SB2015071705 - SUSE Linux update for PHP

Description

This security bulletin contains information about 11 secuirty vulnerabilities.

1) Security restrictions bypass (CVE-ID: CVE-2015-3411)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences. A remote attacker can read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename.xml attack that bypasses an intended configuration in which client users may read only .xml files.

2) Information disclosure (CVE-ID: CVE-2015-3412)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences. A remote attacker can read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.

3) Type confusion (CVE-ID: CVE-2015-4148)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string. A remote attacker can trigger memory corruption and obtain sensitive information by providing crafted serialized data with an int data type.

4) Security restrictions bypass (CVE-ID: CVE-2015-4598)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not ensure that pathnames lack %00 sequences. A remote attacker can read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument save method or (2) the GD imagepsloadfont function, as demonstrated by a filename.html attack that bypasses an intended configuration in which client users may write to only .html files.

5) Type confusion (CVE-ID: CVE-2015-4599)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the SoapFault::__toString method in ext/soap/soap.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to obtain sensitive information, cause a denial of service or possibly execute arbitrary code via an unexpected data type.

6) Type confusion (CVE-ID: CVE-2015-4600)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to cause a denial of service or possibly execute arbitrary code via an unexpected data type in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods.

7) Type confusion (CVE-ID: CVE-2015-4601)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in (1) ext/soap/php_encoding.c, (2) ext/soap/php_http.c, and (3) ext/soap/soap.c in PHP before 5.6.7. A remote attacker can trigger memory corruption to cause a denial of service or possibly execute arbitrary code via an unexpected data type.

8) Type confusion (CVE-ID: CVE-2015-4602)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the __PHP_Incomplete_Class function in ext/standard/incomplete_class.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to cause a denial of service or possibly execute arbitrary code via an unexpected data type.

9) Type confusion (CVE-ID: CVE-2015-4603)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to type confusion in the exception::getTraceAsString function in Zend/zend_exceptions.c in in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8. A remote attacker can trigger memory corruption to execute arbitrary code via an unexpected data type.

10) Integer overflow (CVE-ID: CVE-2015-4643)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 . A remote attacker can trigger heap-based buffer overflow via a long reply to a LIST command and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

11) NULL pointer dereference (CVE-ID: CVE-2015-4644)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to the php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names. A remote attacker can trigger NULL pointer dereference and application crash via a crafted name.

Remediation

Install update from vendor's website.

References

• https://lists.opensuse.org/opensuse-security-announce/2015-07/msg00030.html