[SECURITY] [DLA 749-1] php5 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php5
Version        : 5.4.45-0+deb7u6
CVE ID         : CVE-2016-5385 CVE-2016-7124 CVE-2016-7128 CVE-2016-7129
                 CVE-2016-7130 CVE-2016-7131 CVE-2016-7132 CVE-2016-7411
                 CVE-2016-7412 CVE-2016-7413 CVE-2016-7414 CVE-2016-7416
                 CVE-2016-7417 CVE-2016-7418


CVE-2016-5385
     PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
     namespace conflicts and therefore does not protect applications from
     the presence of untrusted client data in the HTTP_PROXY environment
     variable, which might allow remote attackers to redirect an application's
     outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy
     header in an HTTP request, as demonstrated by (1) an application that
     makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP,
     aka an "httpoxy" issue.

CVE-2016-7124
     ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10
     mishandles certain invalid objects, which allows remote attackers to cause
     a denial of service or possibly have unspecified other impact via crafted
     serialized data that leads to a (1) __destruct call or (2) magic method
     call.

CVE-2016-7128
     The exif_process_IFD_in_TIFF function in ext/exif/exif.c in PHP before
     5.6.25 and 7.x before 7.0.10 mishandles the case of a thumbnail offset
     that exceeds the file size, which allows remote attackers to obtain
     sensitive information from process memory via a crafted TIFF image.

CVE-2016-7129
     The php_wddx_process_data function in ext/wddx/wddx.c in PHP before
     5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial
     of service (segmentation fault) or possibly have unspecified other
     impact via an invalid ISO 8601 time value, as demonstrated by
     a wddx_deserialize call that mishandles a dateTime element in
     a wddxPacket XML document.

CVE-2016-7130
     The php_wddx_pop_element function in ext/wddx/wddx.c in PHP before
     5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a
     denial of service (NULL pointer dereference and application crash)
     or possibly have unspecified other impact via an invalid base64
     binary value, as demonstrated by a wddx_deserialize call that
     mishandles a binary element in a wddxPacket XML document.

CVE-2016-7131
     ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
     remote attackers to cause a denial of service (NULL pointer
     dereference and application crash) or possibly have unspecified
     other impact via a malformed wddxPacket XML document that is
     mishandled in a wddx_deserialize call, as demonstrated by a tag
     that lacks a < (less than) character.

CVE-2016-7132
     ext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows
     remote attackers to cause a denial of service (NULL pointer
     dereference and application crash) or possibly have unspecified
     other impact via an invalid wddxPacket XML document that is
     mishandled in a wddx_deserialize call, as demonstrated by
     a stray element inside a boolean element, leading to incorrect
     pop processing.

CVE-2016-7411
     ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles
     object-deserialization failures, which allows remote attackers
     to cause a denial of service (memory corruption) or possibly
     have unspecified other impact via an unserialize call that
     references a partially constructed object.

CVE-2016-7412
     ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x
     before 7.0.11 does not verify that a BIT field has the
     UNSIGNED_FLAG flag, which allows remote MySQL servers to cause
     a denial of service (heap-based buffer overflow) or possibly
     have unspecified other impact via crafted field metadata.

CVE-2016-7413
     Use-after-free vulnerability in the wddx_stack_destroy function in
     ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows
     remote attackers to cause a denial of service or possibly have
     unspecified other impact via a wddxPacket XML document that lacks
     an end-tag for a recordset field element, leading to mishandling
     in a wddx_deserialize call.

CVE-2016-7414
     The ZIP signature-verification feature in PHP before 5.6.26 and 7.x
     before 7.0.11 does not ensure that the uncompressed_filesize field
     is large enough, which allows remote attackers to cause a denial of
     service (out-of-bounds memory access) or possibly have unspecified
     other impact via a crafted PHAR archive, related to ext/phar/util.c
     and ext/phar/zip.c.

CVE-2016-7416
     ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x
     before 7.0.11 does not properly restrict the locale length provided
     to the Locale class in the ICU library, which allows remote attackers
     to cause a denial of service (application crash) or possibly have
     unspecified other impact via a MessageFormatter::formatMessage call
     with a long first argument.

CVE-2016-7417
     ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11
     proceeds with SplArray unserialization without validating a
     return value and data type, which allows remote attackers to
     cause a denial of service or possibly have unspecified other
     impact via crafted serialized data.

CVE-2016-7418
     The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
     5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a
     denial of service (invalid pointer access and out-of-bounds read)
     or possibly have unspecified other impact via an incorrect boolean
     element in a wddxPacket XML document, leading to mishandling in
     a wddx_deserialize call.
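
For CVE-2016-5385 above, the following added example (not part of the original advisory or of PHP) models how the RFC 3875 header mapping lets a request header named Proxy become HTTP_PROXY, and shows two mitigations. The function names, sample request and server environment are constructed for illustration.

```python
# Added illustration of the CVE-2016-5385 ("httpoxy") name collision.
# Function names and the sample request are constructed for this example.

def cgi_name(header_name):
    """RFC 3875 section 4.1.18 mapping: 'Foo-Bar' -> 'HTTP_FOO_BAR'."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def cgi_environ(headers, server_env=None):
    """Model of the environment a CGI gateway hands to the script."""
    env = dict(server_env or {})
    seen = set()
    for name, value in headers:
        key = cgi_name(name)
        # Repeated request headers are joined; in this model a header-derived
        # value replaces any variable of the same name set by the operator.
        env[key] = f"{env[key]}, {value}" if key in seen else value
        seen.add(key)
    return env

def strip_proxy_header(headers):
    """Front-end mitigation: drop any header that would become HTTP_PROXY."""
    return [(n, v) for n, v in headers if cgi_name(n) != "HTTP_PROXY"]

def outbound_proxy(env):
    """Application-side mitigation: when REQUEST_METHOD shows a CGI context,
    ignore HTTP_PROXY; lowercase http_proxy cannot come from a header here
    because the mapping always uppercases."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")

# Constructed request carrying the crafted Proxy header the advisory describes.
SAMPLE_REQUEST = [("Host", "app.example"), ("pRoXy", "http://proxy.invalid:8080")]
SERVER_ENV = {"REQUEST_METHOD": "GET", "http_proxy": "http://corp.example:3128"}

if __name__ == "__main__":
    env = cgi_environ(SAMPLE_REQUEST, SERVER_ENV)
    print("naive getenv('HTTP_PROXY'):", env.get("HTTP_PROXY"))
    stripped = cgi_environ(strip_proxy_header(SAMPLE_REQUEST), SERVER_ENV)
    print("after stripping the header:", stripped.get("HTTP_PROXY"))
    print("outbound_proxy(env)       :", outbound_proxy(env))
```
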


For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u6.

We recommend that you upgrade your php5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

