SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1351-1
Rating:             important
References:         #699711 #709549 #713652 #728671 #733590 #735613 #736169
                    #738221 #741520 #741859 #742273 #742806 #743308 #744966
                    #746661 #749111 #752030 #753778 #760536 #761631 #772580
                    #772582 #775852 #778003 #783239 #807707 #828020 #829207
Cross-References:   CVE-2011-1072 CVE-2011-1398 CVE-2011-1466 CVE-2011-2202
                    CVE-2011-3182 CVE-2011-4153 CVE-2011-4388 CVE-2011-4566
                    CVE-2011-4885 CVE-2012-0057 CVE-2012-0781 CVE-2012-0788
                    CVE-2012-0789 CVE-2012-0807 CVE-2012-0830 CVE-2012-0831
                    CVE-2012-1172 CVE-2012-1823 CVE-2012-2311 CVE-2012-2335
                    CVE-2012-2336 CVE-2012-2688 CVE-2012-3365 CVE-2013-1635
                    CVE-2013-1643 CVE-2013-4113 CVE-2013-4635
Affected Products:
                    SUSE Linux Enterprise Server 10 SP3 LTSS
______________________________________________________________________________

   An update that solves 27 vulnerabilities and has one errata
   is now available. It includes one version update.

Description:

   php5 has been updated to roll up all pending security fixes for Long Term
   Service Pack Support.

   The following security issues have been fixed:

   * CVE-2013-4635: Integer overflow in the SdnToJewish function in jewish.c
     in the Calendar component in PHP allowed context-dependent attackers to
     cause a denial of service (application hang) via a large argument to the
     jdtojewish function.

   * CVE-2013-1635: ext/soap/soap.c in PHP did not validate the relationship
     between the soap.wsdl_cache_dir directive and the open_basedir
     directive, which allowed remote attackers to bypass intended access
     restrictions by triggering the creation of cached SOAP WSDL files in an
     arbitrary directory.

   * CVE-2013-1643: The SOAP parser in PHP allowed remote attackers to read
     arbitrary files via a SOAP WSDL file containing an XML external entity
     declaration in conjunction with an entity reference, related to an XML
     External Entity (XXE) issue in the soap_xmlParseFile and
     soap_xmlParseMemory functions.

   * CVE-2013-4113: ext/xml/xml.c in PHP before 5.3.27 did not properly
     consider parsing depth, which allowed remote attackers to cause a denial
     of service (heap memory corruption) or possibly have unspecified other
     impact via a crafted document that is processed by the
     xml_parse_into_struct function.

   * CVE-2011-1398 / CVE-2012-4388: The sapi_header_op function in
     main/SAPI.c in PHP did not check for %0D sequences (aka carriage return
     characters), which allowed remote attackers to bypass an HTTP
     response-splitting protection mechanism via a crafted URL, related to
     improper interaction between the PHP header function and certain
     browsers, as demonstrated by Internet Explorer and Google Chrome.

   * CVE-2012-2688: An unspecified vulnerability in the _php_stream_scandir
     function in the stream implementation in PHP had unknown impact and
     remote attack vectors, related to an "overflow."

   * CVE-2012-3365: The SQLite functionality in PHP before 5.3.15 allowed
     remote attackers to bypass the open_basedir protection mechanism via
     unspecified vectors.

   * CVE-2012-1823: sapi/cgi/cgi_main.c in PHP, when configured as a CGI
     script (aka php-cgi), did not properly handle query strings that lack an
     = (equals sign) character, which allowed remote attackers to execute
     arbitrary code by placing command-line options in the query string,
     related to lack of skipping a certain php_getopt for the 'd' case.

   * CVE-2012-2335: php-wrapper.fcgi did not properly handle command-line
     arguments, which allowed remote attackers to bypass a protection
     mechanism in PHP and execute arbitrary code by leveraging improper
     interaction between the PHP sapi/cgi/cgi_main.c component and a query
     string beginning with a +- sequence.

   * CVE-2012-2336: sapi/cgi/cgi_main.c in PHP, when configured as a CGI
     script (aka php-cgi), did not properly handle query strings that lack an
     = (equals sign) character, which allowed remote attackers to cause a
     denial of service (resource consumption) by placing command-line options
     in the query string, related to lack of skipping a certain php_getopt
     for the 'T' case. NOTE: this vulnerability exists because of an
     incomplete fix for CVE-2012-1823.

   * CVE-2012-2311: sapi/cgi/cgi_main.c in PHP, when configured as a CGI
     script (aka php-cgi), did not properly handle query strings that contain
     a %3D sequence but no = (equals sign) character, which allowed remote
     attackers to execute arbitrary code by placing command-line options in
     the query string, related to lack of skipping a certain php_getopt for
     the 'd' case. NOTE: this vulnerability exists because of an incomplete
     fix for CVE-2012-1823.

   * CVE-2012-1172: The file-upload implementation in rfc1867.c in PHP did
     not properly handle invalid [ (open square bracket) characters in name
     values, which made it easier for remote attackers to cause a denial of
     service (malformed $_FILES indexes) or conduct directory traversal
     attacks during multi-file uploads by leveraging a script that lacks its
     own filename restrictions.

   * CVE-2012-0830: The php_register_variable_ex function in php_variables.c
     in PHP allowed remote attackers to execute arbitrary code via a request
     containing a large number of variables, related to improper handling of
     array variables. NOTE: this vulnerability exists because of an incorrect
     fix for CVE-2011-4885.

   * CVE-2012-0807: Stack-based buffer overflow in the
     suhosin_encrypt_single_cookie function in the transparent
     cookie-encryption feature in the Suhosin extension before 0.9.33 for
     PHP, when suhosin.cookie.encrypt and suhosin.multiheader are enabled,
     might have allowed remote attackers to execute arbitrary code via a long
     string that is used in a Set-Cookie HTTP header.

   * CVE-2012-0057: PHP had improper libxslt security settings, which allowed
     remote attackers to create arbitrary files via a crafted XSLT stylesheet
     that uses the libxslt output extension.

   * CVE-2012-0831: PHP did not properly perform a temporary change to the
     magic_quotes_gpc directive during the importing of environment
     variables, which made it easier for remote attackers to conduct SQL
     injection attacks via a crafted request, related to main/php_variables.c,
     sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.

   * CVE-2011-4153: PHP did not always check the return value of the
     zend_strndup function, which might have allowed remote attackers to
     cause a denial of service (NULL pointer dereference and application
     crash) via crafted input to an application that performs strndup
     operations on untrusted string data, as demonstrated by the define
     function in zend_builtin_functions.c, and unspecified functions in
     ext/soap/php_sdl.c, ext/standard/syslog.c, ext/standard/browscap.c,
     ext/oci8/oci8.c, ext/com_dotnet/com_typeinfo.c, and
     main/php_open_temporary_file.c.

   * CVE-2012-0781: The tidy_diagnose function in PHP might have allowed
     remote attackers to cause a denial of service (NULL pointer dereference
     and application crash) via crafted input to an application that attempts
     to perform Tidy::diagnose operations on invalid objects, a different
     vulnerability than CVE-2011-4153.

   * CVE-2012-0788: The PDORow implementation in PHP did not properly
     interact with the session feature, which allowed remote attackers to
     cause a denial of service (application crash) via a crafted application
     that uses a PDO driver for a fetch and then calls the session_start
     function, as demonstrated by a crash of the Apache HTTP Server.

   * CVE-2012-0789: Memory leak in the timezone functionality in PHP allowed
     remote attackers to cause a denial of service (memory consumption) by
     triggering many strtotime function calls, which were not properly
     handled by the php_date_parse_tzfile cache.

   * CVE-2011-4885: PHP computed hash values for form parameters without
     restricting the ability to trigger hash collisions predictably, which
     allowed remote attackers to cause a denial of service (CPU consumption)
     by sending many crafted parameters. We added a max_input_vars directive
     to prevent attacks based on hash collisions.

   * CVE-2011-4566: Integer overflow in the exif_process_IFD_TAG function in
     exif.c in the exif extension in PHP allowed remote attackers to read the
     contents of arbitrary memory locations or cause a denial of service via
     a crafted offset_val value in an EXIF header in a JPEG file, a different
     vulnerability than CVE-2011-0708.

   * CVE-2011-3182: PHP did not properly check the return values of the
     malloc, calloc, and realloc library functions, which allowed
     context-dependent attackers to cause a denial of service (NULL pointer
     dereference and application crash) or trigger a buffer overflow by
     leveraging the ability to provide an arbitrary value for a function
     argument, related to (1) ext/curl/interface.c,
     (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c,
     (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c,
     (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c,
     (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c,
     (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

   * CVE-2011-1466: Integer overflow in the SdnToJulian function in the
     Calendar extension in PHP allowed context-dependent attackers to cause a
     denial of service (application crash) via a large integer in the first
     argument to the cal_from_jd function.

   * CVE-2011-1072: The installer in PEAR allowed local users to overwrite
     arbitrary files via a symlink attack on the package.xml file, related to
     the (1) download_dir, (2) cache_dir, (3) tmp_dir, and
     (4) pear-build-download directories, a different vulnerability than
     CVE-2007-2519.

   * CVE-2011-2202: The rfc1867_post_handler function in main/rfc1867.c in
     PHP did not properly restrict filenames in multipart/form-data POST
     requests, which allowed remote attackers to conduct absolute path
     traversal attacks, and possibly create or overwrite arbitrary files, via
     a crafted upload request, related to a "file path injection
     vulnerability."

   Bugfixes:

   * fixed php bug #43200 (Interface implementation / inheritance not
     possible in abstract classes) [bnc#783239]
   * use FilesMatch with 'SetHandler' rather than 'AddHandler' [bnc#775852]
   * fixed unpredictable unpack()/pack() behaviour [bnc#753778]
   * memory corruption in parse_ini_string() [bnc#742806]
   * amend README.SUSE to discourage using apache module with apache2-worker
     [bnc#728671]
   * allow uploading files bigger than 2GB for 64bit systems [bnc#709549]

Security Issue references:

   * CVE-2011-1072
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1072>
   * CVE-2011-1398
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1398>
   * CVE-2011-1466
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1466>
   * CVE-2011-2202
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202>
   * CVE-2011-3182
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3182>
   * CVE-2011-4153
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4153>
   * CVE-2011-4388
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4388>
   * CVE-2011-4566
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566>
   * CVE-2011-4885
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885>
   * CVE-2012-0057
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057>
   * CVE-2012-0781
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0781>
   * CVE-2012-0788
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0788>
   * CVE-2012-0789
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0789>
   * CVE-2012-0807
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807>
   * CVE-2012-0830
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830>
   * CVE-2012-0831
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831>
   * CVE-2012-1172
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1172>
   * CVE-2012-1823
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>
   * CVE-2012-2311
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311>
   * CVE-2012-2335
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2335>
   * CVE-2012-2336
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2336>
   * CVE-2012-2688
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2688>
   * CVE-2012-3365
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3365>
   * CVE-2013-1635
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635>
   * CVE-2013-1643
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643>
   * CVE-2013-4113
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4113>
   * CVE-2013-4635
     <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4635>
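The four php-cgi entries above (CVE-2012-1823, CVE-2012-2311, CVE-2012-2335 and CVE-2012-2336) all rest on the same CGI convention: when a query string contains no literal = character, the web server splits it on + , percent-decodes each piece and hands the pieces to the CGI program as command-line arguments. The Python script below is an added example, not part of this advisory and not PHP's own code; it applies that convention to web server access-log lines to find requests that would have reached php-cgi as options. The log lines, client address and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined format, trimmed to the fields
# used here). Lines 2 to 5 are the four shapes named in the advisory; lines
# 1, 6 and 7 are ordinary requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2013:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.5 - - [10/Aug/2013:12:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 9812
203.0.113.5 - - [10/Aug/2013:12:00:03 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 77
203.0.113.5 - - [10/Aug/2013:12:00:04 +0000] "GET /index.php?+-s HTTP/1.1" 200 9812
203.0.113.5 - - [10/Aug/2013:12:00:05 +0000] "GET /index.php?-T+1000000 HTTP/1.1" 200 0
203.0.113.5 - - [10/Aug/2013:12:00:06 +0000] "GET /search.php?q=-d+foo HTTP/1.1" 200 300
203.0.113.5 - - [10/Aug/2013:12:00:07 +0000] "GET /index.php?a+b+c HTTP/1.1" 200 300
"""

# Pull method, path and raw (still percent-encoded) query string out of the
# quoted request field.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]*)(?:\?(?P<query>[^ "]*))? HTTP/[0-9.]+"'
)


def cgi_argv_from_query(query):
    """Model the CGI rule: a query string with no literal '=' is split on '+'
    and each piece percent-decoded; anything else is ordinary parameters."""
    if query is None or "=" in query:
        return []
    return [unquote(piece) for piece in query.split("+")]


def injected_options(query):
    """Arguments that php-cgi would have parsed as options (leading '-').
    Decoding per piece catches %3D (CVE-2012-2311); splitting before the
    dash test catches a leading '+-' (CVE-2012-2335)."""
    return [arg for arg in cgi_argv_from_query(query) if arg.startswith("-")]


def scan_log(text):
    """Return (line_no, method, path, options) for every suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        opts = injected_options(m.group("query"))
        if opts:
            hits.append((n, m.group("method"), m.group("path"), opts))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s %s -> php-cgi options %r" % hit)
```

A query string with a literal = is left alone because the server would not have turned it into argv; that keeps line 6, where the dash sits inside a parameter value, out of the results. A filter that only matches a leading - or %2d in the raw query string misses both the +- and the %3D variants, which is exactly why those two got CVEs of their own.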
Package List:

   - SUSE Linux Enterprise Server 10 SP3 LTSS (i586 s390x x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.42.1
      php5-5.2.14-0.42.1
      php5-bcmath-5.2.14-0.42.1
      php5-bz2-5.2.14-0.42.1
      php5-calendar-5.2.14-0.42.1
      php5-ctype-5.2.14-0.42.1
      php5-curl-5.2.14-0.42.1
      php5-dba-5.2.14-0.42.1
      php5-dbase-5.2.14-0.42.1
      php5-devel-5.2.14-0.42.1
      php5-dom-5.2.14-0.42.1
      php5-exif-5.2.14-0.42.1
      php5-fastcgi-5.2.14-0.42.1
      php5-ftp-5.2.14-0.42.1
      php5-gd-5.2.14-0.42.1
      php5-gettext-5.2.14-0.42.1
      php5-gmp-5.2.14-0.42.1
      php5-hash-5.2.14-0.42.1
      php5-iconv-5.2.14-0.42.1
      php5-imap-5.2.14-0.42.1
      php5-json-5.2.14-0.42.1
      php5-ldap-5.2.14-0.42.1
      php5-mbstring-5.2.14-0.42.1
      php5-mcrypt-5.2.14-0.42.1
      php5-mhash-5.2.14-0.42.1
      php5-mysql-5.2.14-0.42.1
      php5-ncurses-5.2.14-0.42.1
      php5-odbc-5.2.14-0.42.1
      php5-openssl-5.2.14-0.42.1
      php5-pcntl-5.2.14-0.42.1
      php5-pdo-5.2.14-0.42.1
      php5-pear-5.2.14-0.42.1
      php5-pgsql-5.2.14-0.42.1
      php5-posix-5.2.14-0.42.1
      php5-pspell-5.2.14-0.42.1
      php5-shmop-5.2.14-0.42.1
      php5-snmp-5.2.14-0.42.1
      php5-soap-5.2.14-0.42.1
      php5-sockets-5.2.14-0.42.1
      php5-sqlite-5.2.14-0.42.1
      php5-suhosin-5.2.14-0.42.1
      php5-sysvmsg-5.2.14-0.42.1
      php5-sysvsem-5.2.14-0.42.1
      php5-sysvshm-5.2.14-0.42.1
      php5-tokenizer-5.2.14-0.42.1
      php5-wddx-5.2.14-0.42.1
      php5-xmlreader-5.2.14-0.42.1
      php5-xmlrpc-5.2.14-0.42.1
      php5-xsl-5.2.14-0.42.1
      php5-zlib-5.2.14-0.42.1

References:

   http://support.novell.com/security/cve/CVE-2011-1072.html
   http://support.novell.com/security/cve/CVE-2011-1398.html
   http://support.novell.com/security/cve/CVE-2011-1466.html
   http://support.novell.com/security/cve/CVE-2011-2202.html
   http://support.novell.com/security/cve/CVE-2011-3182.html
   http://support.novell.com/security/cve/CVE-2011-4153.html
   http://support.novell.com/security/cve/CVE-2011-4388.html
   http://support.novell.com/security/cve/CVE-2011-4566.html
   http://support.novell.com/security/cve/CVE-2011-4885.html
   http://support.novell.com/security/cve/CVE-2012-0057.html
   http://support.novell.com/security/cve/CVE-2012-0781.html
   http://support.novell.com/security/cve/CVE-2012-0788.html
   http://support.novell.com/security/cve/CVE-2012-0789.html
   http://support.novell.com/security/cve/CVE-2012-0807.html
   http://support.novell.com/security/cve/CVE-2012-0830.html
   http://support.novell.com/security/cve/CVE-2012-0831.html
   http://support.novell.com/security/cve/CVE-2012-1172.html
   http://support.novell.com/security/cve/CVE-2012-1823.html
   http://support.novell.com/security/cve/CVE-2012-2311.html
   http://support.novell.com/security/cve/CVE-2012-2335.html
   http://support.novell.com/security/cve/CVE-2012-2336.html
   http://support.novell.com/security/cve/CVE-2012-2688.html
   http://support.novell.com/security/cve/CVE-2012-3365.html
   http://support.novell.com/security/cve/CVE-2013-1635.html
   http://support.novell.com/security/cve/CVE-2013-1643.html
   http://support.novell.com/security/cve/CVE-2013-4113.html
   http://support.novell.com/security/cve/CVE-2013-4635.html
   https://bugzilla.novell.com/699711
   https://bugzilla.novell.com/709549
   https://bugzilla.novell.com/713652
   https://bugzilla.novell.com/728671
   https://bugzilla.novell.com/733590
   https://bugzilla.novell.com/735613
   https://bugzilla.novell.com/736169
   https://bugzilla.novell.com/738221
   https://bugzilla.novell.com/741520
   https://bugzilla.novell.com/741859
   https://bugzilla.novell.com/742273
   https://bugzilla.novell.com/742806
   https://bugzilla.novell.com/743308
   https://bugzilla.novell.com/744966
   https://bugzilla.novell.com/746661
   https://bugzilla.novell.com/749111
   https://bugzilla.novell.com/752030
   https://bugzilla.novell.com/753778
   https://bugzilla.novell.com/760536
   https://bugzilla.novell.com/761631
   https://bugzilla.novell.com/772580
   https://bugzilla.novell.com/772582
   https://bugzilla.novell.com/775852
   https://bugzilla.novell.com/778003
   https://bugzilla.novell.com/783239
   https://bugzilla.novell.com/807707
   https://bugzilla.novell.com/828020
   https://bugzilla.novell.com/829207
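The CVE-2011-1398 entry is about one missing character class: header() refused a newline in a value but not a bare carriage return, and browsers such as Internet Explorer and Chrome accepted a lone CR as the end of a header line. The Python snippet below is an added example, not part of this advisory and not taken from PHP's SAPI code. It puts a mirror of that incomplete check beside a strict one, builds a redirect from an attacker-controlled value, and parses the result the way a CR-tolerant client would. The attacker value, the hostname example.com and the application shape (a Location header built from a request parameter) are constructed for the example.

```python
import re

# Constructed attacker-controlled value, as an application such as
# header("Location: " . $_GET["url"]) would receive it once the request's
# %0D has been decoded into a real carriage return.
CR_PAYLOAD = "http://example.com/\rSet-Cookie: session=attacker"


def lenient_header_check(value):
    """Mirror of the incomplete check described for CVE-2011-1398: a newline
    is refused, a bare carriage return is not. True means 'accepted'."""
    return "\n" not in value


def strict_header_check(value):
    """Hardened check: refuse CR, LF and NUL anywhere in a header value."""
    return not any(ch in value for ch in "\r\n\0")


def build_redirect(check, location):
    """Build the raw response head for a redirect; raise ValueError when
    check() rejects the Location value."""
    if not check(location):
        raise ValueError("header value contains a line terminator")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def header_names_seen_by_lenient_client(raw):
    """Parse the head the way the advisory says IE and Chrome did: CRLF,
    lone CR and lone LF all terminate a header line."""
    head = raw.split("\r\n\r\n", 1)[0]
    names = []
    for line in re.split(r"\r\n|\r|\n", head)[1:]:   # [0] is the status line
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip())
    return names


if __name__ == "__main__":
    raw = build_redirect(lenient_header_check, CR_PAYLOAD)
    print(header_names_seen_by_lenient_client(raw))  # Set-Cookie smuggled in
    try:
        build_redirect(strict_header_check, CR_PAYLOAD)
    except ValueError as err:
        print("strict check refused the value:", err)
```

The server side of this is the same bytes either way; what changes is whether the client sees two headers or one. That is why a header sanitiser has to reject every byte a receiving parser might treat as a terminator, not just the one the sender's own parser uses.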
   http://download.novell.com/patch/finder/?keywords=052a65bd8d851aef0dd6767bb9...
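The CVE-2011-4885 entry (predictable hash collisions in form parameters, mitigated by the new max_input_vars directive) is easiest to see with keys that really collide. The Python example below is added here and is neither part of the advisory nor PHP's own code: it implements PHP 5's DJBX33A string hash, generates keys that all hash alike, measures the comparisons a chained hash table spends inserting them, and models the max_input_vars cut-off (PHP's default is 1000, and it warns and stops reading further variables rather than failing the request). The toy table and the request bodies are constructed; PHP's array implementation is more elaborate but picks its bucket from the same hash.

```python
MASK64 = (1 << 64) - 1


def djbx33a(key):
    """PHP 5's zend_inline_hash_func: h = h * 33 + byte, seeded with 5381.
    Truncated to 64 bits here; bucket choice uses only the low bits, so the
    collisions below hold on 32-bit builds such as i586 as well."""
    h = 5381
    for b in key.encode():
        h = (h * 33 + b) & MASK64
    return h


def colliding_keys(n):
    """Return n distinct keys sharing one DJBX33A hash. The two-byte blocks
    'Ez' and 'FY' add the same amount (69*33+122 == 70*33+89 == 2399), so
    any same-length mixture of the two blocks collides with every other."""
    blocks = max(1, (n - 1).bit_length())   # 2**blocks >= n distinct mixtures
    return ["".join("Ez" if (i >> b) & 1 else "FY" for b in range(blocks))
            for i in range(n)]


def insert_cost(keys, buckets=1 << 16):
    """Insert keys into a chained table indexed by the low bits of DJBX33A
    and return the number of key comparisons made, i.e. the CPU the
    attacker buys with one request."""
    table = [[] for _ in range(buckets)]
    comparisons = 0
    for k in keys:
        chain = table[djbx33a(k) & (buckets - 1)]
        comparisons += len(chain)        # every existing entry gets compared
        if k not in chain:
            chain.append(k)
    return comparisons


def parse_form(body, max_input_vars=1000):
    """Parse an application/x-www-form-urlencoded body into (vars, truncated).
    Variables past max_input_vars are dropped and truncated is set, modelling
    the directive the advisory says was added for this issue."""
    parsed = {}
    pairs = [p for p in body.split("&") if p]
    for p in pairs[:max_input_vars]:
        name, _, value = p.partition("=")
        parsed[name] = value
    return parsed, len(pairs) > max_input_vars


if __name__ == "__main__":
    evil = colliding_keys(1000)
    benign = [f"field{i}" for i in range(1000)]
    print("distinct hashes among 1000 crafted keys:", len({djbx33a(k) for k in evil}))
    print("comparisons, crafted:", insert_cost(evil), " ordinary:", insert_cost(benign))
    body = "&".join(k + "=1" for k in colliding_keys(1500))   # constructed POST body
    parsed, truncated = parse_form(body)
    print("variables accepted:", len(parsed), " truncated:", truncated)
```

With 1000 colliding names the table performs 1000*999/2 comparisons for a single request, against a handful for 1000 ordinary names; the cost grows with the square of the variable count, which is what max_input_vars caps. The cap is a ceiling on work per request, not a fix for the hash function, so it still has to be paired with sane request-size limits at the web server.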