SUSE Security Update: Security update for PHP5
______________________________________________________________________________
Announcement ID: SUSE-SU-2013:1351-1
Rating: important
References: #699711 #709549 #713652 #728671 #733590 #735613
#736169 #738221 #741520 #741859 #742273 #742806
#743308 #744966 #746661 #749111 #752030 #753778
#760536 #761631 #772580 #772582 #775852 #778003
#783239 #807707 #828020 #829207
Cross-References: CVE-2011-1072 CVE-2011-1398 CVE-2011-1466
CVE-2011-2202 CVE-2011-3182 CVE-2011-4153
CVE-2011-4388 CVE-2011-4566 CVE-2011-4885
CVE-2012-0057 CVE-2012-0781 CVE-2012-0788
CVE-2012-0789 CVE-2012-0807 CVE-2012-0830
CVE-2012-0831 CVE-2012-1172 CVE-2012-1823
CVE-2012-2311 CVE-2012-2335 CVE-2012-2336
CVE-2012-2688 CVE-2012-3365 CVE-2013-1635
CVE-2013-1643 CVE-2013-4113 CVE-2013-4635
Affected Products:
SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________
An update that solves 27 vulnerabilities and has one errata
is now available. It includes one version update.
Description:
php5 has been updated to roll up all pending security fixes
for Long Term Service Pack Support.
The following security issues have been fixed:
*
CVE-2013-4635: Integer overflow in the SdnToJewish
function in jewish.c in the Calendar component in PHP
allowed context-dependent attackers to cause a denial of
service (application hang) via a large argument to the
jdtojewish function.
*
CVE-2013-1635: ext/soap/soap.c in PHP did not
validate the relationship between the soap.wsdl_cache_dir
directive and the open_basedir directive, which allowed
remote attackers to bypass intended access restrictions by
triggering the creation of cached SOAP WSDL files in an
arbitrary directory.
*
CVE-2013-1643: The SOAP parser in PHP allowed remote
attackers to read arbitrary files via a SOAP WSDL file
containing an XML external entity declaration in
conjunction with an entity reference, related to an XML
External Entity (XXE) issue in the soap_xmlParseFile and
soap_xmlParseMemory functions.
*
CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27
did not properly consider parsing depth, which allowed
remote attackers to cause a denial of service (heap memory
corruption) or possibly have unspecified other impact via a
crafted document that is processed by the
xml_parse_into_struct function.
*
CVE-2011-1398 / CVE-2012-4388: The sapi_header_op
function in main/SAPI.c in PHP did not check for %0D
sequences (aka carriage return characters), which allowed
remote attackers to bypass an HTTP response-splitting
protection mechanism via a crafted URL, related to improper
interaction between the PHP header function and certain
browsers, as demonstrated by Internet Explorer and Google
Chrome.
*
CVE-2012-2688: An unspecified vulnerability in the
_php_stream_scandir function in the stream implementation
in PHP had unknown impact and remote attack vectors,
related to an "overflow."
*
CVE-2012-3365: The SQLite functionality in PHP before
5.3.15 allowed remote attackers to bypass the open_basedir
protection mechanism via unspecified vectors.
*
CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when
configured as a CGI script (aka php-cgi), did not properly
handle query strings that lack an = (equals sign)
character, which allowed remote attackers to execute
arbitrary code by placing command-line options in the query
string, related to lack of skipping a certain php_getopt
for the 'd' case.
*
CVE-2012-2335: php-wrapper.fcgi did not properly
handle command-line arguments, which allowed remote
attackers to bypass a protection mechanism in PHP and
execute arbitrary code by leveraging improper interaction
between the PHP sapi/cgi/cgi_main.c component and a query
string beginning with a +- sequence.
*
CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when
configured as a CGI script (aka php-cgi), did not properly
handle query strings that lack an = (equals sign)
character, which allowed remote attackers to cause a denial
of service (resource consumption) by placing command-line
options in the query string, related to lack of skipping a
certain php_getopt for the 'T' case. NOTE: this
vulnerability exists because of an incomplete fix for
CVE-2012-1823.
*
CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when
configured as a CGI script (aka php-cgi), did not properly
handle query strings that contain a %3D sequence but no =
(equals sign) character, which allowed remote attackers to
execute arbitrary code by placing command-line options in
the query string, related to lack of skipping a certain
php_getopt for the 'd' case. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2012-1823.
*
CVE-2012-1172: The file-upload implementation in
rfc1867.c in PHP did not properly handle invalid [ (open
square bracket) characters in name values, which makes it
easier for remote attackers to cause a denial of service
(malformed $_FILES indexes) or conduct directory traversal
attacks during multi-file uploads by leveraging a script
that lacks its own filename restrictions.
*
CVE-2012-0830: The php_register_variable_ex function
in php_variables.c in PHP allowed remote attackers to
execute arbitrary code via a request containing a large
number of variables, related to improper handling of array
variables. NOTE: this vulnerability exists because of an
incorrect fix for CVE-2011-4885.
*
CVE-2012-0807: Stack-based buffer overflow in the
suhosin_encrypt_single_cookie function in the transparent
cookie-encryption feature in the Suhosin extension before
0.9.33 for PHP, when suhosin.cookie.encrypt and
suhosin.multiheader are enabled, might have allowed remote
attackers to execute arbitrary code via a long string that
is used in a Set-Cookie HTTP header.
*
CVE-2012-0057: PHP had improper libxslt security
settings, which allowed remote attackers to create
arbitrary files via a crafted XSLT stylesheet that uses the
libxslt output extension.
*
CVE-2012-0831: PHP did not properly perform a
temporary change to the magic_quotes_gpc directive during
the importing of environment variables, which made it
easier for remote attackers to conduct SQL injection
attacks via a crafted request, related to
main/php_variables.c, sapi/cgi/cgi_main.c, and
sapi/fpm/fpm/fpm_main.c.
*
CVE-2011-4153: PHP did not always check the return
value of the zend_strndup function, which might have
allowed remote attackers to cause a denial of service (NULL
pointer dereference and application crash) via crafted
input to an application that performs strndup operations on
untrusted string data, as demonstrated by the define
function in zend_builtin_functions.c, and unspecified
functions in ext/soap/php_sdl.c, ext/standard/syslog.c,
ext/standard/browscap.c, ext/oci8/oci8.c,
ext/com_dotnet/com_typeinfo.c, and
main/php_open_temporary_file.c.
*
CVE-2012-0781: The tidy_diagnose function in PHP
might have allowed remote attackers to cause a denial of
service (NULL pointer dereference and application crash)
via crafted input to an application that attempts to
perform Tidy::diagnose operations on invalid objects, a
different vulnerability than CVE-2011-4153.
*
CVE-2012-0788: The PDORow implementation in PHP did
not properly interact with the session feature, which
allowed remote attackers to cause a denial of service
(application crash) via a crafted application that uses a
PDO driver for a fetch and then calls the session_start
function, as demonstrated by a crash of the Apache HTTP
Server.
*
CVE-2012-0789: Memory leak in the timezone
functionality in PHP allowed remote attackers to cause a
denial of service (memory consumption) by triggering many
strtotime function calls, which were not properly handled
by the php_date_parse_tzfile cache.
*
CVE-2011-4885: PHP computed hash values for form
parameters without restricting the ability to trigger hash
collisions predictably, which allowed remote attackers to
cause a denial of service (CPU consumption) by sending many
crafted parameters. We added a max_input_vars directive to
prevent attacks based on hash collisions.
*
CVE-2011-4566: Integer overflow in the
exif_process_IFD_TAG function in exif.c in the exif
extension in PHP allowed remote attackers to read the
contents of arbitrary memory locations or cause a denial of
service via a crafted offset_val value in an EXIF header in
a JPEG file, a different vulnerability than CVE-2011-0708.
*
CVE-2011-3182: PHP did not properly check the return
values of the malloc, calloc, and realloc library
functions, which allowed context-dependent attackers to
cause a denial of service (NULL pointer dereference and
application crash) or trigger a buffer overflow by
leveraging the ability to provide an arbitrary value for a
function argument, related to (1) ext/curl/interface.c, (2)
ext/date/lib/parse_date.c, (3)
ext/date/lib/parse_iso_intervals.c, (4)
ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6)
ext/pdo_odbc/pdo_odbc.c, (7)
ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c,
(9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c,
and (11) the strtotime function.
*
CVE-2011-1466: Integer overflow in the SdnToJulian
function in the Calendar extension in PHP allowed
context-dependent attackers to cause a denial of service
(application crash) via a large integer in the first
argument to the cal_from_jd function.
*
CVE-2011-1072: The installer in PEAR allowed local
users to overwrite arbitrary files via a symlink attack on
the package.xml file, related to the (1) download_dir, (2)
cache_dir, (3) tmp_dir, and (4) pear-build-download
directories, a different vulnerability than CVE-2007-2519.
*
CVE-2011-2202: The rfc1867_post_handler function in
main/rfc1867.c in PHP did not properly restrict filenames
in multipart/form-data POST requests, which allowed remote
attackers to conduct absolute path traversal attacks, and
possibly create or overwrite arbitrary files, via a crafted
upload request, related to a "file path injection
vulnerability."
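
For the php-cgi query-string issues listed above (CVE-2012-1823, CVE-2012-2311, CVE-2012-2335, CVE-2012-2336), the following added example, which is not part of the SUSE announcement or of PHP, shows how access logs can be reviewed for requests whose query string a CGI server would turn into command-line arguments. It assumes common/combined log format; the function names and sample lines are constructed for illustration, and the check is a log-review heuristic, not the test performed by the PHP fix.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def cgi_argv(query):
    """Words a CGI server passes to the script as command-line arguments.

    RFC 3875 section 4.4: a query string with no unencoded '=' is split
    on '+' and each word is URL-decoded. Empty words are dropped here.
    """
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+") if word]

def suspicious_option(log_line):
    """Return the leading option-like argument of a request, or None."""
    match = REQUEST_RE.search(log_line)
    if not match or "?" not in match.group(1):
        return None
    query = match.group(1).split("?", 1)[1]
    args = cgi_argv(query)
    # Decoding before the test catches "%2Dd"; dropping empty words makes
    # a leading "+-" look the same as "-".
    if args and args[0].lstrip().startswith("-"):
        return args[0].strip()
    return None

def scan(lines):
    """Return (line_number, option) for every flagged request."""
    found = ((n, suspicious_option(line)) for n, line in enumerate(lines, 1))
    return [(n, option) for n, option in found if option]

# Constructed sample lines, not taken from a real log.
_PREFIX = '192.0.2.10 - - [01/Aug/2013:10:00:00 +0000] "GET '
SAMPLE_LOG = [_PREFIX + target + ' HTTP/1.1" 200 512' for target in (
    "/index.php?page=2",                        # ordinary parameter
    "/index.php?-d+example_setting%3D1",        # encoded '=' only
    "/cgi-bin/php-wrapper.fcgi?+-T+1",          # leading "+-"
    "/search.php?php+security",                 # indexed query, no option
    "/index.php?%2Dd+example_setting%3D1",      # encoded '-'
    "/index.php?-d+example_setting=1",          # unencoded '=': not argv
)]

if __name__ == "__main__":
    for number, option in scan(SAMPLE_LOG):
        print(f"line {number}: query string would be parsed as option {option}")
```

Hits in logs that predate the installation of this update indicate requests worth investigating on hosts that ran php5 as CGI.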
Bugfixes:
* fixed php bug #43200 (Interface implementation /
inheritance not possible in abstract classes) [bnc#783239]
* use FilesMatch with 'SetHandler' rather than
'AddHandler' [bnc#775852]
* fixed unpredictable unpack()/pack() behaviour
[bnc#753778]
* memory corruption in parse_ini_string() [bnc#742806]
* amend README.SUSE to discourage using apache module
with apache2-worker [bnc#728671]
* allow uploading files bigger than 2GB for 64bit
systems [bnc#709549]
Security Issue references:
* CVE-2011-1072
* CVE-2011-1398
* CVE-2011-1466
* CVE-2011-2202
* CVE-2011-3182
* CVE-2011-4153
* CVE-2011-4388
* CVE-2011-4566
* CVE-2011-4885
* CVE-2012-0057
* CVE-2012-0781
* CVE-2012-0788
* CVE-2012-0789
* CVE-2012-0807
* CVE-2012-0830
* CVE-2012-0831
* CVE-2012-1172
* CVE-2012-1823
* CVE-2012-2311
* CVE-2012-2335
* CVE-2012-2336
* CVE-2012-2688
* CVE-2012-3365
* CVE-2013-1635
* CVE-2013-1643
* CVE-2013-4113
* CVE-2013-4635
Package List:
- SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 5.2.14]:
apache2-mod_php5-5.2.14-0.42.1
php5-5.2.14-0.42.1
php5-bcmath-5.2.14-0.42.1
php5-bz2-5.2.14-0.42.1
php5-calendar-5.2.14-0.42.1
php5-ctype-5.2.14-0.42.1
php5-curl-5.2.14-0.42.1
php5-dba-5.2.14-0.42.1
php5-dbase-5.2.14-0.42.1
php5-devel-5.2.14-0.42.1
php5-dom-5.2.14-0.42.1
php5-exif-5.2.14-0.42.1
php5-fastcgi-5.2.14-0.42.1
php5-ftp-5.2.14-0.42.1
php5-gd-5.2.14-0.42.1
php5-gettext-5.2.14-0.42.1
php5-gmp-5.2.14-0.42.1
php5-hash-5.2.14-0.42.1
php5-iconv-5.2.14-0.42.1
php5-imap-5.2.14-0.42.1
php5-json-5.2.14-0.42.1
php5-ldap-5.2.14-0.42.1
php5-mbstring-5.2.14-0.42.1
php5-mcrypt-5.2.14-0.42.1
php5-mhash-5.2.14-0.42.1
php5-mysql-5.2.14-0.42.1
php5-ncurses-5.2.14-0.42.1
php5-odbc-5.2.14-0.42.1
php5-openssl-5.2.14-0.42.1
php5-pcntl-5.2.14-0.42.1
php5-pdo-5.2.14-0.42.1
php5-pear-5.2.14-0.42.1
php5-pgsql-5.2.14-0.42.1
php5-posix-5.2.14-0.42.1
php5-pspell-5.2.14-0.42.1
php5-shmop-5.2.14-0.42.1
php5-snmp-5.2.14-0.42.1
php5-soap-5.2.14-0.42.1
php5-sockets-5.2.14-0.42.1
php5-sqlite-5.2.14-0.42.1
php5-suhosin-5.2.14-0.42.1
php5-sysvmsg-5.2.14-0.42.1
php5-sysvsem-5.2.14-0.42.1
php5-sysvshm-5.2.14-0.42.1
php5-tokenizer-5.2.14-0.42.1
php5-wddx-5.2.14-0.42.1
php5-xmlreader-5.2.14-0.42.1
php5-xmlrpc-5.2.14-0.42.1
php5-xsl-5.2.14-0.42.1
php5-zlib-5.2.14-0.42.1
References:
https://www.suse.com/security/cve/CVE-2011-1072.html
https://www.suse.com/security/cve/CVE-2011-1398.html
https://www.suse.com/security/cve/CVE-2011-1466.html
https://www.suse.com/security/cve/CVE-2011-2202.html
https://www.suse.com/security/cve/CVE-2011-3182.html
https://www.suse.com/security/cve/CVE-2011-4153.html
https://www.suse.com/security/cve/CVE-2011-4388.html
https://www.suse.com/security/cve/CVE-2011-4566.html
https://www.suse.com/security/cve/CVE-2011-4885.html
https://www.suse.com/security/cve/CVE-2012-0057.html
https://www.suse.com/security/cve/CVE-2012-0781.html
https://www.suse.com/security/cve/CVE-2012-0788.html
https://www.suse.com/security/cve/CVE-2012-0789.html
https://www.suse.com/security/cve/CVE-2012-0807.html
https://www.suse.com/security/cve/CVE-2012-0830.html
https://www.suse.com/security/cve/CVE-2012-0831.html
https://www.suse.com/security/cve/CVE-2012-1172.html
https://www.suse.com/security/cve/CVE-2012-1823.html
https://www.suse.com/security/cve/CVE-2012-2311.html
https://www.suse.com/security/cve/CVE-2012-2335.html
https://www.suse.com/security/cve/CVE-2012-2336.html
https://www.suse.com/security/cve/CVE-2012-2688.html
https://www.suse.com/security/cve/CVE-2012-3365.html
https://www.suse.com/security/cve/CVE-2013-1635.html
https://www.suse.com/security/cve/CVE-2013-1643.html
https://www.suse.com/security/cve/CVE-2013-4113.html
https://www.suse.com/security/cve/CVE-2013-4635.html
https://bugzilla.novell.com/699711
https://bugzilla.novell.com/709549
https://bugzilla.novell.com/713652
https://bugzilla.novell.com/728671
https://bugzilla.novell.com/733590
https://bugzilla.novell.com/735613
https://bugzilla.novell.com/736169
https://bugzilla.novell.com/738221
https://bugzilla.novell.com/741520
https://bugzilla.novell.com/741859
https://bugzilla.novell.com/742273
https://bugzilla.novell.com/742806
https://bugzilla.novell.com/743308
https://bugzilla.novell.com/744966
https://bugzilla.novell.com/746661
https://bugzilla.novell.com/749111
https://bugzilla.novell.com/752030
https://bugzilla.novell.com/753778
https://bugzilla.novell.com/760536
https://bugzilla.novell.com/761631
https://bugzilla.novell.com/772580
https://bugzilla.novell.com/772582
https://bugzilla.novell.com/775852
https://bugzilla.novell.com/778003
https://bugzilla.novell.com/783239
https://bugzilla.novell.com/807707
https://bugzilla.novell.com/828020
https://bugzilla.novell.com/829207