[arch-security] [ASA-201601-10] php: multiple issues

Levente Polyak anthraxx at archlinux.org
Thu Jan 14 21:32:39 UTC 2016 

Arch Linux Security Advisory ASA-201601-10
==========================================

Severity: Medium
Date    : 2016-01-14
CVE-ID  : CVE-2016-1903 CVE-2016-1904
Package : php
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package php before version 7.0.2-1 is vulnerable to multiple issues
including information disclosure and heap buffer overflow that is
leading to denial of service or possibly arbitrary code execution.

Resolution
==========

Upgrade to 7.0.2-1.

# pacman -Syu "php>=7.0.2-1"

The problems have been fixed upstream in version 7.0.2.

Workaround
==========

None.

Description
===========

- CVE-2016-1903 (information disclosure)

An out-of-bounds vulnerability has been discovered in
ext/gd/libgd/gd_interpolation.c in the gdImageRotateInterpolated
function. The background color of an image is passed in as an integer
that represents an index to the color palette. As there is a lack of
validation of that parameter, one can pass in a large number that
exceeds the color palette array. This reads memory beyond the color
palette. Information of the memory leak can then be obtained via the
background color after the image has been rotated.

- CVE-2016-1904 (arbitrary code execution)

A not further specified integer overflow vulnerability has been
discovered in ext/standard/exec.c (in the php_escape_shell_cmd function
and the php_escape_shell_arg function). This issue results in a heap
buffer overflow that is leading to a denial of service or possibly
arbitrary code execution.

Impact
======

A remote attacker is able to disclose information via a memory leak,
perform a denial of service attack or possibly execute arbitrary code.

References
==========

http://seclists.org/oss-sec/2016/q1/100
https://secure.php.net/ChangeLog-7.php#7.0.2
https://bugs.php.net/bug.php?id=70976
https://github.com/php/php-src/commit/2871c70efaaaa0f

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160114/eb43b586/attachment.asc>

More information about the arch-security mailing list