FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-24 21:00:48 UTC


These are the vulnerabilities relating to the commit you have selected:

VuXML ID  Description
057bf770-cac4-11e0-aea3-00215c6a37bb php -- multiple vulnerabilities

PHP development team reports:

Security Enhancements and Fixes in PHP 5.3.7:

  • Updated crypt_blowfish to 1.2. (CVE-2011-2483)
  • Fixed crash in error_log(). Reported by Mateusz Kocielski
  • Fixed buffer overflow on overlong salt in crypt().
  • Fixed bug #54939 (File path injection vulnerability in RFC1867 File upload filename). Reported by Krzysztof Kotowicz. (CVE-2011-2202)
  • Fixed stack buffer overflow in socket_connect(). (CVE-2011-1938)
  • Fixed bug #54238 (use-after-free in substr_replace()). (CVE-2011-1148)

Discovery 2011-08-18
Entry 2011-08-20
php5
php5-sockets
< 5.3.7

49241
CVE-2011-2483
CVE-2011-2202
CVE-2011-1938
CVE-2011-1148
1d23109a-9005-11e2-9602-d43d7e0c7c02 php5 -- Multiple vulnerabilities

The PHP development team reports:

PHP does not validate the relationship between the soap.wsdl_cache_dir directive and the open_basedir directive, which allows remote attackers to bypass intended access restrictions by triggering the creation of cached SOAP WSDL files in an arbitrary directory.

The SOAP parser in PHP allows remote attackers to read arbitrary files via a SOAP WSDL file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue in the soap_xmlParseFile and soap_xmlParseMemory functions.


Discovery 2013-03-04
Entry 2013-03-18
php5
< 5.4.13

php53
< 5.3.23

CVE-2013-1643
CVE-2013-1635
1e232a0c-eb57-11e4-b595-4061861086c1 Several vulnerabilities found in PHP

The PHP project reports:

The PHP development team announces the immediate availability of PHP 5.4.40. 14 security-related bugs were fixed in this release, including CVE-2014-9709, CVE-2015-2301, CVE-2015-2783, CVE-2015-1352. All PHP 5.4 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 5.5.24. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.5 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 5.6.8. Several bugs have been fixed, some of them being security related, like CVE-2015-1351 and CVE-2015-1352. All PHP 5.6 users are encouraged to upgrade to this version.


Discovery 2015-04-16
Entry 2015-04-25
Modified 2015-05-22
php5
< 5.4.40

php55
< 5.5.24

php56
< 5.6.8

http://php.net/archive/2015.php#id2015-04-16-2
CVE-2014-9709
CVE-2015-2301
CVE-2015-2783
CVE-2015-1351
CVE-2015-1352
ports/199585
1f9e2376-c52f-11dd-8cbc-00163e000016 php5 -- potential magic_quotes_gpc vulnerability

PHP Developers report:

Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on.


Discovery 2008-12-07
Entry 2008-12-08
Modified 2010-05-02
php5
< 5.2.8

CVE-2008-5844
http://www.php.net/archive/2008.php#id2008-12-07-1
27d01223-c457-11dd-a721-0030843d3802 php -- multiple vulnerabilities

Secunia reports:

Some vulnerabilities have been reported in PHP, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

An input validation error exists within the "ZipArchive::extractTo()" function when extracting ZIP archives. This can be exploited to extract files to arbitrary locations outside the specified directory via directory traversal sequences in a specially crafted ZIP archive.

An error in the included PCRE library can be exploited to cause a buffer overflow.

The problem is that the "BG(page_uid)" and "BG(page_gid)" variables are not initialized. No further information is currently available.

The problem is that the "php_value" order is incorrect for Apache configurations. No further information is currently available.

An error in the GD library can be exploited to cause a crash via a specially crafted font file.


Discovery 2008-12-04
Entry 2008-12-07
php5
< 5.2.7

CVE-2008-2371
CVE-2008-2829
CVE-2008-3658
CVE-2008-3659
CVE-2008-3660
http://www.php.net/ChangeLog-5.php#5.2.7
http://www.sektioneins.de/advisories/SE-2008-06.txt
http://secunia.com/advisories/30916/
http://secunia.com/advisories/31409/
http://secunia.com/advisories/32964/
2b6ed5c7-1a7f-11e0-b61d-000c29d1636d php -- multiple vulnerabilities

PHP developers report:

Security Enhancements and Fixes in PHP 5.3.5:

  • Fixed bug #53632 (PHP hangs on numeric value 2.2250738585072011e-308). (CVE-2010-4645)

Security Enhancements and Fixes in PHP 5.2.17:

  • Fixed bug #53632 (PHP hangs on numeric value 2.2250738585072011e-308). (CVE-2010-4645)

Discovery 2011-01-06
Entry 2011-01-09
Modified 2011-01-09
php5
< 5.3.5

php52
< 5.2.17

CVE-2010-4645
2cde1892-913e-11e1-b44c-001fd0af1a4c php -- multiple vulnerabilities

php development team reports:

Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:

  • Insufficient validating of upload name leading to corrupted $_FILES indices. (CVE-2012-1172)
  • Add open_basedir checks to readline_write_history and readline_read_history.

Security Enhancements for both PHP 5.3.11 only:

  • Regression in magic_quotes_gpc fix for CVE-2012-0831.

Discovery 2012-03-01
Entry 2012-04-28
Modified 2012-05-04
php53
< 5.3.11

php5
< 5.3.11

CVE-2012-0831
CVE-2012-1172
http://www.php.net/archive/2012.php#id2012-04-26-1
31de2e13-00d2-11e5-a072-d050996490d0 php -- multiple vulnerabilities

PHP development team reports:

Fixed bug #69364 (PHP Multipart/form-data remote DoS Vulnerability). (CVE-2015-4024)

Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025)

Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow). (CVE-2015-4022)

Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)

Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry filename starts with null). (CVE-2015-4021)


Discovery 2015-05-14
Entry 2015-05-22
php5
< 5.4.41

php55
< 5.5.25

php56
< 5.6.9

CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
https://php.net/ChangeLog-5.php#5.6.9
3761df02-0f9c-11e0-becc-0022156e8794 php -- NULL byte poisoning

PHP-specific version of NULL-byte poisoning was briefly described by ShAnKaR:

Poison NULL byte vulnerability for perl CGI applications was described in [1]. ShAnKaR noted that the same vulnerability also affects different PHP applications.

PHP developers report that branch 5.3 received a fix:

Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).


Discovery 2010-12-10
Entry 2011-01-13
Modified 2012-11-25
php5
< 5.3.4

php52
< 5.2.17_12

CVE-2006-7243
http://www.securityfocus.com/archive/1/archive/1/445788/100/0/threaded
http://artofhacking.com/files/phrack/phrack55/P55-07.TXT
392b5b1d-9471-11dc-9db7-001c2514716c php -- multiple security vulnerabilities

PHP project reports:

Security Enhancements and Fixes in PHP 5.2.5:

  • Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
  • Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
  • Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf
  • Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
  • Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
  • Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
  • Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).

Discovery 2007-11-08
Entry 2007-11-16
php5
< 5.2.5

26403
CVE-2007-4887
39a25a63-eb5c-11de-b650-00215c6a37bb php -- multiple vulnerabilities

PHP developers report:

This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.12:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

Discovery 2009-12-17
Entry 2009-12-17
php5
< 5.2.12

CVE-2009-3557
CVE-2009-3558
CVE-2009-4017
CVE-2009-4142
CVE-2009-4143
http://www.php.net/releases/5_2_12.php
3d675519-5654-11e5-9ad8-14dae9d210b8 php -- multiple vulnerabilities

PHP reports:

  • Core:
    • Fixed bug #70172 (Use After Free Vulnerability in unserialize()).
    • Fixed bug #70219 (Use after free vulnerability in session deserializer).
  • EXIF:
    • Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes).
  • hash:
    • Fixed bug #70312 (HAVAL gives wrong hashes in specific cases).
  • PCRE:
    • Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions).
  • SOAP:
    • Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE).
  • SPL:
    • Fixed bug #70365 (Use-after-free vulnerability in unserialize() with SplObjectStorage).
    • Fixed bug #70366 (Use-after-free vulnerability in unserialize() with SplDoublyLinkedList).
  • XSLT:
    • Fixed bug #69782 (NULL pointer dereference).
  • ZIP:
    • Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories).

Discovery 2015-09-03
Entry 2015-09-08
Modified 2015-09-08
php5
php5-soap
php5-xsl
< 5.4.45

php55
php55-soap
php55-xsl
< 5.5.29

php56
php56-soap
php56-xsl
< 5.6.13

http://php.net/ChangeLog-5.php#5.4.45
http://php.net/ChangeLog-5.php#5.5.29
http://php.net/ChangeLog-5.php#5.6.13
CVE-2015-6834
CVE-2015-6835
CVE-2015-6836
CVE-2015-6837
CVE-2015-6838
3f1df2f9-cd22-11e0-9bb2-00215c6a37bb PHP -- crypt() returns only the salt for MD5

PHP development team reports:

If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected.


Discovery 2011-08-17
Entry 2011-08-23
Modified 2011-08-30
php5
ge 5.3.7 lt 5.3.7_2

https://bugs.php.net/bug.php?id=55439
3fd040be-4f0b-11e1-9e32-0025900931f8 php -- arbitrary remote code execution vulnerability

Secunia reports:

A vulnerability has been reported in PHP, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a logic error within the "php_register_variable_ex()" function (php_variables.c) when hashing form posts and updating a hash table, which can be exploited to execute arbitrary code.


Discovery 2012-02-02
Entry 2012-02-04
Modified 2012-02-06
php5
ge 5.3.9 lt 5.3.10

CVE-2012-0830
http://www.php.net/archive/2012.php#id2012-02-02-1
http://secunia.com/advisories/47806/
437a68cf-b752-11de-b6eb-00e0815b8da8 php5 -- Multiple security issues

Vendor reports:

Security Enhancements and Fixes in PHP 5.2.11:

  • Fixed certificate validation inside php_openssl_apply_verification_policy.
  • Fixed sanity check for the color index in imagecolortransparent.
  • Added missing sanity checks around exif processing.
  • Fixed bug 44683 popen crashes when an invalid mode is passed.


Discovery 2009-09-17
Entry 2009-10-12
php5
< 5.2.11

http://www.php.net/releases/5_2_11.php
CVE-2009-3291
CVE-2009-3292
CVE-2009-3293
47b4e713-6513-11e3-868f-0025905a4771 PHP5 -- memory corruption in openssl_x509_parse()

Stefan Esser reports:

The PHP function openssl_x509_parse() uses a helper function called asn1_time_to_time_t() to convert timestamps from ASN1 string format into integer timestamp values. The parser within this helper function is not binary safe and can therefore be tricked to write up to five NUL bytes outside of an allocated buffer.

This problem can be triggered by x509 certificates that contain NUL bytes in their notBefore and notAfter timestamp fields and leads to a memory corruption that might result in arbitrary code execution.

Depending on how openssl_x509_parse() is used within a PHP application the attack requires either a malicious cert signed by a compromised/malicious CA or can be carried out with a self-signed cert.


Discovery 2013-12-13
Entry 2013-12-14
php5
ge 5.4.0 lt 5.4.23

php53
< 5.3.28

php55
ge 5.5.0 lt 5.5.7

CVE-2013-6420
https://www.sektioneins.de/advisories/advisory-012013-php-openssl_x509_parse-memory-corruption-vulnerability.html
562a3fdf-16d6-11d9-bc4a-000c41e2cdad php -- vulnerability in RFC 1867 file upload processing

Stefano Di Paola discovered an issue with PHP that could allow someone to upload a file to any directory writeable by the httpd process. Any sanitizing performed on the prepended directory path is ignored. This bug can only be triggered if the $_FILES element name contains an underscore.


Discovery 2004-09-15
Entry 2004-09-15
Modified 2004-10-12
php4
php4-cgi
le 4.3.8_2

mod_php4
le 4.3.8_2,1

php5
php5-cgi
le 5.0.1

mod_php5
le 5.0.1,1

http://marc.theaimsgroup.com/?l=bugtraq&m=109534848430404
http://marc.theaimsgroup.com/?l=bugtraq&m=109648426331965
59b68b1e-9c78-11e1-b5e0-000c299b62e1 php -- multiple vulnerabilities

The PHP Development Team reports:

The release of PHP 5.4.13 and 5.4.3 complete a fix for the vulnerability in CGI-based setups as originally described in CVE-2012-1823. (CVE-2012-2311)

Note: mod_php and php-fpm are not vulnerable to this attack.

PHP 5.4.3 fixes a buffer overflow vulnerability in the apache_request_headers() (CVE-2012-2329).


Discovery 2012-05-08
Entry 2012-05-12
php5
gt 5.4 lt 5.4.3

< 5.3.13

php53
< 5.3.13

php52
< 5.2.17_9

CVE-2012-1823
CVE-2012-2311
CVE-2012-2329
59e7163c-cf84-11e2-907b-0025905a4770 php5 -- Heap based buffer overflow in quoted_printable_encode

The PHP development team reports:

A Heap-based buffer overflow flaw was found in the php quoted_printable_encode() function. A remote attacker could use this flaw to cause php to crash or execute arbitrary code with the permission of the user running php.


Discovery 2013-06-06
Entry 2013-06-07
php5
< 5.4.16

php53
< 5.3.26

CVE-2013-2110
https://bugzilla.redhat.com/show_bug.cgi?id=964969
5a1d5d74-29a0-11e5-86ff-14dae9d210b8 php -- arbitrary code execution

cmb reports:

When delayed variable substitution is enabled (can be set in the Registry, for instance), !ENV! works similar to %ENV%, and the value of the environment variable ENV will be substituted.


Discovery 2015-06-07
Entry 2015-07-13
php56
< 5.6.11

php55
< 5.5.27

php5
< 5.4.43

https://bugs.php.net/bug.php?id=69768
5def3175-f3f9-4476-ba40-b46627cc638c PHP5 -- Integer overflow in Calendar module

The PHP development team reports:

Integer overflow in the SdnToJewish function in jewish.c in the Calendar component in PHP before 5.3.26 and 5.4.x before 5.4.16 allows context-dependent attackers to cause a denial of service (application hang) via a large argument to the jdtojewish function.


Discovery 2013-05-22
Entry 2013-07-16
php5
ge 5.4.0 lt 5.4.16

php53
< 5.3.26

CVE-2013-4635
https://bugs.php.net/bug.php?id=64895
60de13d5-95f0-11e1-806a-001143cd36d8 php -- vulnerability in certain CGI-based setups

php development team reports:

Security Enhancements and Fixes in PHP 5.3.12:

  • Initial fix for cgi-bin ?-s cmdarg parse issue (CVE-2012-1823)

Discovery 2012-05-03
Entry 2012-05-05
php5
gt 5.4 lt 5.4.2

< 5.3.12

php53
< 5.3.12

php4
< 4.4.10

php52
< 5.2.17_8

CVE-2012-1823
71d903fc-602d-11dc-898c-001921ab2fa4 php -- multiple vulnerabilities

The PHP development team reports:

Security Enhancements and Fixes in PHP 5.2.4:

  • Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)
  • Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)
  • Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)
  • Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson)
  • Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)
  • Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)
  • Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson)
  • Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)
  • Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)
  • Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)
  • Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)
  • Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)
  • Improved fix for MOPB-03-2007.
  • Corrected fix for CVE-2007-2872.

Discovery 2007-08-30
Entry 2007-09-11
Modified 2008-01-14
php5
< 5.2.4

php4
< 4.4.8

CVE-2007-2872
CVE-2007-3378
CVE-2007-3806
CVE-2007-3996
CVE-2007-3997
CVE-2007-3998
CVE-2007-4652
CVE-2007-4657
CVE-2007-4658
CVE-2007-4659
CVE-2007-4660
CVE-2007-4661
CVE-2007-4662
CVE-2007-4663
CVE-2007-4670
http://www.php.net/releases/4_4_8.php
http://www.php.net/releases/5_2_4.php
http://secunia.com/advisories/26642
73634294-0fa7-11e0-becc-0022156e8794 php -- open_basedir bypass

MITRE reports:

fopen_wrappers.c in PHP 5.3.x through 5.3.3 might allow remote attackers to bypass open_basedir restrictions via vectors related to the length of a filename.


Discovery 2010-12-10
Entry 2011-01-13
php5
< 5.3.4

php52
< 5.2.15

44723
CVE-2010-3436
742563d4-d776-11e4-b595-4061861086c1 Several vulnerabilities found in PHP

The PHP project reports:

The PHP development team announces the immediate availability of PHP 5.6.7. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.6 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 5.5.23. Several bugs have been fixed as well as CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.5 users are encouraged to upgrade to this version.

The PHP development team announces the immediate availability of PHP 5.4.39. Six security-related bugs were fixed in this release, including CVE-2015-0231, CVE-2015-2305 and CVE-2015-2331. All PHP 5.4 users are encouraged to upgrade to this version.


Discovery 2015-03-19
Entry 2015-04-01
php53
le 5.3.29_5

php5
< 5.4.39

php55
< 5.5.23

php56
< 5.6.7

http://php.net/archive/2015.php#id2015-03-20-2
CVE-2015-0231
CVE-2015-2305
CVE-2015-2311
ports/198739
787ef75e-44da-11e5-93ad-002590263bf5 php5 -- multiple vulnerabilities

The PHP project reports:

Core:

  • Fixed bug #69793 (Remotely triggerable stack exhaustion via recursive method calls).
  • Fixed bug #70121 (unserialize() could lead to unexpected methods execution / NULL pointer deref).

OpenSSL:

  • Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically secure).

Phar:

  • Improved fix for bug #69441.
  • Fixed bug #70019 (Files extracted from archive may be placed outside of destination directory).

SOAP:

  • Fixed bug #70081 (SoapClient info leak / null pointer dereference via multiple type confusions).

SPL:

  • Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject items).
  • Fixed bug #70166 (Use After Free Vulnerability in unserialize() with SPLArrayObject).
  • Fixed bug #70168 (Use After Free Vulnerability in unserialize() with SplObjectStorage).
  • Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList).

Discovery 2015-08-06
Entry 2015-08-17
Modified 2015-09-08
php5
php5-openssl
php5-phar
php5-soap
< 5.4.44

php55
php55-openssl
php55-phar
php55-soap
< 5.5.28

php56
php56-openssl
php56-phar
php56-soap
< 5.6.12

http://php.net/ChangeLog-5.php#5.4.44
http://php.net/ChangeLog-5.php#5.5.28
http://php.net/ChangeLog-5.php#5.6.12
CVE-2015-6831
CVE-2015-6832
CVE-2015-6833
7fcf1727-be71-11db-b2ec-000c6ec775d9 php -- multiple vulnerabilities

Multiple vulnerabilities have been found in PHP, including: buffer overflows, stack overflows, format string, and information disclosure vulnerabilities.

The session extension contained safe_mode and open_basedir bypasses, but the FreeBSD Security Officer does not consider these real security vulnerabilities, since safe_mode and open_basedir are insecure by design and should not be relied upon.


Discovery 2007-02-09
Entry 2007-02-17
Modified 2013-04-01
php5-imap
php5-odbc
php5-session
php5-shmop
php5-sqlite
php5-wddx
php5
< 5.2.1_2

php4-odbc
php4-session
php4-shmop
php4-wddx
php4
< 4.4.5

mod_php4-twig
mod_php4
mod_php5
mod_php
php4-cgi
php4-cli
php4-dtc
php4-horde
php4-nms
php5-cgi
php5-cli
php5-dtc
php5-horde
php5-nms
ge 4 lt 4.4.5

ge 5 lt 5.2.1_2

CVE-2007-0905
CVE-2007-0906
CVE-2007-0907
CVE-2007-0908
CVE-2007-0909
CVE-2007-0910
CVE-2007-0988
http://secunia.com/advisories/24089/
http://www.php.net/releases/4_4_5.php
http://www.php.net/releases/5_2_1.php
7fe7df75-6568-11e6-a590-14dae9d210b8 End of Life Ports

These packages have reached End of Life status and/or have been removed from the Ports Tree. They may contain undocumented security issues. Please take caution and find alternative software as soon as possible.


Discovery 2016-08-18
Entry 2016-08-18
Modified 2016-10-18
python32
python31
python30
python26
python25
python24
python23
python22
python21
python20
python15
ge 0

php54
php53
php52
php5
php4
ge 0

perl5
< 5.18

perl5.16
perl5.14
perl5.12
perl
ge 0

ruby
ruby_static
< 2.1,1

unifi2
unifi3
ge 0

apache21
apache20
apache13
ge 0

tomcat55
tomcat41
ge 0

mysql51-client
mysql51-server
mysql50-client
mysql50-server
mysql41-client
mysql41-server
mysql40-client
mysql40-server
ge 0

postgresql90-client
postgresql90-server
postgresql84-client
postgresql84-server
postgresql83-client
postgresql83-server
postgresql82-client
postgresql82-server
postgresql81-client
postgresql81-server
postgresql80-client
postgresql80-server
postgresql74-client
postgresql74-server
postgresql73-client
postgresql73-server
postgresql72-client
postgresql72-server
postgresql71-client
postgresql71-server
postgresql7-client
postgresql7-server
ge 0

ports/211975
918f38cd-f71e-11e1-8bd8-0022156e8794 php5 -- header splitting attack via carriage-return character

Rui Hirokawa reports:

As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as line-end marker, it doesn't check the carriage-return (CR, 0x0D).

However, some browsers including Google Chrome, IE also recognize CR as the line-end.

The current specification of header() still has the vulnerability against the HTTP header splitting attack.


Discovery 2011-11-06
Entry 2012-09-05
Modified 2012-09-19
php5
ge 5.2 lt 5.2.17_11

ge 5.3 lt 5.3.11

ge 5.4 lt 5.4.1

php52
< 5.2.17_11

php53
< 5.3.11

CVE-2011-1398
https://bugs.php.net/bug.php?id=60227
9b2a5e88-02b8-11e2-92d1-000d601460a4 php5 -- Denial of Service in php_date_parse_tzfile()

MITRE CVE team reports:

Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache.


Discovery 2010-12-08
Entry 2012-09-19
php5
ge 5.2 lt 5.2.17_11

ge 5.3 lt 5.3.9

php52
< 5.2.17_11

php53
< 5.3.9

CVE-2012-0789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0789
https://bugs.php.net/bug.php?id=53502
ad74a1bd-16d2-11d9-bc4a-000c41e2cdad php -- php_variables memory disclosure

Stefano Di Paola reports:

Bad array parsing in php_variables.c could lead to show arbitrary memory content such as pieces of php code and other data. This affects all GET, POST or COOKIES variables.


Discovery 2004-09-15
Entry 2004-10-05
mod_php4-twig
php4-cgi
php4-cli
php4-dtc
php4-horde
php4-nms
php4
le 4.3.8_2

mod_php
mod_php4
ge 4 le 4.3.8_2,1

php5
php5-cgi
php5-cli
le 5.0.1

mod_php5
le 5.0.1,1

http://marc.theaimsgroup.com/?l=bugtraq&m=109527531130492
af7fbd91-29a1-11e5-86ff-14dae9d210b8 php -- use-after-free vulnerability

Symeon Paraschoudis reports:

Use-after-free vulnerability in spl_recursive_it_move_forward_ex()


Discovery 2015-06-30
Entry 2015-07-13
php56
< 5.6.11

php55
< 5.5.27

php5
< 5.4.43

https://bugs.php.net/bug.php?id=69970
bdab0acd-d4cd-11e1-8a1c-14dae9ebcf89 php -- potential overflow in _php_stream_scandir

The PHP Development Team reports:

The release of PHP 5.4.15 and 5.4.5 fix a potential overflow in _php_stream_scandir


Discovery 2012-07-19
Entry 2012-07-23
Modified 2013-01-15
php5
gt 5.4 lt 5.4.5

ge 5.3 lt 5.3.15

ge 5.2 lt 5.2.17_10

php53
< 5.3.15

php52
< 5.2.17_10

CVE-2012-2688
http://www.php.net/archive/2012.php#id2012-07-19-1
d3921810-3c80-11e1-97e8-00215c6a37bb php -- multiple vulnerabilities

php development team reports:

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Discovery 2011-12-29
Entry 2012-01-11
Modified 2012-01-19
php5
php5-exif
< 5.3.9

php52
< 5.2.17_5

php52-exif
< 5.2.17_6

CVE-2011-4566
CVE-2011-4885
http://www.nruns.com/_downloads/advisory28122011.pdf
d47e9d19-5016-11d9-9b5f-0050569f0001 php -- multiple vulnerabilities

Secunia reports:

Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system.


Discovery 2004-12-16
Entry 2004-12-17
Modified 2004-12-18
mod_php4-twig
php4-cgi
php4-cli
php4-dtc
php4-horde
php4-nms
php4
< 4.3.10

mod_php
mod_php4
ge 4 lt 4.3.10,1

php5
php5-cgi
php5-cli
< 5.0.3

mod_php5
< 5.0.3,1

http://secunia.com/advisories/13481/
CVE-2004-1019
CVE-2004-1065
http://www.php.net/release_4_3_10.php
http://www.hardened-php.net/advisories/012004.txt
dd7aa4f1-102f-11d9-8a8a-000c41e2cdad php -- memory_limit related vulnerability

Stefan Esser of e-matters discovered a condition within PHP that may lead to remote execution of arbitrary code. The memory_limit facility is used to notify functions when memory constraints have been met. Under certain conditions, the entry into this facility is able to interrupt functions such as zend_hash_init() at locations not suitable for interruption. The result would leave these functions in a vulnerable state.

An attacker that is able to trigger the memory_limit abort within zend_hash_init() and is additionally able to control the heap before the HashTable itself is allocated, is able to supply his own HashTable destructor pointer. [...]

All mentioned places outside of the extensions are quite easy to exploit, because the memory allocation up to those places is deterministic and quite static throughout different PHP versions. [...]

Because the exploit itself consists of supplying an arbitrary destructor pointer this bug is exploitable on any platform.


Discovery 2004-07-07
Entry 2004-09-27
Modified 2004-10-02
mod_php4-twig
php4
php4-cgi
php4-cli
php4-dtc
php4-horde
php4-nms
le 4.3.7_3

mod_php4
le 4.3.7_3,1

php5
php5-cgi
php5-cli
le 5.0.0.r3_2

mod_php5
le 5.0.0.r3_2,1

CVE-2004-0594
http://marc.theaimsgroup.com/?l=bugtraq&m=108981780109154
http://security.e-matters.de/advisories/112004.html
10725
e329550b-54f7-11db-a5ae-00508d6a62df php -- _ecalloc Integer Overflow Vulnerability

Stefan Esser reports:

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.

It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function. Earlier vulnerabilities in PHP's unserialize() that were also discovered by one of our audits in December 2004 are unrelated to the newly discovered flaw, but they have shown that the unserialize() function is exposed to user-input in many popular PHP applications. Examples for applications that use the content of COOKIE variables with unserialize() are phpBB and Serendipity.

The successful exploitation of this integer overflow will result in arbitrary code execution.


Discovery 2006-09-30
Entry 2006-10-06
Modified 2013-04-01
php5
< 5.1.6_1

php5-cli
php5-cgi
php5-dtc
php5-horde
php5-nms
mod_php5
ge 5 lt 5.1.6_1

CVE-2006-4812
http://www.hardened-php.net/advisory_092006.133.html
http://secunia.com/advisories/22280/
ea09c5df-4362-11db-81e1-000e0c2e438a php -- multiple vulnerabilities

The PHP development team reports:

  • Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
  • Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
  • Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache.
  • Fixed overflow in GD extension on invalid GIF images.
  • Fixed a buffer overflow inside sscanf() function.
  • Fixed an out of bounds read inside stripos() function.
  • Fixed memory_limit restriction on 64 bit system.

Discovery 2006-08-18
Entry 2006-09-13
Modified 2014-03-28
php4
php5
< 4.4.4

ge 5 lt 5.1.5

php4-cli
php5-cli
php4-cgi
php5-cgi
php4-dtc
php5-dtc
php4-horde
php5-horde
php4-nms
php5-nms
mod_php4
mod_php5
< 4.4.4

ge 5 lt 5.1.5

CVE-2006-4481
CVE-2006-4482
CVE-2006-4483
CVE-2006-4484
CVE-2006-4485
CVE-2006-4486
http://www.php.net/release_4_4_4.php
http://www.php.net/release_5_1_5.php
edabe438-542f-11db-a5ae-00508d6a62df php -- open_basedir Race Condition Vulnerability

Stefan Esser reports:

PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed.

Obviously there is a little span of time between the check and the actual open call. During this time span the checked path could have been altered and point to a file that is forbidden to be accessed due to open_basedir restrictions.

Because the open_basedir restrictions often not call PHP functions but 3rd party library functions to actually open the file it is impossible to close this time span in a general way. It would only be possible to close it when PHP handles the actual opening on its own.

While it seems hard to change the path during this little time span it is very simple with the use of the symlink() function combined with a little trick. PHP's symlink() function ensures that source and target of the symlink operation are allowed by open_basedir restrictions (and safe_mode). However it is possible to point a symlink to any file by the use of mkdir(), unlink() and at least two symlinks.


Discovery 2006-10-02
Entry 2006-10-05
Modified 2013-04-01
php4
php5
< 4.4.4_1

ge 5 lt 5.1.6_2

php-suhosin
< 0.9.6

php4-cli
php5-cli
php4-cgi
php5-cgi
php4-dtc
php5-dtc
php4-horde
php5-horde
php4-nms
php5-nms
mod_php4
mod_php5
ge 4 lt 4.4.4_1

ge 5 lt 5.1.6_2

20326
CVE-2006-5178
http://www.hardened-php.net/advisory_082006.132.html
http://secunia.com/advisories/22235/
edf61c61-0f07-11d9-8393-000103ccf9d6 php -- strip_tags cross-site scripting vulnerability

Stefan Esser of e-matters discovered that PHP's strip_tags() function would ignore certain characters during parsing of tags, allowing these tags to pass through. Select browsers could then parse these tags, possibly allowing cross-site scripting attacks.


Discovery 2004-07-07
Entry 2004-09-27
Modified 2013-06-19
mod_php4-twig
php4
php4-cgi
php4-cli
php4-dtc
php4-horde
php4-nms
le 4.3.7_3

mod_php4
le 4.3.7_3,1

php5
php5-cgi
php5-cli
le 5.0.0.r3_2

mod_php5
le 5.0.0.r3_2,1

CVE-2004-0595
http://marc.theaimsgroup.com/?l=bugtraq&m=108981589117423
http://security.e-matters.de/advisories/122004.html
10724
ee6fa2bd-406a-11dd-936a-0015af872849 php -- input validation error in safe_mode

According to Maksymilian Arciemowicz's research, it is possible to bypass security restrictions of safe_mode in various functions via a directory traversal vulnerability. The attacker can use this attack to gain access to sensitive information. Functions utilizing expand_filepath() may be affected.

It should be noted that this vulnerability is not considered to be serious by the FreeBSD Security Team, since safe_mode and open_basedir are insecure by design and should not be relied upon.


Discovery 2008-06-17
Entry 2008-06-22
Modified 2008-09-04
php5
< 5.2.6_2

CVE-2008-2665
CVE-2008-2666
29797
http://securityreason.com/achievement_securityalert/54
f3148a05-0fa7-11e0-becc-0022156e8794 php -- corruption of $GLOBALS and $this variables via extract() method

Off-by-one error in the sanity validator for the extract() method allowed attackers to replace the values of $GLOBALS and $this when mode EXTR_OVERWRITE was used.


Discovery 2010-12-10
Entry 2011-01-13
php5
< 5.3.4

php52
< 5.2.15

http://www.mail-archive.com/php-cvs@lists.php.net/msg47722.html
http://www.php.net/releases/5_2_15.php
f5e52bf5-fc77-11db-8163-000e0c2e438a php -- multiple vulnerabilities

The PHP development team reports:

Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7:

  • Fixed CVE-2007-1001, GD wbmp used with invalid image size
  • Fixed asciiz byte truncation inside mail()
  • Fixed a bug in mb_parse_str() that can be used to activate register_globals
  • Fixed unallocated memory access/double free in array_user_key_compare()
  • Fixed a double free inside session_regenerate_id()
  • Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
  • Limit nesting level of input variables with max_input_nesting_level as fix for.
  • Fixed CRLF injection inside ftp_putcmd().
  • Fixed a possible super-global overwrite inside import_request_variables().
  • Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library.

Security Enhancements and Fixes in PHP 5.2.2 only:

  • Fixed a header injection via Subject and To parameters to the mail() function
  • Fixed wrong length calculation in unserialize S type.
  • Fixed substr_compare and substr_count information leak.
  • Fixed a remotely trigger-able buffer overflow inside make_http_soap_request().
  • Fixed a buffer overflow inside user_filter_factory_create().

Security Enhancements and Fixes in PHP 4.4.7 only:

  • XSS in phpinfo()

Discovery 2007-05-03
Entry 2007-05-07
Modified 2014-04-01
php5-imap
php5-odbc
php5-session
php5-shmop
php5-sqlite
php5-wddx
php5
< 5.2.2

php4-odbc
php4-session
php4-shmop
php4-wddx
php4
< 4.4.7

mod_php4-twig
mod_php4
mod_php5
mod_php
php4-cgi
php4-cli
php4-dtc
php4-horde
php4-nms
php5-cgi
php5-cli
php5-dtc
php5-horde
php5-nms
ge 4 lt 4.4.7

ge 5 lt 5.2.2

CVE-2007-1001
http://www.php.net/releases/4_4_7.php
http://www.php.net/releases/5_2_2.php
f6377f08-12a7-11dd-bab7-0016179b2dd5 php -- integer overflow vulnerability

CVE reports:

Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions).


Discovery 2008-03-21
Entry 2008-04-25
Modified 2008-05-02
php5
< 5.2.6

CVE-2008-1384
28392
http://securityreason.com/achievement_securityalert/52
f7a9e415-bdca-11e4-970c-000c292ee6b8 php5 -- multiple vulnerabilities

The PHP Project reports:

Use after free vulnerability in unserialize() with DateTimeZone.

Mitigation for CVE-2015-0235 -- GHOST: glibc gethostbyname buffer overflow.


Discovery 2015-02-18
Entry 2015-02-26
php5
< 5.4.38

php55
< 5.5.22

php56
< 5.6.6

CVE-2015-0235
CVE-2015-0273
http://php.net/ChangeLog-5.php#5.4.38
http://php.net/ChangeLog-5.php#5.5.22
http://php.net/ChangeLog-5.php#5.6.6