SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1351-1
Rating:             important
References:         #699711 #709549 #713652 #728671 #733590 #735613 
                    #736169 #738221 #741520 #741859 #742273 #742806 
                    #743308 #744966 #746661 #749111 #752030 #753778 
                    #760536 #761631 #772580 #772582 #775852 #778003 
                    #783239 #807707 #828020 #829207 
Cross-References:   CVE-2011-1072 CVE-2011-1398 CVE-2011-1466
                    CVE-2011-2202 CVE-2011-3182 CVE-2011-4153
                    CVE-2011-4388 CVE-2011-4566 CVE-2011-4885
                    CVE-2012-0057 CVE-2012-0781 CVE-2012-0788
                    CVE-2012-0789 CVE-2012-0807 CVE-2012-0830
                    CVE-2012-0831 CVE-2012-1172 CVE-2012-1823
                    CVE-2012-2311 CVE-2012-2335 CVE-2012-2336
                    CVE-2012-2688 CVE-2012-3365 CVE-2013-1635
                    CVE-2013-1643 CVE-2013-4113 CVE-2013-4635
                   
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves 27 vulnerabilities and has one errata
   is now available. It includes one version update.

Description:


   php5 has been updated to roll up all pending security fixes
   for Long Term Service Pack Support.

   The following security issues have been fixed:

   *

   CVE-2013-4635: Integer overflow in the SdnToJewish
   function in jewish.c in the Calendar component in PHP
   allowed context-dependent attackers to cause a denial of
   service (application hang) via a large argument to the
   jdtojewish function.

   *

   CVE-2013-1635: ext/soap/soap.c in PHP did not
   validate the relationship between the soap.wsdl_cache_dir
   directive and the open_basedir directive, which allowed
   remote attackers to bypass intended access restrictions by
   triggering the creation of cached SOAP WSDL files in an
   arbitrary directory.

   *

   CVE-2013-1643: The SOAP parser in PHP allowed remote
   attackers to read arbitrary files via a SOAP WSDL file
   containing an XML external entity declaration in
   conjunction with an entity reference, related to an XML
   External Entity (XXE) issue in the soap_xmlParseFile and
   soap_xmlParseMemory functions.

   *

   CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27
   does not properly consider parsing depth, which allowed
   remote attackers to cause a denial of service (heap memory
   corruption) or possibly have unspecified other impact via a
   crafted document that is processed by the
   xml_parse_into_struct function.

   *

   CVE-2011-1398 / CVE-2012-4388: The sapi_header_op
   function in main/SAPI.c in PHP did not check for %0D
   sequences (aka carriage return characters), which allowed
   remote attackers to bypass an HTTP response-splitting
   protection mechanism via a crafted URL, related to improper
   interaction between the PHP header function and certain
   browsers, as demonstrated by Internet Explorer and Google
   Chrome.

   *

   CVE-2012-2688: An unspecified vulnerability in the
   _php_stream_scandir function in the stream implementation
   in PHP had unknown impact and remote attack vectors,
   related to an "overflow."

   *

   CVE-2012-3365: The SQLite functionality in PHP before
   5.3.15 allowed remote attackers to bypass the open_basedir
   protection mechanism via unspecified vectors.

   *

   CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when
   configured as a CGI script (aka php-cgi), did not properly
   handle query strings that lack an = (equals sign)
   character, which allowed remote attackers to execute
   arbitrary code by placing command-line options in the query
   string, related to lack of skipping a certain php_getopt
   for the 'd' case.

   *

   CVE-2012-2335: php-wrapper.fcgi did not properly
   handle command-line arguments, which allowed remote
   attackers to bypass a protection mechanism in PHP and
   execute arbitrary code by leveraging improper interaction
   between the PHP sapi/cgi/cgi_main.c component and a query
   string beginning with a +- sequence.

   *

   CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when
   configured as a CGI script (aka php-cgi), did not properly
   handle query strings that lack an = (equals sign)
   character, which allowed remote attackers to cause a denial
   of service (resource consumption) by placing command-line
   options in the query string, related to lack of skipping a
   certain php_getopt for the 'T' case. NOTE: this
   vulnerability exists because of an incomplete fix for
   CVE-2012-1823.

   *

   CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when
   configured as a CGI script (aka php-cgi), does not properly
   handle query strings that contain a %3D sequence but no =
   (equals sign) character, which allows remote attackers to
   execute arbitrary code by placing command-line options in
   the query string, related to lack of skipping a certain
   php_getopt for the 'd' case. NOTE: this vulnerability
   exists because of an incomplete fix for CVE-2012-1823.

   *

   CVE-2012-1172: The file-upload implementation in
   rfc1867.c in PHP did not properly handle invalid [ (open
   square bracket) characters in name values, which makes it
   easier for remote attackers to cause a denial of service
   (malformed $_FILES indexes) or conduct directory traversal
   attacks during multi-file uploads by leveraging a script
   that lacks its own filename restrictions.

   *

   CVE-2012-0830: The php_register_variable_ex function
   in php_variables.c in PHP allowed remote attackers to
   execute arbitrary code via a request containing a large
   number of variables, related to improper handling of array
   variables. NOTE: this vulnerability exists because of an
   incorrect fix for CVE-2011-4885.

   *

   CVE-2012-0807: Stack-based buffer overflow in the
   suhosin_encrypt_single_cookie function in the transparent
   cookie-encryption feature in the Suhosin extension before
   0.9.33 for PHP, when suhosin.cookie.encrypt and
   suhosin.multiheader are enabled, might have allowed remote
   attackers to execute arbitrary code via a long string that
   is used in a Set-Cookie HTTP header.

   *

   CVE-2012-0057: PHP had improper libxslt security
   settings, which allowed remote attackers to create
   arbitrary files via a crafted XSLT stylesheet that uses the
   libxslt output extension.

   *

   CVE-2012-0831: PHP did not properly perform a
   temporary change to the magic_quotes_gpc directive during
   the importing of environment variables, which made it
   easier for remote attackers to conduct SQL injection
   attacks via a crafted request, related to
   main/php_variables.c, sapi/cgi/cgi_main.c, and
   sapi/fpm/fpm/fpm_main.c.

   *

   CVE-2011-4153: PHP did not always check the return
   value of the zend_strndup function, which might have
   allowed remote attackers to cause a denial of service (NULL
   pointer dereference and application crash) via crafted
   input to an application that performs strndup operations on
   untrusted string data, as demonstrated by the define
   function in zend_builtin_functions.c, and unspecified
   functions in ext/soap/php_sdl.c, ext/standard/syslog.c,
   ext/standard/browscap.c, ext/oci8/oci8.c,
   ext/com_dotnet/com_typeinfo.c, and
   main/php_open_temporary_file.c.

   *

   CVE-2012-0781: The tidy_diagnose function in PHP
   might have allowed remote attackers to cause a denial of
   service (NULL pointer dereference and application crash)
   via crafted input to an application that attempts to
   perform Tidy::diagnose operations on invalid objects, a
   different vulnerability than CVE-2011-4153.

   *

   CVE-2012-0788: The PDORow implementation in PHP did
   not properly interact with the session feature, which
   allowed remote attackers to cause a denial of service
   (application crash) via a crafted application that uses a
   PDO driver for a fetch and then calls the session_start
   function, as demonstrated by a crash of the Apache HTTP
   Server.

   *

   CVE-2012-0789: Memory leak in the timezone
   functionality in PHP allowed remote attackers to cause a
   denial of service (memory consumption) by triggering many
   strtotime function calls, which were not properly handled
   by the php_date_parse_tzfile cache.

   *

   CVE-2011-4885: PHP computed hash values for form
   parameters without restricting the ability to trigger hash
   collisions predictably, which allowed remote attackers to
   cause a denial of service (CPU consumption) by sending many
   crafted parameters. We added a max_input_vars directive to
   prevent attacks based on hash collisions.

   *

   CVE-2011-4566: Integer overflow in the
   exif_process_IFD_TAG function in exif.c in the exif
   extension in PHP allowed remote attackers to read the
   contents of arbitrary memory locations or cause a denial of
   service via a crafted offset_val value in an EXIF header in
   a JPEG file, a different vulnerability than CVE-2011-0708.

   *

   CVE-2011-3182: PHP did not properly check the return
   values of the malloc, calloc, and realloc library
   functions, which allowed context-dependent attackers to
   cause a denial of service (NULL pointer dereference and
   application crash) or trigger a buffer overflow by
   leveraging the ability to provide an arbitrary value for a
   function argument, related to (1) ext/curl/interface.c, (2)
   ext/date/lib/parse_date.c, (3)
   ext/date/lib/parse_iso_intervals.c, (4)
   ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6)
   ext/pdo_odbc/pdo_odbc.c, (7)
   ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c,
   (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c,
   and (11) the strtotime function.

   *

   CVE-2011-1466: Integer overflow in the SdnToJulian
   function in the Calendar extension in PHP allowed
   context-dependent attackers to cause a denial of service
   (application crash) via a large integer in the first
   argument to the cal_from_jd function.

   *

   CVE-2011-1072: The installer in PEAR allowed local
   users to overwrite arbitrary files via a symlink attack on
   the package.xml file, related to the (1) download_dir, (2)
   cache_dir, (3) tmp_dir, and (4) pear-build-download
   directories, a different vulnerability than CVE-2007-2519.

   *

   CVE-2011-2202: The rfc1867_post_handler function in
   main/rfc1867.c in PHP did not properly restrict filenames
   in multipart/form-data POST requests, which allowed remote
   attackers to conduct absolute path traversal attacks, and
   possibly create or overwrite arbitrary files, via a crafted
   upload request, related to a "file path injection
   vulnerability."
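
   Added example (not part of the SUSE advisory or of PHP's code): a
   Python access-log check for the php-cgi query-string shapes described
   under CVE-2012-1823, CVE-2012-2311, CVE-2012-2335 and CVE-2012-2336
   above. The log lines, addresses, paths and function names are
   constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Request field of a common/combined access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')

def classify_query(raw_query):
    """Label a raw (still percent-encoded) query string that has one of the
    shapes named in the advisory, or return None."""
    if not raw_query or "=" in raw_query:
        return None  # every case in the advisory lacks a literal '='
    decoded = unquote_plus(raw_query)
    if not decoded.lstrip().startswith("-"):
        return None  # no command-line option at the front
    if decoded[0].isspace():
        return "CVE-2012-2335 shape: option behind a leading '+'/space"
    if "%3d" in raw_query.lower():
        return "CVE-2012-2311 shape: %3D present, no literal '='"
    return "CVE-2012-1823/2336 shape: option '-%s', no '='" % decoded[1:2]

def scan(lines):
    """Return (line number, request target, label) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        label = classify_query(urlsplit(target).query)
        if label:
            hits.append((lineno, target, label))
    return hits

# Constructed sample input (documentation addresses, made-up paths and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Aug/2013:10:00:01 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512',
    '192.0.2.10 - - [16/Aug/2013:10:00:02 +0000] "GET /search.php?q=-d HTTP/1.1" 200 734',
    '192.0.2.77 - - [16/Aug/2013:10:00:03 +0000] "GET /index.php?-T+3 HTTP/1.1" 200 90',
    '192.0.2.77 - - [16/Aug/2013:10:00:04 +0000] "GET /index.php?-d+name%3Dvalue HTTP/1.1" 200 90',
    '192.0.2.77 - - [16/Aug/2013:10:00:05 +0000] "GET /cgi-bin/php-wrapper.fcgi?+-d+name HTTP/1.1" 200 90',
    '192.0.2.10 - - [16/Aug/2013:10:00:06 +0000] "GET /docs.php?page2 HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for lineno, target, label in scan(SAMPLE_LOG):
        print("line %d: %s -> %s" % (lineno, target, label))
```

   A hit is a lead for review rather than proof of an attack, since
   some applications legitimately use query strings without an = sign.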

   Bugfixes:

   * fixed php bug #43200 (Interface implementation /
   inheritance not possible in abstract classes) [bnc#783239]
   * use FilesMatch with 'SetHandler' rather than
   'AddHandler' [bnc#775852]
   * fixed unpredictable unpack()/pack() behaviour
   [bnc#753778]
   * memory corruption in parse_ini_string() [bnc#742806]
   * amend README.SUSE to discourage using apache module
   with apache2-worker [bnc#728671]
   * allow uploading files bigger than 2GB for 64bit
   systems [bnc#709549]

   Security Issue references:

   * CVE-2011-1072
   
   * CVE-2011-1398
   
   * CVE-2011-1466
   
   * CVE-2011-2202
   
   * CVE-2011-3182
   
   * CVE-2011-4153
   
   * CVE-2011-4388
   
   * CVE-2011-4566
   
   * CVE-2011-4885
   
   * CVE-2012-0057
   
   * CVE-2012-0781
   
   * CVE-2012-0788
   
   * CVE-2012-0789
   
   * CVE-2012-0807
   
   * CVE-2012-0830
   
   * CVE-2012-0831
   
   * CVE-2012-1172
   
   * CVE-2012-1823
   
   * CVE-2012-2311
   
   * CVE-2012-2335
   
   * CVE-2012-2336
   
   * CVE-2012-2688
   
   * CVE-2012-3365
   
   * CVE-2013-1635
   
   * CVE-2013-1643
   
   * CVE-2013-4113
   
   * CVE-2013-4635
   



Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.42.1
      php5-5.2.14-0.42.1
      php5-bcmath-5.2.14-0.42.1
      php5-bz2-5.2.14-0.42.1
      php5-calendar-5.2.14-0.42.1
      php5-ctype-5.2.14-0.42.1
      php5-curl-5.2.14-0.42.1
      php5-dba-5.2.14-0.42.1
      php5-dbase-5.2.14-0.42.1
      php5-devel-5.2.14-0.42.1
      php5-dom-5.2.14-0.42.1
      php5-exif-5.2.14-0.42.1
      php5-fastcgi-5.2.14-0.42.1
      php5-ftp-5.2.14-0.42.1
      php5-gd-5.2.14-0.42.1
      php5-gettext-5.2.14-0.42.1
      php5-gmp-5.2.14-0.42.1
      php5-hash-5.2.14-0.42.1
      php5-iconv-5.2.14-0.42.1
      php5-imap-5.2.14-0.42.1
      php5-json-5.2.14-0.42.1
      php5-ldap-5.2.14-0.42.1
      php5-mbstring-5.2.14-0.42.1
      php5-mcrypt-5.2.14-0.42.1
      php5-mhash-5.2.14-0.42.1
      php5-mysql-5.2.14-0.42.1
      php5-ncurses-5.2.14-0.42.1
      php5-odbc-5.2.14-0.42.1
      php5-openssl-5.2.14-0.42.1
      php5-pcntl-5.2.14-0.42.1
      php5-pdo-5.2.14-0.42.1
      php5-pear-5.2.14-0.42.1
      php5-pgsql-5.2.14-0.42.1
      php5-posix-5.2.14-0.42.1
      php5-pspell-5.2.14-0.42.1
      php5-shmop-5.2.14-0.42.1
      php5-snmp-5.2.14-0.42.1
      php5-soap-5.2.14-0.42.1
      php5-sockets-5.2.14-0.42.1
      php5-sqlite-5.2.14-0.42.1
      php5-suhosin-5.2.14-0.42.1
      php5-sysvmsg-5.2.14-0.42.1
      php5-sysvsem-5.2.14-0.42.1
      php5-sysvshm-5.2.14-0.42.1
      php5-tokenizer-5.2.14-0.42.1
      php5-wddx-5.2.14-0.42.1
      php5-xmlreader-5.2.14-0.42.1
      php5-xmlrpc-5.2.14-0.42.1
      php5-xsl-5.2.14-0.42.1
      php5-zlib-5.2.14-0.42.1


References:

   https://www.suse.com/security/cve/CVE-2011-1072.html
   https://www.suse.com/security/cve/CVE-2011-1398.html
   https://www.suse.com/security/cve/CVE-2011-1466.html
   https://www.suse.com/security/cve/CVE-2011-2202.html
   https://www.suse.com/security/cve/CVE-2011-3182.html
   https://www.suse.com/security/cve/CVE-2011-4153.html
   https://www.suse.com/security/cve/CVE-2011-4388.html
   https://www.suse.com/security/cve/CVE-2011-4566.html
   https://www.suse.com/security/cve/CVE-2011-4885.html
   https://www.suse.com/security/cve/CVE-2012-0057.html
   https://www.suse.com/security/cve/CVE-2012-0781.html
   https://www.suse.com/security/cve/CVE-2012-0788.html
   https://www.suse.com/security/cve/CVE-2012-0789.html
   https://www.suse.com/security/cve/CVE-2012-0807.html
   https://www.suse.com/security/cve/CVE-2012-0830.html
   https://www.suse.com/security/cve/CVE-2012-0831.html
   https://www.suse.com/security/cve/CVE-2012-1172.html
   https://www.suse.com/security/cve/CVE-2012-1823.html
   https://www.suse.com/security/cve/CVE-2012-2311.html
   https://www.suse.com/security/cve/CVE-2012-2335.html
   https://www.suse.com/security/cve/CVE-2012-2336.html
   https://www.suse.com/security/cve/CVE-2012-2688.html
   https://www.suse.com/security/cve/CVE-2012-3365.html
   https://www.suse.com/security/cve/CVE-2013-1635.html
   https://www.suse.com/security/cve/CVE-2013-1643.html
   https://www.suse.com/security/cve/CVE-2013-4113.html
   https://www.suse.com/security/cve/CVE-2013-4635.html
   https://bugzilla.novell.com/699711
   https://bugzilla.novell.com/709549
   https://bugzilla.novell.com/713652
   https://bugzilla.novell.com/728671
   https://bugzilla.novell.com/733590
   https://bugzilla.novell.com/735613
   https://bugzilla.novell.com/736169
   https://bugzilla.novell.com/738221
   https://bugzilla.novell.com/741520
   https://bugzilla.novell.com/741859
   https://bugzilla.novell.com/742273
   https://bugzilla.novell.com/742806
   https://bugzilla.novell.com/743308
   https://bugzilla.novell.com/744966
   https://bugzilla.novell.com/746661
   https://bugzilla.novell.com/749111
   https://bugzilla.novell.com/752030
   https://bugzilla.novell.com/753778
   https://bugzilla.novell.com/760536
   https://bugzilla.novell.com/761631
   https://bugzilla.novell.com/772580
   https://bugzilla.novell.com/772582
   https://bugzilla.novell.com/775852
   https://bugzilla.novell.com/778003
   https://bugzilla.novell.com/783239
   https://bugzilla.novell.com/807707
   https://bugzilla.novell.com/828020
   https://bugzilla.novell.com/829207

SuSE: 2013:1351-1: important: PHP5

August 16, 2013