TTCSIRT-167.092018: TT-CSIRT Advisory – PHP Security Updates

PHP has released a security update stating that the following vulnerabilities have been discovered in PHP ver 7.2.10 & Version 7.1.22:

a) Bug #55146 – (iconv_mime_decode_headers() skips some headers)

b) Bug #60494 – (iconv_mime_decode does ignore special characters)

c) Bug #63839 – (iconv_mime_decode_headers function is skipping headers)

d) Bug #65988 – (Zlib version check fails when an include/zlib/ style dir is passed to the –with-zlib configure option)

e) Bug #68175 – (RegexIterator pregFlags are NULL instead of 0)

f) Bug #68180 – (iconv_mime_decode can return extra characters in a header)

g) Bug #68825 – (Exception in DirectoryIterator::getLinkTarget())

h) Bug #72443 – (Generate enabled extension)

i) Bug #74484 – (MessageFormatter::formatMessage memory corruption with 11+ named placeholders)

j) Bug #76517 – (incorrect restoring of LDFLAGS)

k) Bug #76582 – (Apache bucket brigade sometimes becomes invalid)

l) Bug #76595 – (phpdbg man page contains outdated information)

m) Bug #76704 – (mb_detect_order return value varies based on argument type)

n) Bug #76705 – (unusable ssl => peer_fingerprint in stream_context_create())

o) Bug #76709 – (Minimal required zlib library is 1.2.0.4)

p) Bug #76747 – (Opcache treats path containing “test.pharma.tld” as a phar file)

q) Bug #76754 – (parent private constant in extends class memory leak)

r) Bug #76777 – (“public id” parameter of libxml_set_external_entity_loader callback undefined)

s) Bug #76778 – (array_reduce leaks memory if callback throws exception)

Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application.