018-10545)

  - An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before
    7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject
    invalid multibyte sequences. (CVE-2018-10546)

  - An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before
    7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request
    data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for
    CVE-2018-5712. (CVE-2018-10547)

  - An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before
    7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference
    and application crash) because of mishandling of the ldap_get_dn return value. (CVE-2018-10548)

  - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before
    7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read
    and application crash) via a crafted JPEG file. (CVE-2018-14851)

  - An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before
    7.2.8. An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c.
    (CVE-2018-14883)

  - The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before
    7.2.10 allows XSS via the body of a Transfer-Encoding: chunked request, because the bucket brigade is
    mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c. (CVE-2018-17082)

  - University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products,
    launches an rsh command (by means of the imap_rimap function in c-client/imap4r1.c and the tcp_aopen
    function in osdep/unix/tcp_unix.c) without preventing argument injection, which might allow remote
    attackers to execute arbitrary OS commands if the IMAP server name is untrusted input (e.g., entered by a
    user of a web application) and if rsh has been replaced by a program with different argument semantics.
    For example, if rsh is a link to ssh (as seen on Debian and Ubuntu systems), then the attack can use an
    IMAP server name containing a -oProxyCommand argument. (CVE-2018-19518)

  - In PHP before 5.6.39, 7.x before 7.0.33, 7.1.x before 7.1.25, and 7.2.x before 7.2.13, a buffer over-read
    in PHAR reading functions may allow an attacker to read allocated or unallocated memory past the actual
    data when trying to parse a .phar file. This is related to phar_parse_pharfile in ext/phar/phar.c.
    (CVE-2018-20783)

  - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before
    7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
    (CVE-2018-5712)

  - In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a
    stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function
    in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string. (CVE-2018-7584)

  - When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and
    7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may
    lead to information disclosure or crash. (CVE-2019-11034)

  - When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and
    7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may
    lead to information disclosure or crash. (CVE-2019-11035)

  - When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and
    7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may
    lead to information disclosure or crash. (CVE-2019-11036)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in
    PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with
    data that will cause it to read past the allocated buffer. This may lead to information disclosure or
    crash. (CVE-2019-11040)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in
    PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with
    data that will cause it to read past the allocated buffer. This may lead to information disclosure or
    crash. (CVE-2019-11041, CVE-2019-11042)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts
    filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security
    vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in
    PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data that
    will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
    (CVE-2019-11047, CVE-2019-11050)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are
    allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized
    memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files
    created by upload request. This potentially could lead to accumulation of uncleaned temporary files
    exhausting the disk space on the target server. (CVE-2019-11048)

  - An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before
    7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of
    bounds read or read after free). This is related to xml_elem_parse_buf in
    ext/xmlrpc/libxmlrpc/xml_element.c. (CVE-2019-9020)

  - An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before
    7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker
    to read allocated or unallocated memory past the actual data when trying to parse the file name, a
    different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in
    ext/phar/phar.c. (CVE-2019-9021)

  - An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before
    7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression
    functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c,
    ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c,
    and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid
    multibyte sequences. (CVE-2019-9023)

  - An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before
    7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated
    areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c. (CVE-2019-9024)

  - An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way
    rename() across filesystems is implemented, it is possible that file being renamed is briefly available
    with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
    (CVE-2019-9637)

  - An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before
    7.3.3. There is an Invalid Read in exif_process_SOFn. (CVE-2019-9640)

  - When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x
    below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read
    past the allocated buffer. This may lead to information disclosure or crash. (CVE-2020-7059)

  - When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27,
    7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function
    mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or
    crash. (CVE-2020-7060)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload
    functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0
    (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist
    and encounter null pointer dereference, which would likely lead to a crash. (CVE-2020-7062)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive
    using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all
    access) even if the original files on the filesystem were with more restrictive permissions. This may
    result in files having more lax permissions than intended when such archive is extracted. (CVE-2020-7063)

  - In PHP versions 7.2.x below 7.2.33, 7.3.x below 7.3.21 and 7.4.x below 7.4.9, while processing PHAR files
    using phar extension, phar_parse_zipfile could be tricked into accessing freed memory, which could lead to
    a crash or information disclosure. (CVE-2020-7068)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing
    incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like
    __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge
    cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

  - In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like
    filter_var($url, FILTER_VALIDATE_URL), PHP will accept a URL with invalid password as valid URL. This may
    lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components
    of the URL. (CVE-2020-7071)

  - In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to
    connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would
    cause PHP to access a null pointer and thus cause a crash. (CVE-2021-21702)

  - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running
    PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-
    privileged users, it is possible for the child processes to access memory shared with the main process and
    write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and
    writes, which can be used to escalate privileges from local unprivileged user to the root user.
    (CVE-2021-21703)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation
    functionality via filter_var() function with FILTER_VALIDATE_URL parameter, a URL with invalid password
    field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially
    leading to other security implications - like contacting a wrong server or making a wrong access decision.
    (CVE-2021-21705)

  - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing
    functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains
    URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus
    interpreting the filename differently from what the user intended, which may lead it to reading a
    different file than intended. (CVE-2021-21707)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress
    quines gzip files, resulting in an infinite loop. (CVE-2022-31628)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site
    attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or
    `__Secure-` cookie by PHP applications. (CVE-2022-31629)

  - php: PDO::quote() may return unquoted string due to an integer overflow (CVE-2022-31631)

  - A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large
    value leads to a heap buffer overflow. (CVE-2022-4900)

  - In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may
    accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database,
    it may lead to an application allowing any password for this entry as valid. (CVE-2023-0567)

  - In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function
    allocates a buffer one byte too small. When resolving paths with lengths close to the system MAXPATHLEN
    setting, this may lead to the byte after the allocated buffer being overwritten with a NUL value, which
    might lead to unauthorized data access or modification. (CVE-2023-0568)

  - In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest
    Authentication, the random value generator was not checked for failure, and was using a narrower range of
    values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits
    of uninitialized memory from the client to the server, and it also made it easier for a malicious server
    to guess the client's nonce. (CVE-2023-3247)

  - In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open()
    command with array syntax, due to insufficient escaping, if the arguments of the executed command are
    controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in
    Windows shell. (CVE-2024-1874)

  - Due to an incomplete fix to CVE-2022-31629 (https://github.com/advisories/GHSA-c43m-486j-j32p), network and
    same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a
    __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756)

  - In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with
    password_hash() starts with a null byte (\x00), testing a blank string as the password via
    password_verify() will incorrectly return true. (CVE-2024-3096)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2554");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-9641");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'php imap_open Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php53");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '6')) audit(AUDIT_OS_NOT, 'Red Hat 6.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'gd', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gd', 'cves':['CVE-2016-3074']},
      {'reference':'php', 'release':'6', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'php'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gd / php');
}
Vendor   Product           Version  CPE
redhat   enterprise_linux  5        cpe:/o:redhat:enterprise_linux:5
redhat   enterprise_linux  6        cpe:/o:redhat:enterprise_linux:6
redhat   enterprise_linux  7        cpe:/o:redhat:enterprise_linux:7
redhat   enterprise_linux  8        cpe:/o:redhat:enterprise_linux:8
redhat   enterprise_linux  gd       p-cpe:/a:redhat:enterprise_linux:gd
redhat   enterprise_linux  php      p-cpe:/a:redhat:enterprise_linux:php
redhat   enterprise_linux  php53    p-cpe:/a:redhat:enterprise_linux:php53