Nessus plugin: REDHAT_UNPATCHED-PHP-RHEL7.NASL
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
May 11, 2024 - 12:00 a.m.

RHEL 7 : php (Unpatched Vulnerability)

www.tenable.com

The remote Red Hat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  • php: Use of uninitialized memory in unserialize() (CVE-2017-5340)

  • The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
    (CVE-2016-10158)

  • Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (CVE-2016-10159)

  • Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (CVE-2016-10160)

  • The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
    (CVE-2016-10161)

  • The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (CVE-2016-10162)

  • In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c). (CVE-2016-10397)

  • In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For example, a $uri = stream_get_meta_data(fopen($file, "r"))['uri'] call mishandles the case where $file is data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker. (CVE-2016-10712)

  • Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data, which triggers a heap-based buffer overflow. (CVE-2016-3074)

  • Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element. (CVE-2016-3141)

  • The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid location. (CVE-2016-3142)

  • The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c. (CVE-2016-3185)

  • The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the phar_analyze_path function in ext/phar/phar.c. (CVE-2016-4072)

  • Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.
    (CVE-2016-4073)

  • ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-length uncompressed data, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive. (CVE-2016-4342)

  • The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
    (CVE-2016-4343)

  • The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. (CVE-2016-4537)

  • The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the zero, one, or two global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call. (CVE-2016-4538)

  • The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero. (CVE-2016-4539)

  • The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. (CVE-2016-4540)

  • The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset. (CVE-2016-4541)

  • The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4542)

  • The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data. (CVE-2016-4543)

  • The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4544)

  • The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before 5.6.22, and 7.x before 7.0.7 does not ensure the presence of a ‘\0’ character, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted locale_get_primary_language call. (CVE-2016-5093)

  • Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a large output string from the htmlspecialchars function. (CVE-2016-5094)

  • Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large integer in the second argument. (CVE-2016-5096)

  • sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the semantics of the snprintf return value, which allows attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as demonstrated by a long URI in a configuration with custom REQUEST_URI logging. (CVE-2016-5114)

  • spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
    (CVE-2016-5771)

  • Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in a wddx_deserialize call. (CVE-2016-5772)

  • php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object. (CVE-2016-5773)

  • The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. (CVE-2016-6288)

  • Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. (CVE-2016-6289)

  • ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. (CVE-2016-6290)

  • The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. (CVE-2016-6291)

  • The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image. (CVE-2016-6292)

  • The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument. (CVE-2016-6294)

  • ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773. (CVE-2016-6295)

  • Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function. (CVE-2016-6296)

  • Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. (CVE-2016-6297)

  • ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
    (CVE-2016-7124)

  • ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection. (CVE-2016-7125)

  • The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate the number of colors, which allows remote attackers to cause a denial of service (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a large value in the third argument. (CVE-2016-7126)

  • The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by providing different signs for the second and third arguments.
    (CVE-2016-7127)

  • The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image. (CVE-2016-7128)

  • The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a dateTime element in a wddxPacket XML document. (CVE-2016-7129)

  • The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize call that mishandles a binary element in a wddxPacket XML document. (CVE-2016-7130)

  • ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag that lacks a < (less than) character. (CVE-2016-7131)

  • ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing. (CVE-2016-7132)

  • ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object. (CVE-2016-7411)

  • ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata. (CVE-2016-7412)

  • Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call. (CVE-2016-7413)

  • The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c. (CVE-2016-7414)

  • ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument. (CVE-2016-7416)

  • ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data. (CVE-2016-7417)

  • The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (CVE-2016-7418)

  • Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. (CVE-2016-7478)

  • In all versions of PHP 7, during the unserialization process, resizing the ‘properties’ hash table of a serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution. (CVE-2016-7479)

  • The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. (CVE-2016-7480)

  • Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27 and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. (CVE-2016-9137)

  • PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
    (CVE-2016-9138)

  • ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. (CVE-2016-9934)

  • The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. (CVE-2016-9935)

  • The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
    (CVE-2016-9936)

  • In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c. (CVE-2017-11143)

  • In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission. (CVE-2017-11144)

  • In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension’s timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist. (CVE-2017-11145)

  • In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c. (CVE-2017-11147)

  • In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact within International Components for Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function. (CVE-2017-11362)

  • In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system’s php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives. (CVE-2017-11628)

  • The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data.
    Exploitation of this issue can have an unspecified impact on the integrity of PHP. (CVE-2017-12933)

  • In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension’s timelib_meridian handling of ‘front of’ and ‘back of’ directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.
    (CVE-2017-16642)

  • PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function. (CVE-2017-7272)

  • An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user’s PHP applications by running gcore on the PID of the PHP-FPM worker process. (CVE-2018-10545)

  • An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences. (CVE-2018-10546)

  • An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value. (CVE-2018-10548)

  • exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file. (CVE-2018-14851)

  • The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before 7.2.10 allows XSS via the body of a Transfer-Encoding: chunked request, because the bucket brigade is mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c. (CVE-2018-17082)

  • When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. (CVE-2019-11034)

  • When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash. (CVE-2019-11035)

  • When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and 7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash. (CVE-2019-11036)

  • Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may lead to information disclosure or crash. (CVE-2019-11039)

  • An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way rename() across filesystems is implemented, it is possible that file being renamed is briefly available with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
    (CVE-2019-9637)

  • An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the maker_note->offset relationship to value_len. (CVE-2019-9638)

  • An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an Invalid Read in exif_process_SOFn. (CVE-2019-9640)

  • In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

  • In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would cause PHP to access a null pointer and thus cause a crash. (CVE-2021-21702)

  • In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from local unprivileged user to the root user. (CVE-2021-21703)

  • In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially leading to other security implications - like contacting a wrong server or making a wrong access decision.
    (CVE-2021-21705)

  • In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus interpreting the filename differently from what the user intended, which may lead it to reading a different file than intended. (CVE-2021-21707)

  • In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress quines gzip files, resulting in an infinite loop. (CVE-2022-31628)

  • In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim’s browser which is treated as a __Host- or __Secure- cookie by PHP applications. (CVE-2022-31629)

  • php: PDO::quote() may return unquoted string due to an integer overflow (CVE-2022-31631)

  • A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large value leads to a heap buffer overflow. (CVE-2022-4900)

  • In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid. (CVE-2023-0567)

  • In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, the core path resolution function allocates a buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification. (CVE-2023-0568)

  • In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, the random value generator was not checked for failure and was using a narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made it easier for a malicious server to guess the client’s nonce. (CVE-2023-3247)

  • In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell. (CVE-2024-1874)

  • Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p, network and same-site attackers can set a standard insecure cookie in the victim’s browser which is treated as a __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756)

  • In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true. (CVE-2024-3096)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory php. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(196189);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");

  script_cve_id(
    "CVE-2016-2554",
    "CVE-2016-3074",
    "CVE-2016-3141",
    "CVE-2016-3142",
    "CVE-2016-3185",
    "CVE-2016-4072",
    "CVE-2016-4073",
    "CVE-2016-4342",
    "CVE-2016-4343",
    "CVE-2016-4537",
    "CVE-2016-4538",
    "CVE-2016-4539",
    "CVE-2016-4540",
    "CVE-2016-4541",
    "CVE-2016-4542",
    "CVE-2016-4543",
    "CVE-2016-4544",
    "CVE-2016-5093",
    "CVE-2016-5094",
    "CVE-2016-5096",
    "CVE-2016-5114",
    "CVE-2016-5771",
    "CVE-2016-5772",
    "CVE-2016-5773",
    "CVE-2016-6288",
    "CVE-2016-6289",
    "CVE-2016-6290",
    "CVE-2016-6291",
    "CVE-2016-6292",
    "CVE-2016-6294",
    "CVE-2016-6295",
    "CVE-2016-6296",
    "CVE-2016-6297",
    "CVE-2016-7124",
    "CVE-2016-7125",
    "CVE-2016-7126",
    "CVE-2016-7127",
    "CVE-2016-7128",
    "CVE-2016-7129",
    "CVE-2016-7130",
    "CVE-2016-7131",
    "CVE-2016-7132",
    "CVE-2016-7411",
    "CVE-2016-7412",
    "CVE-2016-7413",
    "CVE-2016-7414",
    "CVE-2016-7416",
    "CVE-2016-7417",
    "CVE-2016-7418",
    "CVE-2016-7478",
    "CVE-2016-7479",
    "CVE-2016-7480",
    "CVE-2016-9137",
    "CVE-2016-9138",
    "CVE-2016-9934",
    "CVE-2016-9935",
    "CVE-2016-9936",
    "CVE-2016-10158",
    "CVE-2016-10159",
    "CVE-2016-10160",
    "CVE-2016-10161",
    "CVE-2016-10162",
    "CVE-2016-10397",
    "CVE-2016-10712",
    "CVE-2017-5340",
    "CVE-2017-7272",
    "CVE-2017-11143",
    "CVE-2017-11144",
    "CVE-2017-11145",
    "CVE-2017-11147",
    "CVE-2017-11362",
    "CVE-2017-11628",
    "CVE-2017-12933",
    "CVE-2017-16642",
    "CVE-2018-10545",
    "CVE-2018-10546",
    "CVE-2018-10548",
    "CVE-2018-14851",
    "CVE-2018-17082",
    "CVE-2019-9637",
    "CVE-2019-9638",
    "CVE-2019-9640",
    "CVE-2019-11034",
    "CVE-2019-11035",
    "CVE-2019-11036",
    "CVE-2019-11039",
    "CVE-2020-7070",
    "CVE-2021-21702",
    "CVE-2021-21703",
    "CVE-2021-21705",
    "CVE-2021-21707",
    "CVE-2022-4900",
    "CVE-2022-31628",
    "CVE-2022-31629",
    "CVE-2022-31631",
    "CVE-2023-0567",
    "CVE-2023-0568",
    "CVE-2023-3247",
    "CVE-2024-1874",
    "CVE-2024-2756",
    "CVE-2024-3096"
  );

  script_name(english:"RHEL 7 : php (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - php: buffer overflow in handling of long link names in tar phar archives (CVE-2016-2554)

  - php: Use of uninitialized memory in unserialize() (CVE-2017-5340)

  - The exif_convert_any_to_int function in ext/exif/exif.c in PHP before 5.6.30, 7.0.x before 7.0.15, and
    7.1.x before 7.1.1 allows remote attackers to cause a denial of service (application crash) via crafted
    EXIF data that triggers an attempt to divide the minimum representable negative integer by -1.
    (CVE-2016-10158)

  - Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x
    before 7.0.15 allows remote attackers to cause a denial of service (memory consumption or application
    crash) via a truncated manifest entry in a PHAR archive. (CVE-2016-10159)

  - Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x
    before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute
    arbitrary code via a crafted PHAR archive with an alias mismatch. (CVE-2016-10160)

  - The object_common1 function in ext/standard/var_unserializer.c in PHP before 5.6.30, 7.0.x before 7.0.15,
    and 7.1.x before 7.1.1 allows remote attackers to cause a denial of service (buffer over-read and
    application crash) via crafted serialized data that is mishandled in a finish_nested_data call.
    (CVE-2016-10161)

  - The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7.0.x before 7.0.15 and 7.1.x before 7.1.1
    allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via
    an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize
    call. (CVE-2016-10162)

  - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser
    could be used by attackers to bypass hostname-specific URL checks, as demonstrated by
    evil.example.com:80#@good.example.com/ and evil.example.com:80?@good.example.com/ inputs to the parse_url
    function (implemented in the php_url_parse_ex function in ext/standard/url.c). (CVE-2016-10397)

  - In PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3, all of the return values of
    stream_get_meta_data can be controlled if the input can be controlled (e.g., during file uploads). For
    example, a $uri = stream_get_meta_data(fopen($file, r))['uri'] call mishandles the case where $file is
    data:text/plain;uri=eviluri, -- in other words, metadata can be set by an attacker. (CVE-2016-10712)

  - Integer signedness error in GD Graphics Library 2.1.1 (aka libgd or libgd2) allows remote attackers to
    cause a denial of service (crash) or potentially execute arbitrary code via crafted compressed gd2 data,
    which triggers a heap-based buffer overflow. (CVE-2016-3074)

  - Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19
    allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly
    have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var
    element. (CVE-2016-3141)

  - The phar_parse_zipfile function in zip.c in the PHAR extension in PHP before 5.5.33 and 5.6.x before
    5.6.19 allows remote attackers to obtain sensitive information from process memory or cause a denial of
    service (out-of-bounds read and application crash) by placing a PK\x05\x06 signature at an invalid
    location. (CVE-2016-3142)

  - The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28,
    5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from
    process memory or cause a denial of service (type confusion and application crash) via crafted serialized
    _cookies data, related to the SoapClient::__call method in ext/soap/soap.c. (CVE-2016-3185)

  - The Phar extension in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers
    to execute arbitrary code via a crafted filename, as demonstrated by mishandling of \0 characters by the
    phar_analyze_path function in ext/phar/phar.c. (CVE-2016-4072)

  - Multiple integer overflows in the mbfl_strcut function in ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP
    before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allow remote attackers to cause a denial of
    service (application crash) or possibly execute arbitrary code via a crafted mb_strcut call.
    (CVE-2016-4073)

  - ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18, and 7.x before 7.0.3 mishandles zero-
    length uncompressed data, which allows remote attackers to cause a denial of service (heap memory
    corruption) or possibly have unspecified other impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive.
    (CVE-2016-4342)

  - The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3
    mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service
    (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
    (CVE-2016-4343)

  - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
    7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial
    of service or possibly have unspecified other impact via a crafted call. (CVE-2016-4537)

  - The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before
    7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_,
    or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have
    unspecified other impact via a crafted call. (CVE-2016-4538)

  - The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x
    before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation
    fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a
    parser level of zero. (CVE-2016-4539)

  - The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before
    5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or
    possibly have unspecified other impact via a negative offset. (CVE-2016-4540)

  - The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before
    5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or
    possibly have unspecified other impact via a negative offset. (CVE-2016-4541)

  - The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x
    before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a
    denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4542)

  - The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and
    7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service
    (out-of-bounds read) or possibly have unspecified other impact via crafted header data. (CVE-2016-4543)

  - The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and
    7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of
    service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
    (CVE-2016-4544)

  - The get_icu_value_internal function in ext/intl/locale/locale_methods.c in PHP before 5.5.36, 5.6.x before
    5.6.22, and 7.x before 7.0.7 does not ensure the presence of a '\0' character, which allows remote
    attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via
    a crafted locale_get_primary_language call. (CVE-2016-5093)

  - Integer overflow in the php_html_entities function in ext/standard/html.c in PHP before 5.5.36 and 5.6.x
    before 5.6.22 allows remote attackers to cause a denial of service or possibly have unspecified other
    impact by triggering a large output string from the htmlspecialchars function. (CVE-2016-5094)

  - Integer overflow in the fread function in ext/standard/file.c in PHP before 5.5.36 and 5.6.x before 5.6.22
    allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large
    integer in the second argument. (CVE-2016-5096)

  - sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 misinterprets the
    semantics of the snprintf return value, which allows attackers to obtain sensitive information from
    process memory or cause a denial of service (out-of-bounds read and buffer overflow) via a long string, as
    demonstrated by a long URI in a configuration with custom REQUEST_URI logging. (CVE-2016-5114)

  - spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with
    the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary
    code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
    (CVE-2016-5771)

  - Double free vulnerability in the php_wddx_process_data function in wddx.c in the WDDX extension in PHP
    before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 allows remote attackers to cause a denial of
    service (application crash) or possibly execute arbitrary code via crafted XML data that is mishandled in
    a wddx_deserialize call. (CVE-2016-5772)

  - php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly
    interacts with the unserialize implementation and garbage collection, which allows remote attackers to
    execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted
    serialized data containing a ZipArchive object. (CVE-2016-5773)

  - The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause
    a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the
    smart_str data type. (CVE-2016-6288)

  - Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x
    before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based
    buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP
    archive. (CVE-2016-6289)

  - ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly
    maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-
    after-free) or possibly have unspecified other impact via vectors related to session deserialization.
    (CVE-2016-6290)

  - The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24,
    and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and
    memory corruption), obtain sensitive information from process memory, or possibly have unspecified other
    impact via a crafted JPEG image. (CVE-2016-6291)

  - The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and
    7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and
    application crash) via a crafted JPEG image. (CVE-2016-6292)

  - The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x
    before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU
    uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-
    bounds read) or possibly have unspecified other impact via a call with a long argument. (CVE-2016-6294)

  - ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with
    the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of
    service (use-after-free and application crash) or possibly have unspecified other impact via crafted
    serialized data, a related issue to CVE-2016-5773. (CVE-2016-6295)

  - Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2,
    as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause
    a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long
    first argument to the PHP xmlrpc_encode_request function. (CVE-2016-6296)

  - Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x
    before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based
    buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. (CVE-2016-6297)

  - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid
    objects, which allows remote attackers to cause a denial of service or possibly have unspecified other
    impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
    (CVE-2016-7124)

  - ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that
    triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by
    leveraging control of a session name, as demonstrated by object injection. (CVE-2016-7125)

  - The imagetruecolortopalette function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not
    properly validate the number of colors, which allows remote attackers to cause a denial of service
    (select_colors allocation error and out-of-bounds write) or possibly have unspecified other impact via a
    large value in the third argument. (CVE-2016-7126)

  - The imagegammacorrect function in ext/gd/gd.c in PHP before 5.6.25 and 7.x before 7.0.10 does not properly
    validate gamma values, which allows remote attackers to cause a denial of service (out-of-bounds write) or
    possibly have unspecified other impact by providing different signs for the second and third arguments.
    (CVE-2016-7127)

  - The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before 5.6.25 and 7.x before 7.0.10
    mishandles the case of a thumbnail offset that exceeds the file size, which allows remote attackers to
    obtain sensitive information from process memory via a crafted TIFF image. (CVE-2016-7128)

  - The php_wddx_process_data function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
    remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other
    impact via an invalid ISO 8601 time value, as demonstrated by a wddx_deserialize call that mishandles a
    dateTime element in a wddxPacket XML document. (CVE-2016-7129)

  - The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
    remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly
    have unspecified other impact via an invalid base64 binary value, as demonstrated by a wddx_deserialize
    call that mishandles a binary element in a wddxPacket XML document. (CVE-2016-7130)

  - ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of
    service (NULL pointer dereference and application crash) or possibly have unspecified other impact via a
    malformed wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a tag
    that lacks a < (less than) character. (CVE-2016-7131)

  - ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of
    service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an
    invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray
    element inside a boolean element, leading to incorrect pop processing. (CVE-2016-7132)

  - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which
    allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified
    other impact via an unserialize call that references a partially constructed object. (CVE-2016-7411)

  - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT
    field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-
    based buffer overflow) or possibly have unspecified other impact via crafted field metadata.
    (CVE-2016-7412)

  - Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26
    and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified
    other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to
    mishandling in a wddx_deserialize call. (CVE-2016-7413)

  - The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the
    uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service
    (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive,
    related to ext/phar/util.c and ext/phar/zip.c. (CVE-2016-7414)

  - ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly
    restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers
    to cause a denial of service (application crash) or possibly have unspecified other impact via a
    MessageFormatter::formatMessage call with a long first argument. (CVE-2016-7416)

  - ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization
    without validating a return value and data type, which allows remote attackers to cause a denial of
    service or possibly have unspecified other impact via crafted serialized data. (CVE-2016-7417)

  - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows
    remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly
    have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to
    mishandling in a wddx_deserialize call. (CVE-2016-7418)

  - Zend/zend_exceptions.c in PHP, possibly 5.x before 5.6.28 and 7.x before 7.0.13, allows remote attackers
    to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related
    issue to CVE-2015-8876. (CVE-2016-7478)

  - In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a
    serialized object may lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary
    code execution. (CVE-2016-7479)

  - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not
    verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial
    of service (uninitialized memory access) via crafted serialized data. (CVE-2016-7480)

  - Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP before 5.6.27
    and 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified
    other impact via crafted serialized data that is mishandled during __wakeup processing. (CVE-2016-9137)

  - PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing,
    which allows remote attackers to cause a denial of service or possibly have unspecified other impact via
    crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.
    (CVE-2016-9138)

  - ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of
    service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as
    demonstrated by a PDORow string. (CVE-2016-9934)

  - The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows
    remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have
    unspecified other impact via an empty boolean element in a wddxPacket XML document. (CVE-2016-9935)

  - The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to
    cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted
    serialized data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6834.
    (CVE-2016-9936)

  - In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by
    attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free
    for an empty boolean element in ext/wddx/wddx.c. (CVE-2017-11143)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code
    did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP
    interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an
    OpenSSL documentation omission. (CVE-2017-11144)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's
    timelib_meridian parsing code could be used by attackers able to supply date strings to leak information
    from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the
    php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit,
    not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist. (CVE-2017-11145)

  - In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying
    malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer
    over-read in the phar_parse_pharfile function in ext/phar/phar.c. (CVE-2017-11147)

  - In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/msgformat_parse.c does not restrict
    the locale length, which allows remote attackers to cause a denial of service (stack-based buffer overflow
    and application crash) or possibly have unspecified other impact within International Components for
    Unicode (ICU) for C/C++ via a long first argument to the msgfmt_parse_message function. (CVE-2017-11362)

  - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the
    zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow
    executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of
    the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application
    for syntax validation of php.ini directives. (CVE-2017-11628)

  - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before
    7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data.
    Exploitation of this issue can have an unspecified impact on the integrity of PHP. (CVE-2017-12933)

  - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's
    timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply
    date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds
    reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.
    (CVE-2017-16642)

  - PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname
    argument with an expectation that the port number is constrained. Because a :port syntax is recognized,
    fsockopen will use the port number that is specified in the hostname argument, instead of the port number
    in the second argument of the function. (CVE-2017-7272)

  - An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before
    7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a
    PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information
    from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM
    worker process. (CVE-2018-10545)

  - An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before
    7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject
    invalid multibyte sequences. (CVE-2018-10546)

  - An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before
    7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference
    and application crash) because of mishandling of the ldap_get_dn return value. (CVE-2018-10548)

  - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before
    7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read
    and application crash) via a crafted JPEG file. (CVE-2018-14851)

  - The Apache2 component in PHP before 5.6.38, 7.0.x before 7.0.32, 7.1.x before 7.1.22, and 7.2.x before
    7.2.10 allows XSS via the body of a Transfer-Encoding: chunked request, because the bucket brigade is
    mishandled in the php_handler function in sapi/apache2handler/sapi_apache2.c. (CVE-2018-17082)

  - When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and
    7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may
    lead to information disclosure or crash. (CVE-2019-11034)

  - When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and
    7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may
    lead to information disclosure or crash. (CVE-2019-11035)

  - When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.29, 7.2.x below 7.2.18 and
    7.3.x below 7.3.5 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may
    lead to information disclosure or crash. (CVE-2019-11036)

  - Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x
    below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may
    lead to information disclosure or crash. (CVE-2019-11039)

  - An issue was discovered in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. Due to the way
    rename() across filesystems is implemented, it is possible that file being renamed is briefly available
    with wrong permissions while the rename is ongoing, thus enabling unauthorized users to access the data.
    (CVE-2019-9637)

  - An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before
    7.3.3. There is an uninitialized read in exif_process_IFD_in_MAKERNOTE because of mishandling the
    maker_note->offset relationship to value_len. (CVE-2019-9638)

  - An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before
    7.3.3. There is an Invalid Read in exif_process_SOFn. (CVE-2019-9640)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing
    incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like
    __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge
    cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

  - In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x below 8.0.2, when using SOAP extension to
    connect to a SOAP server, a malicious SOAP server could return malformed XML data as a response that would
    cause PHP to access a null pointer and thus cause a crash. (CVE-2021-21702)

  - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running
    PHP FPM SAPI with main FPM daemon process running as root and child worker processes running as lower-
    privileged users, it is possible for the child processes to access memory shared with the main process and
    write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and
    writes, which can be used to escalate privileges from local unprivileged user to the root user.
    (CVE-2021-21703)

  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation
    functionality via filter_var() function with FILTER_VALIDATE_URL parameter, an URL with invalid password
    field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially
    leading to other security implications - like contacting a wrong server or making a wrong access decision.
    (CVE-2021-21705)

  - In PHP versions 7.3.x below 7.3.33, 7.4.x below 7.4.26 and 8.0.x below 8.0.13, certain XML parsing
    functions, like simplexml_load_file(), URL-decode the filename passed to them. If that filename contains
    URL-encoded NUL character, this may cause the function to interpret this as the end of the filename, thus
    interpreting the filename differently from what the user intended, which may lead it to reading a
    different file than intended. (CVE-2021-21707)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar uncompressor code would recursively uncompress
    quines gzip files, resulting in an infinite loop. (CVE-2022-31628)

  - In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site
    attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or
    `__Secure-` cookie by PHP applications. (CVE-2022-31629)

  - php: PDO::quote() may return unquoted string due to an integer overflow (CVE-2022-31631)

  - A vulnerability was found in PHP where setting the environment variable PHP_CLI_SERVER_WORKERS to a large
    value leads to a heap buffer overflow. (CVE-2022-4900)

  - In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may
    accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database,
    it may lead to an application allowing any password for this entry as valid. (CVE-2023-0567)

  - In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function
    allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting,
    this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to
    unauthorized data access or modification. (CVE-2023-0568)

  - In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest
    Authentication, random value generator was not checked for failure, and was using narrower range of values
    than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of
    uninitialized memory from the client to the server, and it also made easier to a malicious server to guess
    the client's nonce. (CVE-2023-3247)

  - In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open()
    command with array syntax, due to insufficient escaping, if the arguments of the executed command are
    controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in
    Windows shell. (CVE-2024-1874)

  - Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and
    same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a
    __Host- or __Secure- cookie by PHP applications. (CVE-2024-2756)

  - In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, if a password stored with
    password_hash() starts with a null byte (\x00), testing a blank string as the password via
    password_verify() will incorrectly return true. (CVE-2024-3096)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2554");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-5340");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:php53");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
  exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'gd', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'gd', 'cves':['CVE-2016-3074']},
      {'reference':'php', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'php'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'gd / php');
}

Vendor   Product            Version   CPE
redhat   enterprise_linux   5         cpe:/o:redhat:enterprise_linux:5
redhat   enterprise_linux   6         cpe:/o:redhat:enterprise_linux:6
redhat   enterprise_linux   7         cpe:/o:redhat:enterprise_linux:7
redhat   enterprise_linux   8         cpe:/o:redhat:enterprise_linux:8
redhat   enterprise_linux   gd        p-cpe:/a:redhat:enterprise_linux:gd
redhat   enterprise_linux   php       p-cpe:/a:redhat:enterprise_linux:php
redhat   enterprise_linux   php53     p-cpe:/a:redhat:enterprise_linux:php53

References