[arch-security] [ASA-201609-16] php: multiple issues
Arch Linux Security Advisory ASA-201609-16
==========================================

Severity: Critical
Date    : 2016-09-18
CVE-ID  : CVE-2016-7411 CVE-2016-7412 CVE-2016-7413 CVE-2016-7414 CVE-2016-7416 CVE-2016-7417 CVE-2016-7418
Package : php
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package php before version 7.0.11-1 is vulnerable to multiple issues that can lead to arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 7.0.11-1.

# pacman -Syu "php>=7.0.11-1"

The problems have been fixed upstream in version 7.0.11.

Workaround
==========

None.

Description
===========

- CVE-2016-7411 (arbitrary code execution)

A memory corruption vulnerability was found in PHP's unserialize method; it is triggered during destruction of the deserialized object.

- CVE-2016-7412 (arbitrary code execution)

PHP's mysqlnd extension assumes that the `flags` returned for a BIT field necessarily contain UNSIGNED_FLAG. This is not guaranteed: a malicious MySQL server, or a man-in-the-middle attacker, can return field metadata for BIT fields that lacks UNSIGNED_FLAG, which leads to a heap overflow.

- CVE-2016-7413 (arbitrary code execution)

When WDDX tries to deserialize a "recordset" element, a use-after-free occurs if the closing tag for the field is not found. This happens only when field names are set.

- CVE-2016-7414 (arbitrary code execution)

The entry.uncompressed_filesize* method does not properly verify its input parameters. An attacker can create a signature.bin with a size of less than 8; when this value is passed to phar_verify_signature as sig_len, a heap buffer overflow occurs.

- CVE-2016-7416 (arbitrary code execution)

A large locale string causes a stack-based overflow inside libicu.

- CVE-2016-7417 (insufficient validation)

The return value of spl_array_get_hash_table is not properly checked before it is used in spl_array_get_dimension_ptr_ptr.

- CVE-2016-7418 (denial of service)

An attacker can trigger an out-of-bounds read in php_wddx_push_element of wddx.c. A DoS (NULL pointer dereference) can be triggered in the wddx_deserialize function by providing a maliciously crafted XML string.

Impact
======

A remote attacker can execute arbitrary code or cause a denial of service on the affected host through different attack vectors.

References
==========

http://www.openwall.com/lists/oss-security/2016/09/15/10
https://bugs.php.net/bug.php?id=73052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7411
https://bugs.php.net/bug.php?id=72293
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7412
https://bugs.php.net/bug.php?id=72860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7413
https://bugs.php.net/bug.php?id=72928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7414
https://bugs.php.net/bug.php?id=73007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7416
https://bugs.php.net/bug.php?id=73029
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7417
https://bugs.php.net/bug.php?id=73065
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7418
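The Resolution section gives one fixed version, 7.0.11-1, and the check a fleet administrator actually wants is "is the installed php older than that?". The script below is an added example, not part of the advisory or of the Arch tooling: it parses `pacman -Q php` style output (the sample lines are constructed) and compares Arch package versions of the form `[epoch:]pkgver-pkgrel` with a simplified version of pacman's ordering (epoch first, then pkgver, then pkgrel, numeric segments compared as integers). The helper names and the sample data are this example's own.

```python
"""Flag hosts whose installed php package predates the fix in ASA-201609-16.

Added example, not part of the advisory.  Reads lines in the format that
`pacman -Q php` prints ("name version") and compares against the fixed
version from the advisory's Resolution section.
"""
import re

FIXED_VERSION = "7.0.11-1"  # from the advisory: first non-vulnerable package

# Constructed sample output, one "pacman -Q php" line per host being checked.
SAMPLE_PACMAN_Q = [
    "php 7.0.10-1",    # older pkgver            -> vulnerable
    "php 7.0.11-1",    # exactly the fixed build -> ok
    "php 7.0.9-2",     # 9 < 11 numerically      -> vulnerable
    "php 1:7.1.0-1",   # higher epoch wins       -> ok
]


def parse_arch_version(version):
    """Split '[epoch:]pkgver-pkgrel' into (epoch, pkgver, pkgrel).

    epoch defaults to 0 when absent; pkgrel defaults to '0' when absent.
    """
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, sep, pkgrel = version.rpartition("-")
    if not sep:
        pkgver, pkgrel = version, "0"
    return epoch, pkgver, pkgrel


def _segments(text):
    """Tokenise a version string so that numeric runs compare as integers.

    Each token becomes a tuple whose first element orders alpha runs before
    numeric runs (as pacman's vercmp does) and keeps the list comparable.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", text)
    return [(1, int(t)) if t.isdigit() else (0, t) for t in tokens]


def version_key(version):
    """Sort key reproducing the epoch > pkgver > pkgrel precedence."""
    epoch, pkgver, pkgrel = parse_arch_version(version)
    return (epoch, _segments(pkgver), _segments(pkgrel))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts strictly before the fixed one."""
    return version_key(installed) < version_key(fixed)


def check_pacman_output(lines, package="php", fixed=FIXED_VERSION):
    """Return (installed_version, vulnerable) for `package`, or None if absent."""
    for line in lines:
        name, _, version = line.strip().partition(" ")
        if name == package and version:
            return version, is_vulnerable(version, fixed)
    return None


if __name__ == "__main__":
    for line in SAMPLE_PACMAN_Q:
        version, vulnerable = check_pacman_output([line])
        status = "UPGRADE NEEDED (pacman -Syu \"php>=7.0.11-1\")" if vulnerable else "ok"
        print(f"php {version}: {status}")
```

Feed it real output with `pacman -Q php | python3 check_php_asa.py` after swapping the sample list for `sys.stdin`; the numeric tokenising matters because a plain string comparison would wrongly rank 7.0.9 above 7.0.11.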
participants (1)
-
Levente Polyak