SUSE-SU-2013:1351-1

Security update for PHP5 (important)

2013-08-16 21:04:11
lists.opensuse.org

php5 has been updated to roll up all pending security fixes
for Long Term Service Pack Support.

The following security issues have been fixed:

CVE-2013-4635: Integer overflow in the SdnToJewish
function in jewish.c in the Calendar component in PHP
allowed context-dependent attackers to cause a denial of
service (application hang) via a large argument to the
jdtojewish function.

CVE-2013-1635: ext/soap/soap.c in PHP did not
validate the relationship between the soap.wsdl_cache_dir
directive and the open_basedir directive, which allowed
remote attackers to bypass intended access restrictions by
triggering the creation of cached SOAP WSDL files in an
arbitrary directory.

CVE-2013-1643: The SOAP parser in PHP allowed remote
attackers to read arbitrary files via a SOAP WSDL file
containing an XML external entity declaration in
conjunction with an entity reference, related to an XML
External Entity (XXE) issue in the soap_xmlParseFile and
soap_xmlParseMemory functions.

CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27
did not properly consider parsing depth, which allowed
remote attackers to cause a denial of service (heap memory
corruption) or possibly have unspecified other impact via a
crafted document that is processed by the
xml_parse_into_struct function.

CVE-2011-1398 / CVE-2012-4388: The sapi_header_op
function in main/SAPI.c in PHP did not check for %0D
sequences (aka carriage return characters), which allowed
remote attackers to bypass an HTTP response-splitting
protection mechanism via a crafted URL, related to improper
interaction between the PHP header function and certain
browsers, as demonstrated by Internet Explorer and Google
Chrome.

CVE-2012-2688: An unspecified vulnerability in the
_php_stream_scandir function in the stream implementation
in PHP had unknown impact and remote attack vectors,
related to an "overflow."

CVE-2012-3365: The SQLite functionality in PHP before
5.3.15 allowed remote attackers to bypass the open_basedir
protection mechanism via unspecified vectors.

CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when
configured as a CGI script (aka php-cgi), did not properly
handle query strings that lack an = (equals sign)
character, which allowed remote attackers to execute
arbitrary code by placing command-line options in the query
string, related to lack of skipping a certain php_getopt
for the ‘d’ case.

CVE-2012-2335: php-wrapper.fcgi did not properly
handle command-line arguments, which allowed remote
attackers to bypass a protection mechanism in PHP and
execute arbitrary code by leveraging improper interaction
between the PHP sapi/cgi/cgi_main.c component and a query
string beginning with a +- sequence.

CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when
configured as a CGI script (aka php-cgi), did not properly
handle query strings that lack an = (equals sign)
character, which allowed remote attackers to cause a denial
of service (resource consumption) by placing command-line
options in the query string, related to lack of skipping a
certain php_getopt for the ‘T’ case. NOTE: this
vulnerability exists because of an incomplete fix for
CVE-2012-1823.

CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when
configured as a CGI script (aka php-cgi), did not properly
handle query strings that contain a %3D sequence but no =
(equals sign) character, which allowed remote attackers to
execute arbitrary code by placing command-line options in
the query string, related to lack of skipping a certain
php_getopt for the ‘d’ case. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2012-1823.

CVE-2012-1172: The file-upload implementation in
rfc1867.c in PHP did not properly handle invalid [ (open
square bracket) characters in name values, which makes it
easier for remote attackers to cause a denial of service
(malformed $_FILES indexes) or conduct directory traversal
attacks during multi-file uploads by leveraging a script
that lacks its own filename restrictions.

CVE-2012-0830: The php_register_variable_ex function
in php_variables.c in PHP allowed remote attackers to
execute arbitrary code via a request containing a large
number of variables, related to improper handling of array
variables. NOTE: this vulnerability exists because of an
incorrect fix for CVE-2011-4885.

CVE-2012-0807: Stack-based buffer overflow in the
suhosin_encrypt_single_cookie function in the transparent
cookie-encryption feature in the Suhosin extension before
0.9.33 for PHP, when suhosin.cookie.encrypt and
suhosin.multiheader are enabled, might have allowed remote
attackers to execute arbitrary code via a long string that
is used in a Set-Cookie HTTP header.

CVE-2012-0057: PHP had improper libxslt security
settings, which allowed remote attackers to create
arbitrary files via a crafted XSLT stylesheet that uses the
libxslt output extension.

CVE-2012-0831: PHP did not properly perform a
temporary change to the magic_quotes_gpc directive during
the importing of environment variables, which made it
easier for remote attackers to conduct SQL injection
attacks via a crafted request, related to
main/php_variables.c, sapi/cgi/cgi_main.c, and
sapi/fpm/fpm/fpm_main.c.

CVE-2011-4153: PHP did not always check the return
value of the zend_strndup function, which might have
allowed remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via crafted
input to an application that performs strndup operations on
untrusted string data, as demonstrated by the define
function in zend_builtin_functions.c, and unspecified
functions in ext/soap/php_sdl.c, ext/standard/syslog.c,
ext/standard/browscap.c, ext/oci8/oci8.c,
ext/com_dotnet/com_typeinfo.c, and
main/php_open_temporary_file.c.

CVE-2012-0781: The tidy_diagnose function in PHP
might have allowed remote attackers to cause a denial of
service (NULL pointer dereference and application crash)
via crafted input to an application that attempts to
perform Tidy::diagnose operations on invalid objects, a
different vulnerability than CVE-2011-4153.

CVE-2012-0788: The PDORow implementation in PHP did
not properly interact with the session feature, which
allowed remote attackers to cause a denial of service
(application crash) via a crafted application that uses a
PDO driver for a fetch and then calls the session_start
function, as demonstrated by a crash of the Apache HTTP
Server.

CVE-2012-0789: Memory leak in the timezone
functionality in PHP allowed remote attackers to cause a
denial of service (memory consumption) by triggering many
strtotime function calls, which were not properly handled
by the php_date_parse_tzfile cache.

CVE-2011-4885: PHP computed hash values for form
parameters without restricting the ability to trigger hash
collisions predictably, which allowed remote attackers to
cause a denial of service (CPU consumption) by sending many
crafted parameters. We added a max_input_vars directive to
prevent attacks based on hash collisions.

CVE-2011-4566: Integer overflow in the
exif_process_IFD_TAG function in exif.c in the exif
extension in PHP allowed remote attackers to read the
contents of arbitrary memory locations or cause a denial of
service via a crafted offset_val value in an EXIF header in
a JPEG file, a different vulnerability than CVE-2011-0708.

CVE-2011-3182: PHP did not properly check the return
values of the malloc, calloc, and realloc library
functions, which allowed context-dependent attackers to
cause a denial of service (NULL pointer dereference and
application crash) or trigger a buffer overflow by
leveraging the ability to provide an arbitrary value for a
function argument, related to (1) ext/curl/interface.c, (2)
ext/date/lib/parse_date.c, (3)
ext/date/lib/parse_iso_intervals.c, (4)
ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6)
ext/pdo_odbc/pdo_odbc.c, (7)
ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c,
(9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c,
and (11) the strtotime function.

CVE-2011-1466: Integer overflow in the SdnToJulian
function in the Calendar extension in PHP allowed
context-dependent attackers to cause a denial of service
(application crash) via a large integer in the first
argument to the cal_from_jd function.

CVE-2011-1072: The installer in PEAR allowed local
users to overwrite arbitrary files via a symlink attack on
the package.xml file, related to the (1) download_dir, (2)
cache_dir, (3) tmp_dir, and (4) pear-build-download
directories, a different vulnerability than CVE-2007-2519.

CVE-2011-2202: The rfc1867_post_handler function in
main/rfc1867.c in PHP did not properly restrict filenames
in multipart/form-data POST requests, which allowed remote
attackers to conduct absolute path traversal attacks, and
possibly create or overwrite arbitrary files, via a crafted
upload request, related to a "file path injection
vulnerability."
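
Several of the items above have a configuration side that an administrator can verify on a patched host. As an added defender-side check (not part of this advisory or of the PHP project), the following Python audits the php.ini directives named for CVE-2011-4885 (max_input_vars), CVE-2013-1635 (soap.wsdl_cache_dir versus open_basedir) and CVE-2012-0807 (suhosin.cookie.encrypt together with suhosin.multiheader); the ini fragments are constructed and the parser is a deliberate simplification of PHP's own.

```python
import posixpath

def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings

def _inside(path, base):
    # Directory containment on POSIX paths. This is stricter than PHP's own
    # open_basedir test, which is a plain prefix match (/dir/incl also admits /dir/include).
    return (posixpath.normpath(path) + "/").startswith(posixpath.normpath(base) + "/")

def audit(settings):
    """Return one finding per advisory item whose configuration side is still weak."""
    on = {"1", "on", "true", "yes"}
    findings = []
    miv = settings.get("max_input_vars", "")
    if not miv.isdigit() or int(miv) <= 0:
        findings.append("CVE-2011-4885: max_input_vars not set to a positive limit")
    base = settings.get("open_basedir", "")
    cache = settings.get("soap.wsdl_cache_dir", "")
    # open_basedir entries are ':'-separated on Linux (';' on Windows).
    if base and cache and not any(_inside(cache, b) for b in base.split(":") if b):
        findings.append("CVE-2013-1635: soap.wsdl_cache_dir lies outside open_basedir")
    if (settings.get("suhosin.cookie.encrypt", "").lower() in on
            and settings.get("suhosin.multiheader", "").lower() in on):
        findings.append("CVE-2012-0807: suhosin.cookie.encrypt and suhosin.multiheader both on")
    return findings

# Constructed sample fragments, not taken from any real system.
WEAK_INI = """[PHP]
open_basedir = "/srv/www/htdocs:/tmp"
soap.wsdl_cache_dir = "/var/cache/php-wsdl"   ; outside both open_basedir entries
suhosin.cookie.encrypt = On
suhosin.multiheader = On
"""
HARDENED_INI = """[PHP]
max_input_vars = 1000
open_basedir = "/srv/www/htdocs:/tmp"
soap.wsdl_cache_dir = "/tmp/php-wsdl"
suhosin.cookie.encrypt = On
suhosin.multiheader = Off
"""
```

Run `audit(parse_php_ini(open("/etc/php5/apache2/php.ini").read()))` against a real file; the weak fragment yields three findings and the hardened one none.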

Bugfixes:

  • fixed php bug #43200 (Interface implementation /
    inheritence not possible in abstract classes) [bnc#783239]
  • use FilesMatch with ‘SetHandler’ rather than
    ‘AddHandler’ [bnc#775852]
  • fixed unpredictable unpack()/pack() behaviour
    [bnc#753778]
  • memory corruption in parse_ini_string() [bnc#742806]
  • amend README.SUSE to discourage using apache module
    with apache2-worker [bnc#728671]
  • allow uploading files bigger than 2GB for 64bit
    systems [bnc#709549]
