ALAS-2016-728


Amazon Linux 1 Security Advisory: ALAS-2016-728
Advisory Release Date: 2016-08-01 13:30 Pacific
Advisory Updated Date: 2016-08-17 13:30 Pacific
Severity: Medium

Issue Overview:

A stack consumption vulnerability in GD in PHP allows remote attackers to cause a denial of service via a crafted imagefilltoborder call. (CVE-2015-8874)

An integer overflow, leading to a heap-based buffer overflow was found in the imagecreatefromgd2() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted GD2 image. (CVE-2016-5766)

An integer overflow, leading to a heap-based buffer overflow was found in the gdImagePaletteToTrueColor() function of PHP's gd extension. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application, using gd via a specially crafted image buffer. (CVE-2016-5767)

A double free flaw was found in the mb_ereg_replace_callback() function of php which is used to perform regex search. This flaw could possibly cause a PHP application to crash. (CVE-2016-5768)

The mcrypt_generic() and mdecrypt_generic() functions are prone to integer overflows, resulting in a heap-based overflow. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5769)

A type confusion issue was found in the SPLFileObject fread() function. A remote attacker able to submit a specially crafted input to a PHP application, which uses this function, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application. (CVE-2016-5770)

A use-after-free vulnerability that can occur when calling unserialize() on untrusted input was discovered. A remote attacker could use this flaw to crash a PHP application or execute arbitrary code with the privileges of the user running that PHP application if the application unserializes untrusted input. (CVE-2016-5771, CVE-2016-5773)

A double free can occur in wddx_deserialize() when trying to deserialize malicious XML input from user's request. This flaw could possibly cause a PHP application to crash. (CVE-2016-5772)

It was discovered that PHP did not properly protect against the HTTP_PROXY variable name clash. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a PHP script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5385)

(Updated on 2016-08-17: CVE-2016-5385 was fixed in this release but was not previously part of this errata)


Affected Packages:

php55, php56


Issue Correction:
Run yum update php55 to update your system.
Run yum update php56 to update your system.

New Packages:
i686:
    php55-mbstring-5.5.38-1.116.amzn1.i686
    php55-tidy-5.5.38-1.116.amzn1.i686
    php55-cli-5.5.38-1.116.amzn1.i686
    php55-xmlrpc-5.5.38-1.116.amzn1.i686
    php55-pdo-5.5.38-1.116.amzn1.i686
    php55-debuginfo-5.5.38-1.116.amzn1.i686
    php55-opcache-5.5.38-1.116.amzn1.i686
    php55-odbc-5.5.38-1.116.amzn1.i686
    php55-recode-5.5.38-1.116.amzn1.i686
    php55-enchant-5.5.38-1.116.amzn1.i686
    php55-dba-5.5.38-1.116.amzn1.i686
    php55-fpm-5.5.38-1.116.amzn1.i686
    php55-embedded-5.5.38-1.116.amzn1.i686
    php55-gmp-5.5.38-1.116.amzn1.i686
    php55-soap-5.5.38-1.116.amzn1.i686
    php55-mcrypt-5.5.38-1.116.amzn1.i686
    php55-pgsql-5.5.38-1.116.amzn1.i686
    php55-imap-5.5.38-1.116.amzn1.i686
    php55-pspell-5.5.38-1.116.amzn1.i686
    php55-snmp-5.5.38-1.116.amzn1.i686
    php55-5.5.38-1.116.amzn1.i686
    php55-ldap-5.5.38-1.116.amzn1.i686
    php55-xml-5.5.38-1.116.amzn1.i686
    php55-devel-5.5.38-1.116.amzn1.i686
    php55-bcmath-5.5.38-1.116.amzn1.i686
    php55-mysqlnd-5.5.38-1.116.amzn1.i686
    php55-common-5.5.38-1.116.amzn1.i686
    php55-process-5.5.38-1.116.amzn1.i686
    php55-mssql-5.5.38-1.116.amzn1.i686
    php55-gd-5.5.38-1.116.amzn1.i686
    php55-intl-5.5.38-1.116.amzn1.i686
    php56-5.6.24-1.126.amzn1.i686
    php56-embedded-5.6.24-1.126.amzn1.i686
    php56-intl-5.6.24-1.126.amzn1.i686
    php56-cli-5.6.24-1.126.amzn1.i686
    php56-gd-5.6.24-1.126.amzn1.i686
    php56-soap-5.6.24-1.126.amzn1.i686
    php56-fpm-5.6.24-1.126.amzn1.i686
    php56-tidy-5.6.24-1.126.amzn1.i686
    php56-snmp-5.6.24-1.126.amzn1.i686
    php56-enchant-5.6.24-1.126.amzn1.i686
    php56-mbstring-5.6.24-1.126.amzn1.i686
    php56-debuginfo-5.6.24-1.126.amzn1.i686
    php56-gmp-5.6.24-1.126.amzn1.i686
    php56-dbg-5.6.24-1.126.amzn1.i686
    php56-mssql-5.6.24-1.126.amzn1.i686
    php56-bcmath-5.6.24-1.126.amzn1.i686
    php56-pspell-5.6.24-1.126.amzn1.i686
    php56-opcache-5.6.24-1.126.amzn1.i686
    php56-ldap-5.6.24-1.126.amzn1.i686
    php56-common-5.6.24-1.126.amzn1.i686
    php56-imap-5.6.24-1.126.amzn1.i686
    php56-process-5.6.24-1.126.amzn1.i686
    php56-recode-5.6.24-1.126.amzn1.i686
    php56-pgsql-5.6.24-1.126.amzn1.i686
    php56-devel-5.6.24-1.126.amzn1.i686
    php56-mcrypt-5.6.24-1.126.amzn1.i686
    php56-xmlrpc-5.6.24-1.126.amzn1.i686
    php56-odbc-5.6.24-1.126.amzn1.i686
    php56-pdo-5.6.24-1.126.amzn1.i686
    php56-xml-5.6.24-1.126.amzn1.i686
    php56-dba-5.6.24-1.126.amzn1.i686
    php56-mysqlnd-5.6.24-1.126.amzn1.i686

src:
    php55-5.5.38-1.116.amzn1.src
    php56-5.6.24-1.126.amzn1.src

x86_64:
    php55-odbc-5.5.38-1.116.amzn1.x86_64
    php55-mysqlnd-5.5.38-1.116.amzn1.x86_64
    php55-cli-5.5.38-1.116.amzn1.x86_64
    php55-soap-5.5.38-1.116.amzn1.x86_64
    php55-mssql-5.5.38-1.116.amzn1.x86_64
    php55-pgsql-5.5.38-1.116.amzn1.x86_64
    php55-gmp-5.5.38-1.116.amzn1.x86_64
    php55-xmlrpc-5.5.38-1.116.amzn1.x86_64
    php55-mcrypt-5.5.38-1.116.amzn1.x86_64
    php55-opcache-5.5.38-1.116.amzn1.x86_64
    php55-5.5.38-1.116.amzn1.x86_64
    php55-ldap-5.5.38-1.116.amzn1.x86_64
    php55-enchant-5.5.38-1.116.amzn1.x86_64
    php55-process-5.5.38-1.116.amzn1.x86_64
    php55-fpm-5.5.38-1.116.amzn1.x86_64
    php55-mbstring-5.5.38-1.116.amzn1.x86_64
    php55-tidy-5.5.38-1.116.amzn1.x86_64
    php55-xml-5.5.38-1.116.amzn1.x86_64
    php55-devel-5.5.38-1.116.amzn1.x86_64
    php55-pdo-5.5.38-1.116.amzn1.x86_64
    php55-intl-5.5.38-1.116.amzn1.x86_64
    php55-dba-5.5.38-1.116.amzn1.x86_64
    php55-gd-5.5.38-1.116.amzn1.x86_64
    php55-recode-5.5.38-1.116.amzn1.x86_64
    php55-imap-5.5.38-1.116.amzn1.x86_64
    php55-debuginfo-5.5.38-1.116.amzn1.x86_64
    php55-snmp-5.5.38-1.116.amzn1.x86_64
    php55-common-5.5.38-1.116.amzn1.x86_64
    php55-pspell-5.5.38-1.116.amzn1.x86_64
    php55-bcmath-5.5.38-1.116.amzn1.x86_64
    php55-embedded-5.5.38-1.116.amzn1.x86_64
    php56-ldap-5.6.24-1.126.amzn1.x86_64
    php56-gmp-5.6.24-1.126.amzn1.x86_64
    php56-odbc-5.6.24-1.126.amzn1.x86_64
    php56-common-5.6.24-1.126.amzn1.x86_64
    php56-xml-5.6.24-1.126.amzn1.x86_64
    php56-mbstring-5.6.24-1.126.amzn1.x86_64
    php56-intl-5.6.24-1.126.amzn1.x86_64
    php56-opcache-5.6.24-1.126.amzn1.x86_64
    php56-snmp-5.6.24-1.126.amzn1.x86_64
    php56-mssql-5.6.24-1.126.amzn1.x86_64
    php56-xmlrpc-5.6.24-1.126.amzn1.x86_64
    php56-embedded-5.6.24-1.126.amzn1.x86_64
    php56-5.6.24-1.126.amzn1.x86_64
    php56-pdo-5.6.24-1.126.amzn1.x86_64
    php56-pgsql-5.6.24-1.126.amzn1.x86_64
    php56-soap-5.6.24-1.126.amzn1.x86_64
    php56-bcmath-5.6.24-1.126.amzn1.x86_64
    php56-cli-5.6.24-1.126.amzn1.x86_64
    php56-tidy-5.6.24-1.126.amzn1.x86_64
    php56-recode-5.6.24-1.126.amzn1.x86_64
    php56-debuginfo-5.6.24-1.126.amzn1.x86_64
    php56-pspell-5.6.24-1.126.amzn1.x86_64
    php56-imap-5.6.24-1.126.amzn1.x86_64
    php56-mcrypt-5.6.24-1.126.amzn1.x86_64
    php56-dba-5.6.24-1.126.amzn1.x86_64
    php56-dbg-5.6.24-1.126.amzn1.x86_64
    php56-process-5.6.24-1.126.amzn1.x86_64
    php56-fpm-5.6.24-1.126.amzn1.x86_64
    php56-enchant-5.6.24-1.126.amzn1.x86_64
    php56-gd-5.6.24-1.126.amzn1.x86_64
    php56-mysqlnd-5.6.24-1.126.amzn1.x86_64
    php56-devel-5.6.24-1.126.amzn1.x86_64