TTCSIRT-150.072718: TT-CSIRT Advisory – PHP Security Updates

PHP has released a security update stating that the following vulnerabilities have been found in PHP 7:

Ver 7.2.8

Bug #71848 – getimagesize with $imageinfo returns false
Bug #73342 – Vulnerability in php-fpm by changing stdin to non-blocking
Bug #74670 – Integer underflow when unserializing GMP and possible other classes
Bug #75231 – ReflectionProperty#getValue() incorrectly works with inherited classes
Bug #76409 – Heap use after free in _php_stream_free
Bug #76423 – Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
Bug #76459 – Windows linkinfo lacks openbasedir check
Bug #76461 – OPSYS_Z_CPM defined instead of OPSYS_CPM
Bug #76462 – Undefined property: DateInterval::$f
Bug #76477 – Opcache causes empty return value
Bug #76502 – Chain of mixed exceptions and errors does not serialize properly
Bug #76505 – array_merge_recursive() is duplicating sub-array keys
Bug #76520 – Object creation leaks memory when executed over HTTP
Bug #76532 – Integer overflow and excessive memory usage in mb_strimwidth
Bug #76534 – PHP hangs on ‘illegal string offset’ on string references with an error handler

Ver 7.1.20

Bug #71848 – getimagesize with $imageinfo returns false
Bug #73342 – Vulnerability in php-fpm by changing stdin to non-blocking
Bug #74670 – Integer Underflow when unserializing GMP and possible other classes
Bug #75231 – ReflectionProperty#getValue() incorrectly works with inherited classes
Bug #76423 – Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
Bug #76459 – Windows linkinfo lacks openbasedir check
Bug #76462 – Undefined property: DateInterval::$f
Bug #76502 – Chain of mixed exceptions and errors does not serialize properly
Bug #76505 – array_merge_recursive() is duplicating sub-array keys
Bug #76532 – Integer overflow and excessive memory usage in mb_strimwidth
Bug #76534 – PHP hangs on ‘illegal string offset’ on string references with an error handler
Bug #76536 – PHP crashes with core dump when throwing exception in error handler
Bug #76548 – pg_fetch_result did not fetch the next row
Bug #76556 – get_debug_info handler for BreakIterator shows wrong type
Bug #76557 – Heap-buffer-overflow (READ of size 48) while reading exif data

Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application.

Further information on these vulnerabilities and how they can be mitigated can be found on the TTCSIRT Website at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-083/