Security update for PHP5 (important)

2013-08-16T21:04:11
ID SUSE-SU-2013:1351-1
Type suse
Reporter Suse
Modified 2013-08-16T21:04:11

Description

php5 has been updated to roll up all pending security fixes for Long Term Service Pack Support.

The following security issues have been fixed:

* CVE-2013-4635: Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP allowed context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.

* CVE-2013-1635: ext/soap/soap.c in PHP did not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allowed remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

* CVE-2013-1643: The SOAP parser in PHP allowed remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.

* CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27 did not properly consider parsing depth, which allowed remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.

* CVE-2011-1398 / CVE-2012-4388: The sapi_header_op function in main/SAPI.c in PHP did not check for %0D sequences (aka carriage return characters), which allowed remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.

* CVE-2012-2688: An unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP had unknown impact and remote attack vectors, related to an "overflow."

* CVE-2012-3365: The SQLite functionality in PHP before 5.3.15 allowed remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.

* CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when configured as a CGI script (aka php-cgi), did not properly handle query strings that lack an = (equals sign) character, which allowed remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

* CVE-2012-2335: php-wrapper.fcgi did not properly handle command-line arguments, which allowed remote attackers to bypass a protection mechanism in PHP and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.

* CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when configured as a CGI script (aka php-cgi), did not properly handle query strings that lack an = (equals sign) character, which allowed remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

* CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when configured as a CGI script (aka php-cgi), did not properly handle query strings that contain a %3D sequence but no = (equals sign) character, which allowed remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.

* CVE-2012-1172: The file-upload implementation in rfc1867.c in PHP did not properly handle invalid [ (open square bracket) characters in name values, which made it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions.

* CVE-2012-0830: The php_register_variable_ex function in php_variables.c in PHP allowed remote attackers to execute arbitrary code via a request containing a large number of variables, related to improper handling of array variables. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4885.

* CVE-2012-0807: Stack-based buffer overflow in the suhosin_encrypt_single_cookie function in the transparent cookie-encryption feature in the Suhosin extension before 0.9.33 for PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled, might have allowed remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header.

* CVE-2012-0057: PHP had improper libxslt security settings, which allowed remote attackers to create arbitrary files via a crafted XSLT stylesheet that uses the libxslt output extension.

* CVE-2012-0831: PHP did not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which made it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.

* CVE-2011-4153: PHP did not always check the return value of the zend_strndup function, which might have allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that performs strndup operations on untrusted string data, as demonstrated by the define function in zend_builtin_functions.c, and unspecified functions in ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c, ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and main/php_open_temporary_file.c.

* CVE-2012-0781: The tidy_diagnose function in PHP might have allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted input to an application that attempts to perform Tidy::diagnose operations on invalid objects, a different vulnerability than CVE-2011-4153.

* CVE-2012-0788: The PDORow implementation in PHP did not properly interact with the session feature, which allowed remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server.

* CVE-2012-0789: Memory leak in the timezone functionality in PHP allowed remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which were not properly handled by the php_date_parse_tzfile cache.

* CVE-2011-4885: PHP computed hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allowed remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. We added a max_input_vars directive to prevent attacks based on hash collisions.

* CVE-2011-4566: Integer overflow in the exif_process_IFD_TAG function in exif.c in the exif extension in PHP allowed remote attackers to read the contents of arbitrary memory locations or cause a denial of service via a crafted offset_val value in an EXIF header in a JPEG file, a different vulnerability than CVE-2011-0708.

* CVE-2011-3182: PHP did not properly check the return values of the malloc, calloc, and realloc library functions, which allowed context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

* CVE-2011-1466: Integer overflow in the SdnToJulian function in the Calendar extension in PHP allowed context-dependent attackers to cause a denial of service (application crash) via a large integer in the first argument to the cal_from_jd function.

* CVE-2011-1072: The installer in PEAR allowed local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519.

* CVE-2011-2202: The rfc1867_post_handler function in main/rfc1867.c in PHP did not properly restrict filenames in multipart/form-data POST requests, which allowed remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a "file path injection vulnerability."
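A defender-side check for the php-cgi entries above (CVE-2012-1823, CVE-2012-2335, CVE-2012-2336 and CVE-2012-2311): an added Python example, not part of this advisory or of PHP, that scans constructed access-log lines for the query-string shapes those entries describe (no literal `=`, a leading `+-`, `%3D` standing in for `=`) so that exposure attempts against not-yet-patched php-cgi hosts show up in web logs. The log lines, addresses and option names are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (not from the advisory). Lines 3 and 4 mimic
# the query-string shapes the php-cgi entries describe: command-line options
# with no '=', a leading '+-', and '%3D' standing in for the missing '='.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Aug/2013:21:04:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.5 - - [16/Aug/2013:21:04:12 +0000] "GET /index.php?q=a%3Db HTTP/1.1" 200 640
203.0.113.9 - - [16/Aug/2013:21:05:01 +0000] "GET /index.php?-d+placeholder_opt%3D1 HTTP/1.1" 200 2048
203.0.113.9 - - [16/Aug/2013:21:05:02 +0000] "GET /index.php?+-T+placeholder HTTP/1.1" 200 2048
203.0.113.7 - - [16/Aug/2013:21:06:00 +0000] "GET /search.php?term HTTP/1.1" 200 300
203.0.113.7 - - [16/Aug/2013:21:06:05 +0000] "POST /index.php HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def raw_query_string(target: str) -> str:
    """Return the still percent-encoded query part of a request target."""
    _, sep, qs = target.partition("?")
    return qs if sep else ""


def looks_like_cgi_argv(qs: str) -> bool:
    """True when php-cgi would have treated the query string as argv.

    The advisory's condition: no literal '=' in the raw query string ('%3D'
    does not count, cf. CVE-2012-2311) and at least one '+'-separated token
    that starts with '-', i.e. a command-line option. The empty first token
    produced by the '+-' sequence of CVE-2012-2335 is skipped so the option
    after it is still seen.
    """
    if not qs or "=" in qs:
        return False
    tokens = (unquote(t) for t in qs.split("+"))
    return any(t.startswith("-") for t in tokens if t)


def scan(log_text: str) -> list:
    """Return (line number, raw query string) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        qs = raw_query_string(m.group("target"))
        if looks_like_cgi_argv(qs):
            hits.append((lineno, qs))
    return hits
```

Line 5 (`?term`, an ISINDEX-style query with no `=` but no leading `-`) is deliberately not flagged, which keeps the check to the option-injection shape rather than every `=`-less query string.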

Bugfixes:

  • fixed php bug #43200 (Interface implementation / inheritance not possible in abstract classes) [bnc#783239]
  • use FilesMatch with 'SetHandler' rather than 'AddHandler' [bnc#775852]
  • fixed unpredictable unpack()/pack() behaviour [bnc#753778]
  • fixed memory corruption in parse_ini_string() [bnc#742806]
  • amend README.SUSE to discourage using the apache module with apache2-worker [bnc#728671]
  • allow uploading files bigger than 2GB on 64bit systems [bnc#709549]