TTCSIRT-150.072718: TT-CSIRT Advisory – PHP Security Updates
PHP has released a security update stating that the following vulnerabilities have been found in PHP 7:
Ver 7.2.8
Bug #71848 – Getimagesize with $imageinfo returns false
Bug #73342 – Vulnerability in php-fpm by changing stdin to non-blocking
Bug #74670 – Integer underflow when unserializing GMP and possible other classes
Bug #75231 – ReflectionProperty#getValue() incorrectly works with inherited classes
Bug #76409 – Heap use after free in _php_stream_free
Bug #76423 – Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
Bug #76459 – Windows linkinfo lacks openbasedir check
Bug #76461 – OPSYS_Z_CPM defined instead of OPSYS_CPM
Bug #76462 – Undefined property: DateInterval::$f
Bug #76477 – Opcache causes empty return value
Bug #76502 – Chain of mixed exceptions and errors does not serialize properly
Bug #76505 – Array_merge_recursive() is duplicating sub-array keys
Bug #76520 – Object creation leaks memory when executed over HTTP
Bug #76532 – Integer overflow and excessive memory usage in mb_strimwidth
Bug #76534 – PHP hangs on ‘illegal string offset on string references with an error handler
Ver 7.1.20
Bug #71848 – getimagesize with $imageinfo returns false
Bug #73342 – Vulnerability in php-fpm by changing stdin to non-blocking
Bug #74670 – Integer Underflow when unserializing GMP and possible other classes
Bug #75231 – ReflectionProperty#getValue() incorrectly works with inherited classes
Bug #76423 – Int Overflow lead to Heap OverFlow in exif_thumbnail_extract of exif.c
Bug #76459 – windows linkinfo lacks openbasedir check
Bug #76462 – Undefined property: DateInterval::$f
Bug #76502 – Chain of mixed exceptions and errors does not serialize properly
Bug #76505 – array_merge_recursive() is duplicating sub-array keys
Bug #76532 – Integer overflow and excessive memory usage in mb_strimwidth
Bug #76534 – PHP hangs on ‘illegal string offset on string references with an error handler
Bug #76536 – PHP crashes with core dump when throwing exception in error handler
Bug #76548 – Pg_fetch_result did not fetch the next row
Bug #76556 – Get_debug_info handler for BreakIterator shows wrong type
Bug #76557 – Heap-buffer-overflow (READ of size 48) while reading exif data
Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application.
| Further information on these vulnerabilities and how they can be mitigated can be found on the TTCSIRT Website at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-083/ |