SB2016052202 - Multiple vulnerabilities in PHP

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2015-8878)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory corruption) by leveraging an application that performs many temporary-file accesses.

2) Input validation error (CVE-ID: CVE-2015-8876)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and application crash) or trigger unintended method execution via crafted serialized data.

3) Cryptographic issues (CVE-ID: CVE-2015-8867)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The openssl_random_pseudo_bytes function in ext/openssl/openssl.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 incorrectly relies on the deprecated RAND_pseudo_bytes function, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors.

4) Resource management error (CVE-ID: CVE-2015-8877)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The gdImageScaleTwoPass function in gd_interpolation.c in the GD Graphics Library (aka libgd) before 2.2.0, as used in PHP before 5.6.12, uses inconsistent allocate and free approaches, which allows remote attackers to cause a denial of service (memory consumption) via a crafted call, as demonstrated by a call to the PHP imagescale function.

Remediation

Install update from vendor's website.

References

• http://www.php.net/ChangeLog-5.php
• https://bugs.php.net/bug.php?id=70002
• http://rhn.redhat.com/errata/RHSA-2016-2750.html
• https://bugs.php.net/bug.php?id=70121
• http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827
• http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html
• http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html
• http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html
• http://www.openwall.com/lists/oss-security/2016/04/24/1
• http://www.php.net/ChangeLog-7.php
• http://www.ubuntu.com/usn/USN-2952-1
• http://www.ubuntu.com/usn/USN-2952-2
• https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203
• https://bugs.php.net/bug.php?id=70014
• http://www.debian.org/security/2016/dsa-3587
• http://www.ubuntu.com/usn/USN-2987-1
• https://bugs.php.net/bug.php?id=70064
• https://github.com/libgd/libgd/commit/4751b606fa38edc456d627140898a7ec679fcc24
• https://github.com/libgd/libgd/issues/173