Multiple vulnerabilities has been discovered and corrected in php:
It was discovered that the file utility contains a flaw in the handling
of indirect magic rules in the libmagic library, which leads to an
infinite recursion when trying to determine the file type of certain
files (CVE-2014-1943).
A flaw was found in the way the file utility determined the type of
Portable Executable (PE) format files, the executable format used on
Windows. A malicious PE file could cause the file utility to crash or,
potentially, execute arbitrary code (CVE-2014-2270).
The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards
with unlimited repetitions, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via a crafted ASCII
file that triggers a large amount of backtracking, as demonstrated
via a file with many newline characters (CVE-2013-7345).
PHP FPM in PHP versions before 5.4.28 and 5.5.12 uses a UNIX domain
socket with world-writable permissions by default, which allows any
local user to connect to it and execute PHP scripts as the apache user
(CVE-2014-0185).
A flaw was found in the way file’s Composite Document Files (CDF)
format parser handle CDF files with many summary info entries.
The cdf_unpack_summary_info() function unnecessarily repeatedly read
the info from the same offset. This led to many file_printf() calls in
cdf_file_property_info(), which caused file to use an excessive amount
of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files. A property entry with 0 elements
triggers an infinite loop (CVE-2014-0238).
The unserialize() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue related to the SPL ArrayObject and SPLObjectStorage
Types (CVE-2014-3515).
It was discovered that PHP is vulnerable to a heap-based buffer
overflow in the DNS TXT record parsing. A malicious server or
man-in-the-middle attacker could possibly use this flaw to execute
arbitrary code as the PHP interpreter if a PHP application uses
dns_get_record() to perform a DNS query (CVE-2014-4049).
A flaw was found in the way file parsed property information from
Composite Document Files (CDF) files, where the mconvert() function did
not correctly compute the truncated pascal string size (CVE-2014-3478).
Multiple flaws were found in the way file parsed property information
from Composite Document Files (CDF) files, due to insufficient boundary
checks on buffers (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480,
CVE-2014-3487).
The phpinfo() function in PHP before 5.4.30 and 5.5.14 has a Type
Confusion issue that can cause it to leak arbitrary process memory
(CVE-2014-4721).
Use-after-free vulnerability in ext/spl/spl_array.c in the SPL
component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact via
crafted ArrayIterator usage within applications in certain web-hosting
environments (CVE-2014-4698).
Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL
component in PHP through 5.5.14 allows context-dependent attackers to
cause a denial of service or possibly have unspecified other impact
via crafted iterator usage within applications in certain web-hosting
environments (CVE-2014-4670).
file before 5.19 does not properly restrict the amount of data read
during a regex search, which allows remote attackers to cause a
denial of service (CPU consumption) via a crafted file that triggers
backtracking during processing of an awk rule, due to an incomplete
fix for CVE-2013-7345 (CVE-2014-3538).
Integer overflow in the cdf_read_property_info function in cdf.c
in file through 5.19, as used in the Fileinfo component in PHP
before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to
cause a denial of service (application crash) via a crafted CDF
file. NOTE: this vulnerability exists because of an incomplete fix
for CVE-2012-1571 (CVE-2014-3587).
Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash)
or possibly execute arbitrary code via a crafted DNS record, related
to the dns_get_record function and the dn_expand function. NOTE:
this issue exists because of an incomplete fix for CVE-2014-4049
(CVE-2014-3597).
An integer overflow flaw in PHP’s unserialize() function was
reported. If unserialize() were used on untrusted data, this
issue could lead to a crash or potentially information disclosure
(CVE-2014-3669).
A heap corruption issue was reported in PHP’s exif_thumbnail()
function. A specially-crafted JPEG image could cause the PHP
interpreter to crash or, potentially, execute arbitrary code
(CVE-2014-3670).
If client-supplied input was passed to PHP’s cURL client as a URL to
download, it could return local files from the server due to improper
handling of null bytes (PHP#68089).
An out-of-bounds read flaw was found in file’s donote() function in the
way the file utility determined the note headers of a elf file. This
could possibly lead to file executable crash (CVE-2014-3710).
A use-after-free flaw was found in PHP unserialize(). An untrusted
input could cause PHP interpreter to crash or, possibly, execute
arbitrary code when processed using unserialize() (CVE-2014-8142).
Double free vulnerability in the zend_ts_hash_graceful_destroy function
in zend_ts_hash.c in the Zend Engine in PHP before 5.5.21 allows remote
attackers to cause a denial of service or possibly have unspecified
other impact via unknown vectors (CVE-2014-9425).
sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when
mmap is used to read a .php file, does not properly consider the
mapping’s length during processing of an invalid file that begins
with a # character and lacks a newline character, which causes an
out-of-bounds read and might allow remote attackers to obtain sensitive
information from php-cgi process memory by leveraging the ability to
upload a .php file or trigger unexpected code execution if a valid
PHP script is present in memory locations adjacent to the mapping
(CVE-2014-9427).
Use after free vulnerability in unserialize() in PHP before 5.5.21
(CVE-2015-0231).
Free called on an uninitialized pointer in php-exif in PHP before
5.5.21 (CVE-2015-0232).
The readelf.c source file has been removed from PHP’s bundled copy of
file’s libmagic, eliminating exposure to denial of service issues in
ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620
and CVE-2014-9621 in PHP’s fileinfo module.
S. Paraschoudis discovered that PHP incorrectly handled memory in
the enchant binding. A remote attacker could use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2014-9705).
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code
(CVE-2015-0273).
It was discovered that PHP incorrectly handled memory in the phar
extension. A remote attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code (CVE-2015-2301).
Use-after-free vulnerability in the process_nested_data function in
ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before
5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute
arbitrary code via a crafted unserialize call that leverages improper
handling of duplicate numerical keys within the serialized properties
of an object. NOTE: this vulnerability exists because of an incomplete
fix for CVE-2014-8142 (CVE-2015-0231).
The exif_process_unicode function in ext/exif/exif.c in PHP before
5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote
attackers to execute arbitrary code or cause a denial of service
(uninitialized pointer free and application crash) via crafted EXIF
data in a JPEG image (CVE-2015-0232).
An integer overflow flaw, leading to a heap-based buffer overflow,
was found in the way libzip, which is embedded in PHP, processed
certain ZIP archives. If an attacker were able to supply a specially
crafted ZIP archive to an application using libzip, it could cause
the application to crash or, possibly, execute arbitrary code
(CVE-2015-2331).
It was discovered that the PHP opcache component incorrectly handled
memory. A remote attacker could possibly use this issue to cause
PHP to crash, resulting in a denial of service, or possibly execute
arbitrary code (CVE-2015-1351).
It was discovered that the PHP PostgreSQL database extension
incorrectly handled certain pointers. A remote attacker could possibly
use this issue to cause PHP to crash, resulting in a denial of service,
or possibly execute arbitrary code (CVE-2015-1352).
PHP contains a bundled copy of the file utility’s libmagic library,
so it was vulnerable to the libmagic issues.
The updated php packages have been patched and upgraded to the 5.5.23
version which is not vulnerable to these issues. The libzip packages
has been patched to address the CVE-2015-2331 flaw.
A bug in the php zip extension that could cause a crash has been fixed
(mga#13820)
Additionally the jsonc and timezonedb packages has been upgraded to
the latest versions and the PECL packages which requires so has been
rebuilt for php-5.5.23.