The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability announce CVE-2013-7456 CVE-2016-4343 CVE-2016-5093

PHP 5: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PHP 5.
Vulnerable systems: Mac OS X, Debian, BIG-IP Hardware, TMOS, Fedora, openSUSE, openSUSE Leap, PHP, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this threat: 2/4.
Consequences of an attack: privileged access/rights, denial of service on server, denial of service on service.
Pirate's origin: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 26/05/2016.
Références of this weakness: 71331, 72114, 72135, 72227, 72241, CERTFR-2016-AVI-195, CVE-2013-7456, CVE-2016-4343, CVE-2016-5093, CVE-2016-5094, CVE-2016-5095, CVE-2016-5096, DLA-499-1, DLA-533-1, DSA-3602-1, FEDORA-2016-65f1ffdc0c, FEDORA-2016-6b1938566f, HT206903, K43449212, K51390683, openSUSE-SU-2016:1553-1, openSUSE-SU-2016:1688-1, RHSA-2016:2750-01, SOL43449212, SOL51390683, SSA:2016-148-03, SUSE-SU-2016:1581-1, SUSE-SU-2016:1638-1, USN-3030-1, USN-3045-1, VIGILANCE-VUL-19712.

Description of the vulnerability

Several vulnerabilities were announced in PHP 5.

An attacker can generate an integer overflow via fread, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72114, CVE-2016-5096]

An attacker can generate an integer overflow via php_html_entities, in order to trigger a denial of service, and possibly to run code. [severity:2/4; 72135, CVE-2016-5094, CVE-2016-5095]

An attacker can force a read at an invalid address via imagescale, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 72227, CVE-2013-7456]

An attacker can force a read at an invalid address via get_icu_value_internal, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 72241, CVE-2016-5093]

An attacker can force a read at an invalid address via phar_make_dirstream(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; 71331, CVE-2016-4343]
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a networks vulnerabilities watch. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The technology watch team tracks security threats targeting the computer system.