(RHSA-2018:1296) Moderate: rh-php70-php security, bug fix, and enhancement update

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

The following packages have been upgraded to a later upstream version: rh-php70-php (7.0.27). (BZ#1518843)

Security Fix(es):

• php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field (CVE-2016-7412)

• php: Use after free in wddx_deserialize (CVE-2016-7413)

• php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile (CVE-2016-7414)

• php: Stack based buffer overflow in msgfmt_format_message (CVE-2016-7416)

• php: Missing type check when unserializing SplArray (CVE-2016-7417)

• php: Null pointer dereference in php_wddx_push_element (CVE-2016-7418)

• php: Use-after-free vulnerability when resizing the ‘properties’ hash table of a serialized object (CVE-2016-7479)

• php: Invalid read when wddx decodes empty boolean element (CVE-2016-9935)

• php: Use After Free in unserialize() (CVE-2016-9936)

• php: Wrong calculation in exif_convert_any_to_int function (CVE-2016-10158)

• php: Integer overflow in phar_parse_pharfile (CVE-2016-10159)

• php: Off-by-one error in phar_parse_pharfile when loading crafted phar archive (CVE-2016-10160)

• php: Out-of-bounds heap read on unserialize in finish_nested_data() (CVE-2016-10161)

• php: Null pointer dereference when unserializing PHP object (CVE-2016-10162)

• gd: DoS vulnerability in gdImageCreateFromGd2Ctx() (CVE-2016-10167)

• gd: Integer overflow in gd_io.c (CVE-2016-10168)

• php: Use of uninitialized memory in unserialize() (CVE-2017-5340)

• php: Buffer over-read from unitialized data in gdImageCreateFromGifCtx function (CVE-2017-7890)

• oniguruma: Out-of-bounds stack read in match_at() during regular expression searching (CVE-2017-9224)

• oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation (CVE-2017-9226)

• oniguruma: Out-of-bounds stack read in mbc_enc_len() during regular expression searching (CVE-2017-9227)

• oniguruma: Out-of-bounds heap write in bitset_set_range() (CVE-2017-9228)

• oniguruma: Invalid pointer dereference in left_adjust_char_head() (CVE-2017-9229)

• php: Incorrect WDDX deserialization of boolean parameters leads to DoS (CVE-2017-11143)

• php: Incorrect return value check of OpenSSL sealing function leads to crash (CVE-2017-11144)

• php: Out-of-bounds read in phar_parse_pharfile (CVE-2017-11147)

• php: Stack-based buffer over-read in msgfmt_parse_message function (CVE-2017-11362)

• php: Stack based 1-byte buffer over-write in zend_ini_do_op() function Zend/zend_ini_parser.c (CVE-2017-11628)

• php: heap use after free in ext/standard/var_unserializer.re (CVE-2017-12932)

• php: heap use after free in ext/standard/var_unserializer.re (CVE-2017-12934)

• php: reflected XSS in .phar 404 page (CVE-2018-5712)

• php, gd: Stack overflow in gdImageFillToBorder on truecolor images (CVE-2016-9933)

• php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow (CVE-2016-9934)

• php: wddx_deserialize() heap out-of-bound read via php_parse_date() (CVE-2017-11145)

• php: buffer over-read in finish_nested_data function (CVE-2017-12933)

• php: Out-of-bound read in timelib_meridian() (CVE-2017-16642)

• php: Denial of Service (DoS) via infinite loop in libgd gdImageCreateFromGifCtx function in ext/gd/libgd/gd_gif_in.c (CVE-2018-5711)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For details, see the Red Hat Software Collections 3.1 Release Notes linked from the References section.