TTCSIRT-195.011119: TT-CSIRT Advisory – PHP Security Updates

PHP has released security updates addressing the following bugs. The fixes are included in the following versions of PHP:

Version 5.6.40

Bug #77242 (heap out of bounds read in xmlrpc_decode()).
Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
Bug #77370 (buffer overflow on mb regex functions – fetch_token).
Bug #77371 (heap buffer overflow in mb regex functions – compile_string_node).
Bug #77380 (global out of bounds read in xmlrpc base64 code).
Bug #77381 (heap buffer overflow in multibyte match_at).
Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
Bug #77385 (buffer overflow in fetch_token).
Bug #77394 (buffer overflow in multibyte case folding – unicode).
Bug #77418 (heap overflow in utf32be_mbc_to_code).

Version 7.1.26

Bug #77020 (null pointer dereference in imap_mail).
Bug #77242 (heap out of bounds read in xmlrpc_decode()).
Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
Bug #77369 (memcpy with negative length via crafted DNS response).
Bug #77370 (buffer overflow on mb regex functions – fetch_token).
Bug #77371 (heap buffer overflow in mb regex functions – compile_string_node).
Bug #77380 (global out of bounds read in xmlrpc base64 code).
Bug #77381 (heap buffer overflow in multibyte match_at).
Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
Bug #77385 (buffer overflow in fetch_token).
Bug #77394 (buffer overflow in multibyte case folding – unicode).
Bug #77418 (heap overflow in utf32be_mbc_to_code).

Version 7.2.14

Bug #71041 (zend_signal_startup() needs ZEND_API).
Bug #76046 (PHP generates “FE_FREE” opcode on the wrong line).
Bug #76804 (oci_pconnect with OCI_CRED_EXT not working).
Bug #77020 (null pointer dereference in imap_mail).
Bug #77051 (Issue with re-binding on SQLite3).
Bug #77097 (DateTime::diff gives wrong diff when the actual diff is less than 1 second).
Bug #77136 (Unsupported IPV6_RECVPKTINFO constants on macOS).
Bug #77177 (serializing or unserializing COM objects crashes).
Bug #77184 (unsigned rational numbers are written out as signed rationals).
Bug #77195 (incorrect error handling of imagecreatefromjpeg()).
Bug #77198 (auto cropping has insufficient precision).
Bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
Bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block).
Bug #77242 (heap out of bounds read in xmlrpc_decode()).
Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
Bug #77369 (memcpy with negative length via crafted DNS response).
Bug #77370 (buffer overflow on mb regex functions – fetch_token).
Bug #77371 (heap buffer overflow in mb regex functions – compile_string_node).
Bug #77380 (global out of bounds read in xmlrpc base64 code).
Bug #77381 (heap buffer overflow in multibyte match_at).
Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
Bug #77385 (buffer overflow in fetch_token).
Bug #77394 (buffer overflow in multibyte case folding – unicode).
Bug #77418 (heap overflow in utf32be_mbc_to_code).

Version 7.3.1

Bug #71041 (zend_signal_startup() needs ZEND_API).
Bug #76046 (PHP generates “FE_FREE” opcode on the wrong line).
Bug #76654 (build failure on Mac OS X on 32-bit Intel).
Bug #76804 (oci_pconnect with OCI_CRED_EXT not working).
Bug #77051 (Issue with re-binding on SQLite3).
Bug #77088 (segfault when using SoapClient with null options).
Bug #77136 (unsupported IPV6_RECVPKTINFO constants on macOS).
Bug #77177 (serializing or unserializing COM objects crashes).
Bug #77184 (unsigned rational numbers are written out as signed rationals).
Bug #77193 (infinite loop in preg_replace_callback).
Bug #77195 (incorrect error handling of imagecreatefromjpeg()).
Bug #77198 (auto cropping has insufficient precision).
Bug #77200 (imagecropauto(…, GD_CROP_SIDES) crops left but not right).
Bug #77215 (CFG assertion failure on multiple finalizing switch frees in one block).
Bug #77242 (heap out of bounds read in xmlrpc_decode()).
Bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext).
Bug #77264 (curl_getinfo returning microseconds not seconds).
Bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free).
Bug #77270 (imagecolormatch Out Of Bounds Write on Heap).
Bug #77275 (OPcache optimization problem for ArrayAccess->offsetGet).
Bug #77291 (magic methods inherited from a trait may be ignored).
Bug #77297 (SodiumException segfaults on PHP 7.3).
Bug #77359 (spl_autoload causes segfault).
Bug #77360 (class_uses causes segfault).
Bug #77367 (negative size parameter in mb_split).
Bug #77370 (buffer overflow on mb regex functions – fetch_token).
Bug #77371 (heap buffer overflow in mb regex functions – compile_string_node).
Bug #77380 (global out of bounds read in xmlrpc base64 code).
Bug #77381 (heap buffer overflow in multibyte match_at).
Bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string).
Bug #77385 (buffer overflow in fetch_token).
Bug #77394 (buffer overflow in multibyte case folding – unicode).
Bug #77418 (heap overflow in utf32be_mbc_to_code).

Further information on these vulnerabilities and how they can be mitigated can be found at https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2019-005/
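As an added defender's check, not part of the advisory or of the PHP project, the following Python script compares a host's PHP version against the fixed release of its branch listed above. It assumes `php` is on the PATH when run as a script; otherwise it falls back to a constructed sample of `php -v` output.

```python
import re
import subprocess

# First release of each PHP branch that contains the fixes listed in this
# advisory (taken from the version headings above).
FIXED_RELEASES = {
    (5, 6): (5, 6, 40),
    (7, 1): (7, 1, 26),
    (7, 2): (7, 2, 14),
    (7, 3): (7, 3, 1),
}

# Matches the leading "PHP X.Y.Z" of the first line printed by `php -v`.
VERSION_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_php_version(php_v_output):
    """Extract (major, minor, patch) from `php -v` output."""
    m = VERSION_RE.search(php_v_output)
    if not m:
        raise ValueError("could not find a PHP version in the supplied output")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Return 'patched', 'vulnerable' or 'unlisted' for a (major, minor, patch) tuple.

    'unlisted' means the advisory names no fixed release for that branch, so
    this check cannot say anything about it.
    """
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unlisted"
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample of `php -v` output for the demonstration; not captured from a real host.
SAMPLE_PHP_V = (
    "PHP 7.2.12 (cli) (built: Nov  8 2018 12:34:56) ( NTS )\n"
    "Copyright (c) 1997-2018 The PHP Group\n"
    "Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\n"
)

if __name__ == "__main__":
    try:
        out = subprocess.run(["php", "-v"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_PHP_V  # php not installed or failed: use the constructed sample
    ver = parse_php_version(out)
    print("PHP %d.%d.%d: %s" % (ver + (assess(ver),)))
```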