SUSE-SU-2016:1638-1
Jun 21, 2016 - 1:08 p.m.

Security update for php53 (important)

2016-06-21 13:08:17
lists.opensuse.org

EPSS: 0.955 (High), percentile 99.2%

This update for php53 to version 5.3.17 fixes the following issues:

These security issues were fixed:

  • CVE-2016-5093: get_icu_value_internal out-of-bounds read (bnc#982010).
  • CVE-2016-5094: Don’t create strings with lengths outside int range
    (bnc#982011).
  • CVE-2016-5095: Don’t create strings with lengths outside int range
    (bnc#982012).
  • CVE-2016-5096: int/size_t confusion in fread (bsc#982013).
  • CVE-2016-5114: fpm_log.c memory leak and buffer overflow (bnc#982162).
  • CVE-2015-8879: The odbc_bindcols function in ext/odbc/php_odbc.c in PHP
    mishandles driver behavior for SQL_WVARCHAR columns, which allowed
    remote attackers to cause a denial of service (application crash) in
    opportunistic circumstances by leveraging use of the odbc_fetch_array
    function to access a certain type of Microsoft SQL Server table
    (bsc#981050).
  • CVE-2015-4116: Use-after-free vulnerability in the spl_ptr_heap_insert
    function in ext/spl/spl_heap.c in PHP allowed remote attackers to
    execute arbitrary code by triggering a failed SplMinHeap::compare
    operation (bsc#980366).
  • CVE-2015-8874: Stack consumption vulnerability in GD in PHP allowed
    remote attackers to cause a denial of service via a crafted
    imagefilltoborder call (bsc#980375).
  • CVE-2015-8873: Stack consumption vulnerability in Zend/zend_exceptions.c
    in PHP allowed remote attackers to cause a denial of service
    (segmentation fault) via recursive method calls (bsc#980373).
  • CVE-2016-4540: The grapheme_stripos function in
    ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to
    cause a denial of service (out-of-bounds read) or possibly have
    unspecified other impact via a negative offset (bsc#978829).
  • CVE-2016-4541: The grapheme_strpos function in
    ext/intl/grapheme/grapheme_string.c in PHP allowed remote attackers to
    cause a denial of service (out-of-bounds read) or possibly have
    unspecified other impact via a negative offset (bsc#978829).
  • CVE-2016-4542: The exif_process_IFD_TAG function in ext/exif/exif.c in
    PHP did not properly construct spprintf arguments, which allowed remote
    attackers to cause a denial of service (out-of-bounds read) or possibly
    have unspecified other impact via crafted header data (bsc#978830).
  • CVE-2016-4543: The exif_process_IFD_in_JPEG function in ext/exif/exif.c
    in PHP did not validate IFD sizes, which allowed remote attackers to
    cause a denial of service (out-of-bounds read) or possibly have
    unspecified other impact via crafted header data (bsc#978830).
  • CVE-2016-4544: The exif_process_TIFF_in_JPEG function in ext/exif/exif.c
    in PHP did not validate TIFF start data, which allowed remote attackers
    to cause a denial of service (out-of-bounds read) or possibly have
    unspecified other impact via crafted header data (bsc#978830).
  • CVE-2016-4537: The bcpowmod function in ext/bcmath/bcmath.c in PHP
    accepted a negative integer for the scale argument, which allowed remote
    attackers to cause a denial of service or possibly have unspecified
    other impact via a crafted call (bsc#978827).
  • CVE-2016-4538: The bcpowmod function in ext/bcmath/bcmath.c in PHP
    modified certain data structures without considering whether they are
    copies of the zero, one, or two global variable, which allowed
    remote attackers to cause a denial of service or possibly have
    unspecified other impact via a crafted call (bsc#978827).
  • CVE-2016-4539: The xml_parse_into_struct function in ext/xml/xml.c in
    PHP allowed remote attackers to cause a denial of service (buffer
    under-read and segmentation fault) or possibly have unspecified other
    impact via crafted XML data in the second argument, leading to a parser
    level of zero (bsc#978828).
  • CVE-2016-4342: ext/phar/phar_object.c in PHP mishandles zero-length
    uncompressed data, which allowed remote attackers to cause a denial of
    service (heap memory corruption) or possibly have unspecified other
    impact via a crafted (1) TAR, (2) ZIP, or (3) PHAR archive (bsc#977991).
  • CVE-2016-4346: Integer overflow in the str_pad function in
    ext/standard/string.c in PHP allowed remote attackers to cause a denial
    of service or possibly have unspecified other impact via a long string,
    leading to a heap-based buffer overflow (bsc#977994).
  • CVE-2016-4073: Multiple integer overflows in the mbfl_strcut function in
    ext/mbstring/libmbfl/mbfl/mbfilter.c in PHP allowed remote attackers to
    cause a denial of service (application crash) or possibly execute
    arbitrary code via a crafted mb_strcut call (bsc#977003).
  • CVE-2015-8867: The openssl_random_pseudo_bytes function in
    ext/openssl/openssl.c in PHP incorrectly relied on the deprecated
    RAND_pseudo_bytes function, which made it easier for remote attackers to
    defeat cryptographic protection mechanisms via unspecified vectors
    (bsc#977005).
  • CVE-2016-4070: Integer overflow in the php_raw_url_encode function in
    ext/standard/url.c in PHP allowed remote attackers to cause a denial of
    service (application crash) via a long string to the rawurlencode
    function (bsc#976997).
  • CVE-2015-8866: ext/libxml/libxml.c in PHP, when PHP-FPM is used, did not
    isolate each thread from libxml_disable_entity_loader changes in other
    threads, which allowed remote attackers to conduct XML External Entity
    (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document,
    a related issue to CVE-2015-5161 (bsc#976996).
  • CVE-2015-8838: ext/mysqlnd/mysqlnd.c in PHP used a client SSL option to
    mean that SSL is optional, which allowed man-in-the-middle attackers to
    spoof servers via a cleartext-downgrade attack, a related issue to
    CVE-2015-3152 (bsc#973792).
  • CVE-2015-8835: The make_http_soap_request function in
    ext/soap/php_http.c in PHP did not properly retrieve keys, which allowed
    remote attackers to cause a denial of service (NULL pointer dereference,
    type confusion, and application crash) or possibly execute arbitrary
    code via crafted serialized data representing a numerically indexed
    _cookies array, related to the SoapClient::__call method in
    ext/soap/soap.c (bsc#973351).
  • CVE-2016-3141: Use-after-free vulnerability in wddx.c in the WDDX
    extension in PHP allowed remote attackers to cause a denial of service
    (memory corruption and application crash) or possibly have unspecified
    other impact by triggering a wddx_deserialize call on XML data
    containing a crafted var element (bsc#969821).
  • CVE-2016-3142: The phar_parse_zipfile function in zip.c in the PHAR
    extension in PHP allowed remote attackers to obtain sensitive
    information from process memory or cause a denial of service
    (out-of-bounds read and application crash) by placing a PK\x05\x06
    signature at an invalid location (bsc#971912).
  • CVE-2014-9767: Directory traversal vulnerability in the
    ZipArchive::extractTo function in ext/zip/php_zip.c in PHP and
    ext/zip/ext_zip.cpp in HHVM allowed remote attackers to create arbitrary
    empty directories via a crafted ZIP archive (bsc#971612).
  • CVE-2016-3185: The make_http_soap_request function in
    ext/soap/php_http.c in PHP allowed remote attackers to obtain sensitive
    information from process memory or cause a denial of service (type
    confusion and application crash) via crafted serialized _cookies data,
    related to the SoapClient::__call method in ext/soap/soap.c (bsc#971611).
  • CVE-2016-2554: Stack-based buffer overflow in ext/phar/tar.c in PHP
    allowed remote attackers to cause a denial of service (application
    crash) or possibly have unspecified other impact via a crafted TAR
    archive (bsc#968284).
  • CVE-2015-7803: The phar_get_entry_data function in ext/phar/util.c in
    PHP allowed remote attackers to cause a denial of service (NULL pointer
    dereference and application crash) via a .phar file with a crafted TAR
    archive entry in which the Link indicator references a file that did not
    exist (bsc#949961).
  • CVE-2015-6831: Multiple use-after-free vulnerabilities in SPL in PHP
    allowed remote attackers to execute arbitrary code via vectors involving
    (1) ArrayObject, (2) SplObjectStorage, and (3) SplDoublyLinkedList,
    which are mishandled during unserialization (bsc#942291).
  • CVE-2015-6833: Directory traversal vulnerability in the PharData class
    in PHP allowed remote attackers to write to arbitrary files via a ..
    (dot dot) in a ZIP archive entry that is mishandled during an extractTo
    call (bsc#942296).
  • CVE-2015-6836: The SoapClient __call method in ext/soap/soap.c in PHP
    did not properly manage headers, which allowed remote attackers to
    execute arbitrary code via crafted serialized data that triggers a "type
    confusion" in the serialize_function_call function (bsc#945428).
  • CVE-2015-6837: The xsl_ext_function_php function in
    ext/xsl/xsltprocessor.c in PHP, when libxml2 is used, did not consider
    the possibility of a NULL valuePop return value before proceeding with a
    free operation during initial error checking, which allowed remote attackers
    to cause a denial of service (NULL pointer dereference and application
    crash) via a crafted XML document, a different vulnerability than
    CVE-2015-6838 (bsc#945412).
  • CVE-2015-6838: The xsl_ext_function_php function in
    ext/xsl/xsltprocessor.c in PHP, when libxml2 is used, did not consider
    the possibility of a NULL valuePop return value before proceeding with a
    free operation after the principal argument loop, which allowed remote
    attackers to cause a denial of service (NULL pointer dereference and
    application crash) via a crafted XML document, a different vulnerability
    than CVE-2015-6837 (bsc#945412).
  • CVE-2015-5590: Stack-based buffer overflow in the phar_fix_filepath
    function in ext/phar/phar.c in PHP allowed remote attackers to cause a
    denial of service or possibly have unspecified other impact via a large
    length value, as demonstrated by mishandling of an e-mail attachment by
    the imap PHP extension (bsc#938719).
  • CVE-2015-5589: The phar_convert_to_other function in
    ext/phar/phar_object.c in PHP did not validate a file pointer before a close
    operation, which allowed remote attackers to cause a denial of service
    (segmentation fault) or possibly have unspecified other impact via a
    crafted TAR archive that is mishandled in a Phar::convertToData call
    (bsc#938721).
  • CVE-2015-4602: The __PHP_Incomplete_Class function in
    ext/standard/incomplete_class.c in PHP allowed remote attackers to cause
    a denial of service (application crash) or possibly execute arbitrary
    code via an unexpected data type, related to a "type confusion" issue
    (bsc#935224).
  • CVE-2015-4599: The SoapFault::__toString method in ext/soap/soap.c in
    PHP allowed remote attackers to obtain sensitive information, cause a
    denial of service (application crash), or possibly execute arbitrary
    code via an unexpected data type, related to a "type confusion" issue
    (bsc#935226).
  • CVE-2015-4600: The SoapClient implementation in PHP allowed remote
    attackers to cause a denial of service (application crash) or possibly
    execute arbitrary code via an unexpected data type, related to "type
    confusion" issues in the (1) SoapClient::__getLastRequest, (2)
    SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders,
    (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies,
    and (6) SoapClient::__setCookie methods (bsc#935226).
  • CVE-2015-4601: PHP allowed remote attackers to cause a denial of service
    (application crash) or possibly execute arbitrary code via an unexpected
    data type, related to "type confusion" issues in (1)
    ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3)
    ext/soap/soap.c, a different issue than CVE-2015-4600 (bsc#935226).
  • CVE-2015-4603: The exception::getTraceAsString function in
    Zend/zend_exceptions.c in PHP allowed remote attackers to execute
    arbitrary code via an unexpected data type, related to a "type
    confusion" issue (bsc#935234).
  • CVE-2015-4644: The php_pgsql_meta_data function in pgsql.c in the
    PostgreSQL (aka pgsql) extension in PHP did not validate token
    extraction for table names, which might have allowed remote attackers to
    cause a denial of service (NULL pointer dereference and application
    crash) via a crafted name. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2015-1352 (bsc#935274).
  • CVE-2015-4643: Integer overflow in the ftp_genlist function in
    ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary
    code via a long reply to a LIST command, leading to a heap-based buffer
    overflow. NOTE: this vulnerability exists because of an incomplete fix
    for CVE-2015-4022 (bsc#935275).
  • CVE-2015-3411: PHP did not ensure that pathnames lack %00 sequences,
    which might have allowed remote attackers to read or write to arbitrary
    files via crafted input to an application that calls (1) a DOMDocument
    load method, (2) the xmlwriter_open_uri function, (3) the finfo_file
    function, or (4) the hash_hmac_file function, as demonstrated by a
    filename\0.xml attack that bypasses an intended configuration in which
    client users may read only .xml files (bsc#935227).
  • CVE-2015-3412: PHP did not ensure that pathnames lack %00 sequences,
    which might have allowed remote attackers to read arbitrary files via
    crafted input to an application that calls the
    stream_resolve_include_path function in ext/standard/streamsfuncs.c, as
    demonstrated by a filename\0.extension attack that bypasses an intended
    configuration in which client users may read files with only one
    specific extension (bsc#935229).
  • CVE-2015-4598: PHP did not ensure that pathnames lack %00 sequences,
    which might have allowed remote attackers to read or write to arbitrary
    files via crafted input to an application that calls (1) a DOMDocument
    save method or (2) the GD imagepsloadfont function, as demonstrated by a
    filename\0.html attack that bypasses an intended configuration in which
    client users may write to only .html files (bsc#935232).
  • CVE-2015-4148: The do_soap_call function in ext/soap/soap.c in PHP did
    not verify that the uri property is a string, which allowed remote
    attackers to obtain sensitive information by providing crafted
    serialized data with an int data type, related to a "type confusion"
    issue (bsc#933227).
  • CVE-2015-4024: Algorithmic complexity vulnerability in the
    multipart_buffer_headers function in main/rfc1867.c in PHP allowed
    remote attackers to cause a denial of service (CPU consumption) via
    crafted form data that triggers an improper order-of-growth outcome
    (bsc#931421).
  • CVE-2015-4026: The pcntl_exec implementation in PHP truncates a pathname
    upon encountering a \x00 character, which might have allowed remote attackers
    to bypass intended extension restrictions and execute files with
    unexpected names via a crafted first argument. NOTE: this vulnerability
    exists because of an incomplete fix for CVE-2006-7243 (bsc#931776).
  • CVE-2015-4022: Integer overflow in the ftp_genlist function in
    ext/ftp/ftp.c in PHP allowed remote FTP servers to execute arbitrary
    code via a long reply to a LIST command, leading to a heap-based buffer
    overflow (bsc#931772).
  • CVE-2015-4021: The phar_parse_tarfile function in ext/phar/tar.c in PHP
    did not verify that the first character of a filename is different from
    the \0 character, which allowed remote attackers to cause a denial of
    service (integer underflow and memory corruption) via a crafted entry in
    a tar archive (bsc#931769).
  • CVE-2015-3329: Multiple stack-based buffer overflows in the
    phar_set_inode function in phar_internal.h in PHP allowed remote
    attackers to execute arbitrary code via a crafted length value in a (1)
    tar, (2) phar, or (3) ZIP archive (bsc#928506).
  • CVE-2015-2783: ext/phar/phar.c in PHP allowed remote attackers to obtain
    sensitive information from process memory or cause a denial of service
    (buffer over-read and application crash) via a crafted length value in
    conjunction with crafted serialized data in a phar archive, related to
    the phar_parse_metadata and phar_parse_pharfile functions (bsc#928511).
  • CVE-2015-2787: Use-after-free vulnerability in the process_nested_data
    function in ext/standard/var_unserializer.re in PHP allowed remote
    attackers to execute arbitrary code via a crafted unserialize call that
    leverages use of the unset function within an __wakeup function, a
    related issue to CVE-2015-0231 (bsc#924972).
  • CVE-2014-9709: The GetCode_ function in gd_gif_in.c in GD 2.1.1 and
    earlier, as used in PHP allowed remote attackers to cause a denial of
    service (buffer over-read and application crash) via a crafted GIF image
    that is improperly handled by the gdImageCreateFromGif function
    (bsc#923945).
  • CVE-2015-2301: Use-after-free vulnerability in the phar_rename_archive
    function in phar_object.c in PHP allowed remote attackers to cause a
    denial of service or possibly have unspecified other impact via vectors
    that trigger an attempted renaming of a Phar archive to the name of an
    existing file (bsc#922452).
  • CVE-2015-2305: Integer overflow in the regcomp implementation in the
    Henry Spencer BSD regex library (aka rxspencer) on 32-bit platforms might
    have allowed context-dependent attackers to execute arbitrary code via a
    large regular expression that leads to a heap-based buffer overflow
    (bsc#921950).
  • CVE-2014-9705: Heap-based buffer overflow in the
    enchant_broker_request_dict function in ext/enchant/enchant.c in PHP
    allowed remote attackers to execute arbitrary code via vectors that
    trigger creation of multiple dictionaries (bsc#922451).
  • CVE-2015-0273: Multiple use-after-free vulnerabilities in
    ext/date/php_date.c in PHP allowed remote attackers to execute arbitrary
    code via crafted serialized input containing a (1) R or (2) r type
    specifier in (a) DateTimeZone data handled by the
    php_date_timezone_initialize_from_hash function or (b) DateTime data
    handled by the php_date_initialize_from_hash function (bsc#918768).
  • CVE-2014-9652: The mconvert function in softmagic.c in file as used in
    the Fileinfo component in PHP did not properly handle a certain
    string-length field during a copy of a truncated version of a Pascal
    string, which might have allowed remote attackers to cause a denial of
    service (out-of-bounds memory access and application crash) via a
    crafted file (bsc#917150).
  • CVE-2014-8142: Use-after-free vulnerability in the process_nested_data
    function in ext/standard/var_unserializer.re in PHP allowed remote
    attackers to execute arbitrary code via a crafted unserialize call that
    leverages improper handling of duplicate keys within the serialized
    properties of an object, a different vulnerability than CVE-2004-1019
    (bsc#910659).
  • CVE-2015-0231: Use-after-free vulnerability in the process_nested_data
    function in ext/standard/var_unserializer.re in PHP allowed remote
    attackers to execute arbitrary code via a crafted unserialize call that
    leverages improper handling of duplicate numerical keys within the
    serialized properties of an object. NOTE: this vulnerability exists
    because of an incomplete fix for CVE-2014-8142 (bsc#910659).
  • CVE-2015-0232: The exif_process_unicode function in ext/exif/exif.c in
    PHP allowed remote attackers to execute arbitrary code or cause a denial
    of service (uninitialized pointer free and application crash) via
    crafted EXIF data in a JPEG image (bsc#914690).
  • CVE-2014-3670: The exif_ifd_make_value function in exif.c in the EXIF
    extension in PHP operates on floating-point arrays incorrectly, which
    allowed remote attackers to cause a denial of service (heap memory
    corruption and application crash) or possibly execute arbitrary code via
    a crafted JPEG image with TIFF thumbnail data that is improperly handled
    by the exif_thumbnail function (bsc#902357).
  • CVE-2014-3669: Integer overflow in the object_custom function in
    ext/standard/var_unserializer.c in PHP allowed remote attackers to cause
    a denial of service (application crash) or possibly execute arbitrary
    code via an argument to the unserialize function that triggers
    calculation of a large length value (bsc#902360).
  • CVE-2014-3668: Buffer overflow in the date_from_ISO8601 function in the
    mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in
    PHP allowed remote attackers to cause a denial of service (application
    crash) via (1) a crafted first argument to the xmlrpc_set_type function
    or (2) a crafted argument to the xmlrpc_decode function, related to an
    out-of-bounds read operation (bsc#902368).
  • CVE-2014-5459: The PEAR_REST class in REST.php in PEAR in PHP allowed
    local users to write to arbitrary files via a symlink attack on a (1)
    rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to
    the retrieveCacheFirst and useLocalCache functions (bsc#893849).
  • CVE-2014-3597: Multiple buffer overflows in the php_parserr function in
    ext/standard/dns.c in PHP allowed remote DNS servers to cause a denial
    of service (application crash) or possibly execute arbitrary code via a
    crafted DNS record, related to the dns_get_record function and the
    dn_expand function. NOTE: this issue exists because of an incomplete fix
    for CVE-2014-4049 (bsc#893853).
  • CVE-2014-4670: Use-after-free vulnerability in ext/spl/spl_dllist.c in
    the SPL component in PHP allowed context-dependent attackers to cause a
    denial of service or possibly have unspecified other impact via crafted
    iterator usage within applications in certain web-hosting environments
    (bsc#886059).
  • CVE-2014-4698: Use-after-free vulnerability in ext/spl/spl_array.c in
    the SPL component in PHP allowed context-dependent attackers to cause a
    denial of service or possibly have unspecified other impact via crafted
    ArrayIterator usage within applications in certain web-hosting
    environments (bsc#886060).
  • CVE-2014-4721: The phpinfo implementation in ext/standard/info.c in PHP
    did not ensure use of the string data type for the PHP_AUTH_PW,
    PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might have
    allowed context-dependent attackers to obtain sensitive information from
    process memory by using the integer data type with crafted values,
    related to a "type confusion" vulnerability, as demonstrated by reading
    a private SSL key in an Apache HTTP Server web-hosting environment with
    mod_ssl and a PHP 5.3.x mod_php (bsc#885961).
  • CVE-2014-0207: The cdf_read_short_sector function in cdf.c in file as
    used in the Fileinfo component in PHP allowed remote attackers to cause
    a denial of service (assertion failure and application exit) via a
    crafted CDF file (bsc#884986).
  • CVE-2014-3478: Buffer overflow in the mconvert function in softmagic.c
    in file as used in the Fileinfo component in PHP allowed remote
    attackers to cause a denial of service (application crash) via a crafted
    Pascal string in a FILE_PSTRING conversion (bsc#884987).
  • CVE-2014-3479: The cdf_check_stream_offset function in cdf.c in file as
    used in the Fileinfo component in PHP relies on incorrect sector-size
    data, which allowed remote attackers to cause a denial of service
    (application crash) via a crafted stream offset in a CDF file
    (bsc#884989).
  • CVE-2014-3480: The cdf_count_chain function in cdf.c in file as used in
    the Fileinfo component in PHP did not properly validate sector-count
    data, which allowed remote attackers to cause a denial of service
    (application crash) via a crafted CDF file (bsc#884990).
  • CVE-2014-3487: The cdf_read_property_info function in file as used in
    the Fileinfo component in PHP did not properly validate a stream offset,
    which allowed remote attackers to cause a denial of service (application
    crash) via a crafted CDF file (bsc#884991).
  • CVE-2014-3515: The SPL component in PHP incorrectly anticipates that
    certain data structures will have the array data type after
    unserialization, which allowed remote attackers to execute arbitrary
    code via a crafted string that triggers use of a Hashtable destructor,
    related to "type confusion" issues in (1) ArrayObject and (2)
    SPLObjectStorage (bsc#884992).

These non-security issues were fixed:

  • bnc#935074: compare with SQL_NULL_DATA correctly
  • bnc#935074: fix segfault in odbc_fetch_array
  • bnc#919080: fix timezone map
  • bnc#925109: unserialize SoapClient type confusion

References