PHP 5 Updates Fix Several Security Vulnerabilities

PHP released last week versions 5.6.2, 5.5.18 and 5.4.34 of the scripting language. In addition to some functionality bugs, the latest releases address a series of security-related flaws.

According to the PHP development team, a total of four vulnerabilities have been fixed in PHP 5.6 and PHP 5.5, and six flaws in PHP 5.4.

One of the security bugs, CVE-2014-3669, is a high-severity integer overflow vulnerability in PHP’s “unserialize()” function. When the function is used on untrusted data, the flaw could lead to a crash or information disclosure. It’s unclear at this point if arbitrary code execution is also possible, says an advisory for this bug published on the Red Hat Bugzilla website. The issue only affects 32-bit systems.

Another vulnerability fixed by PHP has been assigned the CVE identifier CVE-2014-3668. The medium-severity security hole, which is caused by an out-of-bounds read flaw in the “mkgmtime()” function, could lead to a crash of the PHP interpreter.

CVE-2014-3669 and CVE-2014-3668 were reported to PHP in September by a researcher from Geneva, Switzerland-based IT security firm High-Tech Bridge.

Otto Ebeling, a software engineer at Facebook, reported a bug that causes heap corruption when parsing the thumbnail of a specially crafted .jpg image. This heap corruption affecting the “exif_thumbnail()” function has been assigned CVE-2014-3670.

“PHP provides APIs such as exif_thumbnail that can be used to extract embedded thumbnails from various image formats. In the process of extracting a TIFF-formatted EXIF thumbnail from a JPEG image, PHP re-encodes most IFD tags present in the thumbnail directory and prepends them to the thumbnail image in order to produce a standalone TIFF file,” Ebeling wrote in his report. “Individual values are re-encoded using the exif_ifd_make_value function. If this function is asked to write out an array of floating point values (single or double precision), it erroneously uses the size of the whole array when copying individual elements using memmove, leading to heap corruption.”

“To exploit a target application that uses this API (or exif_read_data with suitable parameters), a malicious user can trigger this condition by supplying a tag that contains an array of floating-point values, and further tags that indicate the presence of a TIFF thumbnail. The image itself need not be valid as long as the exif_ifd_make_value gets invoked,” the expert explained.
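The defect Ebeling describes is a length mix-up: each per-element copy was sized by the whole array rather than by one element. The following C is an added illustration written for this article and is not PHP's exif_ifd_make_value or any code from the PHP project; the function names (checked_copy, encode_scalar_array, self_check) and the sample values are constructed. It shows the defensive shape of such a re-encoder: the total size is computed with an overflow check, refused if it does not fit the destination, and every memmove is sized by the element, never by the array.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <limits.h>

/* Copy exactly n bytes from src to dst only if they fit in the remaining
 * capacity. Returns 1 on success, 0 if the copy would overrun. */
static int checked_copy(unsigned char *dst, size_t dst_remaining,
                        const void *src, size_t n)
{
    if (n > dst_remaining)
        return 0;
    memmove(dst, src, n);
    return 1;
}

/* Re-encode `count` scalars of `elem` bytes each (e.g. sizeof(float) or
 * sizeof(double)) into `out`. Returns the number of bytes written, or -1
 * if the array cannot fit. The per-element copy length is `elem`, never
 * the size of the whole array, which is the mistake quoted above.
 * Hypothetical helper, not PHP's own code. */
long encode_scalar_array(const void *vals, size_t count, size_t elem,
                         unsigned char *out, size_t out_cap)
{
    if (elem == 0 || count > SIZE_MAX / elem)   /* count * elem would overflow */
        return -1;
    size_t total = count * elem;                /* size of the whole array */
    if (total > out_cap || total > LONG_MAX)    /* does not fit: refuse, do not truncate */
        return -1;
    const unsigned char *src = (const unsigned char *)vals;
    for (size_t i = 0; i < count; i++) {
        size_t off = i * elem;
        /* One element per copy; the remaining capacity is re-derived each
         * time so a wrong length can never run past `out`. */
        if (!checked_copy(out + off, out_cap - off, src + off, elem))
            return -1;
    }
    return (long)total;
}

/* Constructed scenario: three single-precision values into a 12-byte
 * buffer (fits, bytes match the source) and into an 8-byte buffer
 * (refused). Returns 1 if both behave as expected, 0 otherwise. */
int self_check(void)
{
    float vals[3] = {1.0f, 2.5f, -3.0f};
    unsigned char buf[12];
    long n = encode_scalar_array(vals, 3, sizeof(float), buf, sizeof buf);
    if (n != 12 || memcmp(buf, vals, 12) != 0)
        return 0;
    if (encode_scalar_array(vals, 3, sizeof(float), buf, 8) != -1)
        return 0;
    return 1;
}

int main(void)
{
    int ok = self_check();
    printf("self_check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The point of the shape is that the size of the destination and the size of one element are tracked separately and both are checked before any byte moves, so a tag that advertises a large array is rejected rather than written past the end of the heap allocation.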

According to Ebeling, the affected code is also included in the open-source virtual machine HHVM.

PHP 5.4, 5.5 and 5.6 users are advised to update their installations as soon as possible. Additional information on the fixes is available in the changelogs.
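For a fleet of servers, "update as soon as possible" starts with knowing which hosts still run a release older than the fixed one for their branch. The Python below is an added example, not code from PHP or from this article; it encodes the three fixed releases the article names (5.6.2, 5.5.18, 5.4.34) and classifies reported version strings against them. The function names, the inventory format (a hostname-to-version mapping) and the sample hostnames are constructed. Branches the advisory does not list are reported as unknown rather than guessed at.

```python
"""Classify reported PHP versions against the releases that shipped the
CVE-2014-3668/3669/3670 fixes. Added example; the fixed releases come from
the article, everything else here is an assumption for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed release per 5.x branch, as stated in the article.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (5, 6): (5, 6, 2),
    (5, 5): (5, 5, 18),
    (5, 4): (5, 4, 34),
}

# Leading major.minor.patch; anything after (e.g. a distro suffix) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not a version."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or after the fixed release for its branch,
    False if it is older, None if the branch is not one the article lists
    (including unparsable strings), so it can be reviewed by hand."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed  # tuple comparison: (5, 6, 10) >= (5, 6, 2) is True


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group a {hostname: version_string} inventory into three buckets."""
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        status = is_patched(version)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "web-01": "5.6.2",
        "web-02": "5.5.17-1+deb.sury.org~precise+1",
        "web-03": "5.4.34",
        "legacy-01": "5.3.29",
        "unknown-01": "n/a",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

One caveat when reading the "vulnerable" bucket: distributions that backport security fixes keep the upstream version number and bump only their own package revision, so a host can be fixed while its reported version string looks old. Treat the output as a list of hosts to confirm against the vendor's package changelog, not as a final verdict.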

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
