Operating System:

[RedHat]

Published:

07 November 2016

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2016.2622 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2622
                 Moderate: php security and bug fix update
                              7 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           php
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5768 CVE-2016-5767 CVE-2016-5766
                   CVE-2016-5399  

Reference:         ESB-2016.2574
                   ESB-2016.2454
                   ESB-2016.1820
                   ESB-2016.1757
                   ESB-2016.1747

Original Bulletin: 
   https://rhn.redhat.com/errata/RHSA-2016-2598.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: php security and bug fix update
Advisory ID:       RHSA-2016:2598-02
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2016-2598.html
Issue date:        2016-11-03
CVE Names:         CVE-2016-5399 CVE-2016-5766 CVE-2016-5767 
                   CVE-2016-5768 
=====================================================================

1. Summary:

An update for php is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

Security Fix(es):

* A flaw was found in the way certain error conditions were handled by
bzread() function in PHP. An attacker could use this flaw to upload a
specially crafted bz2 archive which, when parsed via the vulnerable
function, could cause the application to crash or execute arbitrary code
with the permissions of the user running the PHP application.
(CVE-2016-5399)

* An integer overflow flaw, leading to a heap-based buffer overflow was
found in the imagecreatefromgd2() function of PHP's gd extension. A remote
attacker could use this flaw to crash a PHP application or execute
arbitrary code with the privileges of the user running that PHP application
using gd via a specially crafted GD2 image. (CVE-2016-5766)

* An integer overflow flaw, leading to a heap-based buffer overflow was
found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A
remote attacker could use this flaw to crash a PHP application or execute
arbitrary code with the privileges of the user running that PHP application
using gd via a specially crafted image buffer. (CVE-2016-5767)

* A double free flaw was found in the mb_ereg_replace_callback() function
of php which is used to perform regex search. This flaw could possibly
cause a PHP application to crash. (CVE-2016-5768)

Red Hat would like to thank Hans Jerry Illikainen for reporting
CVE-2016-5399.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted
for the update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1073388 - ext/openssl: default_md algo is MD5
1131979 - Segfault running ZendFramework test suite (php_wddx_serialize_var)
1289457 - httpd segfault in php_module_shutdown when opcache loaded twice
1291667 - No TLS1.1 or TLS1.2 support for php curl module
1297179 - PHP crashes with [core:notice] [pid 3864] AH00052: child pid 95199 exit signal Segmentation fault (11)
1344578 - Segmentation fault while header_register_callback
1351068 - CVE-2016-5766 gd: Integer Overflow in _gd2GetHeader() resulting in heap overflow
1351069 - CVE-2016-5767 gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
1351168 - CVE-2016-5768 php: Double free in _php_mb_regex_ereg_replace_exec
1358395 - CVE-2016-5399 php: Improper error handling in bzread()

6. Package List:

Red Hat Enterprise Linux Client Optional (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

aarch64:
php-5.4.16-42.el7.aarch64.rpm
php-cli-5.4.16-42.el7.aarch64.rpm
php-common-5.4.16-42.el7.aarch64.rpm
php-debuginfo-5.4.16-42.el7.aarch64.rpm
php-gd-5.4.16-42.el7.aarch64.rpm
php-ldap-5.4.16-42.el7.aarch64.rpm
php-mysql-5.4.16-42.el7.aarch64.rpm
php-odbc-5.4.16-42.el7.aarch64.rpm
php-pdo-5.4.16-42.el7.aarch64.rpm
php-pgsql-5.4.16-42.el7.aarch64.rpm
php-process-5.4.16-42.el7.aarch64.rpm
php-recode-5.4.16-42.el7.aarch64.rpm
php-soap-5.4.16-42.el7.aarch64.rpm
php-xml-5.4.16-42.el7.aarch64.rpm
php-xmlrpc-5.4.16-42.el7.aarch64.rpm

ppc64:
php-5.4.16-42.el7.ppc64.rpm
php-cli-5.4.16-42.el7.ppc64.rpm
php-common-5.4.16-42.el7.ppc64.rpm
php-debuginfo-5.4.16-42.el7.ppc64.rpm
php-gd-5.4.16-42.el7.ppc64.rpm
php-ldap-5.4.16-42.el7.ppc64.rpm
php-mysql-5.4.16-42.el7.ppc64.rpm
php-odbc-5.4.16-42.el7.ppc64.rpm
php-pdo-5.4.16-42.el7.ppc64.rpm
php-pgsql-5.4.16-42.el7.ppc64.rpm
php-process-5.4.16-42.el7.ppc64.rpm
php-recode-5.4.16-42.el7.ppc64.rpm
php-soap-5.4.16-42.el7.ppc64.rpm
php-xml-5.4.16-42.el7.ppc64.rpm
php-xmlrpc-5.4.16-42.el7.ppc64.rpm

ppc64le:
php-5.4.16-42.el7.ppc64le.rpm
php-cli-5.4.16-42.el7.ppc64le.rpm
php-common-5.4.16-42.el7.ppc64le.rpm
php-debuginfo-5.4.16-42.el7.ppc64le.rpm
php-gd-5.4.16-42.el7.ppc64le.rpm
php-ldap-5.4.16-42.el7.ppc64le.rpm
php-mysql-5.4.16-42.el7.ppc64le.rpm
php-odbc-5.4.16-42.el7.ppc64le.rpm
php-pdo-5.4.16-42.el7.ppc64le.rpm
php-pgsql-5.4.16-42.el7.ppc64le.rpm
php-process-5.4.16-42.el7.ppc64le.rpm
php-recode-5.4.16-42.el7.ppc64le.rpm
php-soap-5.4.16-42.el7.ppc64le.rpm
php-xml-5.4.16-42.el7.ppc64le.rpm
php-xmlrpc-5.4.16-42.el7.ppc64le.rpm

s390x:
php-5.4.16-42.el7.s390x.rpm
php-cli-5.4.16-42.el7.s390x.rpm
php-common-5.4.16-42.el7.s390x.rpm
php-debuginfo-5.4.16-42.el7.s390x.rpm
php-gd-5.4.16-42.el7.s390x.rpm
php-ldap-5.4.16-42.el7.s390x.rpm
php-mysql-5.4.16-42.el7.s390x.rpm
php-odbc-5.4.16-42.el7.s390x.rpm
php-pdo-5.4.16-42.el7.s390x.rpm
php-pgsql-5.4.16-42.el7.s390x.rpm
php-process-5.4.16-42.el7.s390x.rpm
php-recode-5.4.16-42.el7.s390x.rpm
php-soap-5.4.16-42.el7.s390x.rpm
php-xml-5.4.16-42.el7.s390x.rpm
php-xmlrpc-5.4.16-42.el7.s390x.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
php-bcmath-5.4.16-42.el7.aarch64.rpm
php-dba-5.4.16-42.el7.aarch64.rpm
php-debuginfo-5.4.16-42.el7.aarch64.rpm
php-devel-5.4.16-42.el7.aarch64.rpm
php-embedded-5.4.16-42.el7.aarch64.rpm
php-enchant-5.4.16-42.el7.aarch64.rpm
php-fpm-5.4.16-42.el7.aarch64.rpm
php-intl-5.4.16-42.el7.aarch64.rpm
php-mbstring-5.4.16-42.el7.aarch64.rpm
php-mysqlnd-5.4.16-42.el7.aarch64.rpm
php-pspell-5.4.16-42.el7.aarch64.rpm
php-snmp-5.4.16-42.el7.aarch64.rpm

ppc64:
php-bcmath-5.4.16-42.el7.ppc64.rpm
php-dba-5.4.16-42.el7.ppc64.rpm
php-debuginfo-5.4.16-42.el7.ppc64.rpm
php-devel-5.4.16-42.el7.ppc64.rpm
php-embedded-5.4.16-42.el7.ppc64.rpm
php-enchant-5.4.16-42.el7.ppc64.rpm
php-fpm-5.4.16-42.el7.ppc64.rpm
php-intl-5.4.16-42.el7.ppc64.rpm
php-mbstring-5.4.16-42.el7.ppc64.rpm
php-mysqlnd-5.4.16-42.el7.ppc64.rpm
php-pspell-5.4.16-42.el7.ppc64.rpm
php-snmp-5.4.16-42.el7.ppc64.rpm

ppc64le:
php-bcmath-5.4.16-42.el7.ppc64le.rpm
php-dba-5.4.16-42.el7.ppc64le.rpm
php-debuginfo-5.4.16-42.el7.ppc64le.rpm
php-devel-5.4.16-42.el7.ppc64le.rpm
php-embedded-5.4.16-42.el7.ppc64le.rpm
php-enchant-5.4.16-42.el7.ppc64le.rpm
php-fpm-5.4.16-42.el7.ppc64le.rpm
php-intl-5.4.16-42.el7.ppc64le.rpm
php-mbstring-5.4.16-42.el7.ppc64le.rpm
php-mysqlnd-5.4.16-42.el7.ppc64le.rpm
php-pspell-5.4.16-42.el7.ppc64le.rpm
php-snmp-5.4.16-42.el7.ppc64le.rpm

s390x:
php-bcmath-5.4.16-42.el7.s390x.rpm
php-dba-5.4.16-42.el7.s390x.rpm
php-debuginfo-5.4.16-42.el7.s390x.rpm
php-devel-5.4.16-42.el7.s390x.rpm
php-embedded-5.4.16-42.el7.s390x.rpm
php-enchant-5.4.16-42.el7.s390x.rpm
php-fpm-5.4.16-42.el7.s390x.rpm
php-intl-5.4.16-42.el7.s390x.rpm
php-mbstring-5.4.16-42.el7.s390x.rpm
php-mysqlnd-5.4.16-42.el7.s390x.rpm
php-pspell-5.4.16-42.el7.s390x.rpm
php-snmp-5.4.16-42.el7.s390x.rpm

x86_64:
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
php-5.4.16-42.el7.src.rpm

x86_64:
php-5.4.16-42.el7.x86_64.rpm
php-cli-5.4.16-42.el7.x86_64.rpm
php-common-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-gd-5.4.16-42.el7.x86_64.rpm
php-ldap-5.4.16-42.el7.x86_64.rpm
php-mysql-5.4.16-42.el7.x86_64.rpm
php-odbc-5.4.16-42.el7.x86_64.rpm
php-pdo-5.4.16-42.el7.x86_64.rpm
php-pgsql-5.4.16-42.el7.x86_64.rpm
php-process-5.4.16-42.el7.x86_64.rpm
php-recode-5.4.16-42.el7.x86_64.rpm
php-soap-5.4.16-42.el7.x86_64.rpm
php-xml-5.4.16-42.el7.x86_64.rpm
php-xmlrpc-5.4.16-42.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
php-bcmath-5.4.16-42.el7.x86_64.rpm
php-dba-5.4.16-42.el7.x86_64.rpm
php-debuginfo-5.4.16-42.el7.x86_64.rpm
php-devel-5.4.16-42.el7.x86_64.rpm
php-embedded-5.4.16-42.el7.x86_64.rpm
php-enchant-5.4.16-42.el7.x86_64.rpm
php-fpm-5.4.16-42.el7.x86_64.rpm
php-intl-5.4.16-42.el7.x86_64.rpm
php-mbstring-5.4.16-42.el7.x86_64.rpm
php-mysqlnd-5.4.16-42.el7.x86_64.rpm
php-pspell-5.4.16-42.el7.x86_64.rpm
php-snmp-5.4.16-42.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-5399
https://access.redhat.com/security/cve/CVE-2016-5766
https://access.redhat.com/security/cve/CVE-2016-5767
https://access.redhat.com/security/cve/CVE-2016-5768
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.3_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYGv0TXlSAg2UNWIIRAp5HAJ9klb3/2rtiS6x3SPaFdGuYWwxEegCfafaI
5XgUajtsAnxecqRTeRWw5H4=
=G7qP
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWB/Xrox+lLeg9Ub1AQg0Tw//Ry5IdzosO82GdY0ksevvjIUu6bEDU3+F
SyKFcWdcBZfJn0wqHTaFGLq8NmwSziw0dpY/kCug+082/nJnONGIXY0rJOpG8Yjo
CsASzrqC4B5Xj+b+f+Mm7XTdsDjFy2bdPTntlmL5EWPlgfzzEBvK+78AjvkBF/qL
UVFoF4o7YE19V9Cio5zzT11zUI8DoDMsXNLMkLvth7zvQbSSz8rPpxlK3lnRFZJG
emkFsK8WLsO3ggOTZqKk0lgftfhWoDBvqAofdcz9ccKYi5pXcyLioLDQs1ySgIPR
3tIXF8H/pU8YeyHpsTaw6SrlUVm/4DlWmceIZkbAyWhjQ4cctoF524Vi2zlwDmhT
MCbv5PiYikEUCmo3qH5XaWJXI6n7sokLXj8kY5R1bENclUW57Os+/rR+xd7wrk6U
Exfhl6qK2rDCt/2I5nOdN9WLWuzhCHSv3g4aWI0mkyLbmrfRVQdIP9uw+xZAYqmF
CYIMoN0S/EMITfFygUP6ldF6lRqonwN2hNEeFNDLzfsZkLQMmJ65UnZmTystnZ5g
yFq/UDSEKY+Cpgsjtzzn4YXmiUY7EheWq6f7kZmDyh9Z+ZWIBaS8dtrpyLEHTopH
HmEyYsN0nWgBrHnOlUYt5GN0e7d1Tp04JOSWhCODDWBo2yKzwJEI/nimSEhPUkqg
MakcQN0JlHU=
=Uuv+
-----END PGP SIGNATURE-----