Greetings all,
I have finished preparing an LTS upload of php5 (5.4.45-0+deb7u7) and
your assistance with testing these packages before upload would be most
welcome. Please try these out and let me know if you encounter any
issues.
Here are the relevant links:
.changes file:
https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.changes
build log:
https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7_amd64.build
source:
https://people.debian.org/~roberto/php5_5.4.45-0+deb7u7.dsc
debdiff against previous version:
https://people.debian.org/~roberto/php5_5.4.45-0+deb7u6_5.4.45-0+deb7u7.diff
Here is the advisory text I plan to publish after the upload:
**********************************************************************
*DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT*
**********************************************************************
Package : php5
Version : 5.4.45-0+deb7u7
CVE ID : CVE-2016-2554 CVE-2016-3141 CVE-2016-3142 CVE-2016-4342
CVE-2016-9934 CVE-2016-9935 CVE-2016-10158
CVE-2016-10159 CVE-2016-10160 CVE-2016-10161
PHP-Bugs : 71323 70979 71039 71459 71391 71335
Several issues have been discovered in PHP (recursive acronym for PHP:
Hypertext Preprocessor), a widely-used open source general-purpose
scripting language that is especially suited for web development and can
be embedded into HTML.
* CVE-2016-2554
Stack-based buffer overflow in ext/phar/tar.c allows remote
attackers to cause a denial of service (application crash) or
possibly have unspecified other impact via a crafted TAR archive.
* CVE-2016-3141
Use-after-free vulnerability in wddx.c in the WDDX extension allows
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact by
triggering a wddx_deserialize call on XML data containing a crafted
var element.
* CVE-2016-3142
The phar_parse_zipfile function in zip.c in the PHAR extension in
PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to
obtain sensitive information from process memory or cause a denial
of service (out-of-bounds read and application crash) by placing a
PK\x05\x06 signature at an invalid location.
* CVE-2016-4342
ext/phar/phar_object.c in PHP before 5.5.32, 5.6.x before 5.6.18,
and 7.x before 7.0.3 mishandles zero-length uncompressed data, which
allows remote attackers to cause a denial of service (heap memory
corruption) or possibly have unspecified other impact via a crafted
(1) TAR, (2) ZIP, or (3) PHAR archive.
* CVE-2016-9934
ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows
remote attackers to cause a denial of service (NULL pointer
dereference) via crafted serialized data in a wddxPacket XML
document, as demonstrated by a PDORow string.
* CVE-2016-9935
The php_wddx_push_element function in ext/wddx/wddx.c in PHP before
5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a
denial of service (out-of-bounds read and memory corruption) or
possibly have unspecified other impact via an empty boolean element
in a wddxPacket XML document.
* CVE-2016-10158
The exif_convert_any_to_int function in ext/exif/exif.c in PHP
before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows
remote attackers to cause a denial of service (application crash)
via crafted EXIF data that triggers an attempt to divide the minimum
representable negative integer by -1.
* CVE-2016-10159
Integer overflow in the phar_parse_pharfile function in
ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
remote attackers to cause a denial of service (memory consumption or
application crash) via a truncated manifest entry in a PHAR archive.
* CVE-2016-10160
Off-by-one error in the phar_parse_pharfile function in
ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows
remote attackers to cause a denial of service (memory corruption) or
possibly execute arbitrary code via a crafted PHAR archive with an
alias mismatch.
* CVE-2016-10161
The object_common1 function in ext/standard/var_unserializer.c in
PHP before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1
allows remote attackers to cause a denial of service (buffer
over-read and application crash) via crafted serialized data that is
mishandled in a finish_nested_data call.
* BUG-71323.patch
Output of stream_get_meta_data can be falsified by its input
* BUG-70979.patch
Crash on bad SOAP request
* BUG-71039.patch
exec functions ignore length but look for NULL termination
* BUG-71459.patch
Integer overflow in iptcembed()
* BUG-71391.patch
NULL Pointer Dereference in phar_tar_setupmetadata()
* BUG-71335.patch
Type confusion vulnerability in WDDX packet deserialization
For Debian 7 "Wheezy", these problems have been fixed in version
5.4.45-0+deb7u7.
We recommend that you upgrade your php5 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
**********************************************************************
*DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT**DRAFT*
**********************************************************************
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
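As an added example that is not part of the announcement above or of the Debian php5 packaging: a small script to check whether the php5 binary packages on a Wheezy host are at or above the fixed version 5.4.45-0+deb7u7 named in the draft advisory. The normal way to do this is `dpkg --compare-versions`; the script reimplements the Debian version-ordering rules (Debian Policy section 5.6.12, the same algorithm dpkg applies) so the comparison can also run where dpkg is absent, for instance when evaluating inventory exports offline. The dpkg-query output embedded at the bottom is constructed for the example, not captured from a real system.

```python
"""Decide whether installed php5 packages carry the fixed LTS version.

Added example (not Debian's code). Reimplements the Debian version-comparison
algorithm from Debian Policy 5.6.12, which is what `dpkg --compare-versions`
applies, so the check can run without dpkg being installed.
"""
import re

FIXED_VERSION = "5.4.45-0+deb7u7"  # from the draft advisory text above


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit run (mirrors dpkg's order())."""
    if c == "~":
        return -1          # tilde sorts before everything, even the end of the string
    if c == "":
        return 0           # end of the run
    if c.isalpha():
        return ord(c)      # letters sort before non-letters ...
    return ord(c) + 256    # ... which are pushed past the whole alphabet


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string: alternating non-digit and digit runs."""
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        ia, ib = int(da or "0"), int(db or "0")   # digit runs compare numerically
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    head, sep, tail = version.rpartition("-")   # the LAST hyphen starts the revision
    if sep:
        return epoch, head, tail
    return epoch, version, ""


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_VERSION) -> bool:
    return compare_versions(installed, fixed) >= 0


def check_dpkg_query_output(output: str, fixed: str = FIXED_VERSION) -> dict:
    """Map each 'package<TAB>version' line of dpkg-query output to True (fixed) / False."""
    result = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        pkg, _, ver = line.partition("\t")
        result[pkg] = is_fixed(ver.strip(), fixed)
    return result


# Constructed sample (not captured from a real host) in the format produced by:
#   dpkg-query -W -f='${Package}\t${Version}\n' 'php5*'
# The third line shows the tilde rule: a "~bpo" backport sorts BELOW the fixed version.
SAMPLE_DPKG_OUTPUT = (
    "php5\t5.4.45-0+deb7u6\n"
    "php5-cli\t5.4.45-0+deb7u7\n"
    "php5-common\t5.4.45-0+deb7u7~bpo70+1\n"
)

if __name__ == "__main__":
    for pkg, ok in check_dpkg_query_output(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg}: {'fixed' if ok else 'NOT fixed'}")
```

On a live host, pipe the real `dpkg-query -W -f='${Package}\t${Version}\n' 'php5*'` output into check_dpkg_query_output; every php5 binary package is built from the same source and should report the same version once the upgrade has been applied, so a mixed result points at a partially applied update.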