Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

PHP 5 Updates Fix Several Security Vulnerabilities

PHP released last week versions 5.6.2, 5.5.18 and 5.4.34 of the scripting language. In addition to some functionality bugs, the latest releases address a series of security-related flaws.

According to the PHP development team, a total of four vulnerabilities have been fixed in PHP 5.6 and PHP 5.5, and six flaws in PHP 5.4.

PHP released last week versions 5.6.2, 5.5.18 and 5.4.34 of the scripting language. In addition to some functionality bugs, the latest releases address a series of security-related flaws.

According to the PHP development team, a total of four vulnerabilities have been fixed in PHP 5.6 and PHP 5.5, and six flaws in PHP 5.4.

One of the security bugs, CVE-2014-3669, is a high-severity integer overflow vulnerability in PHP’s “unserialize()” function. When the function is used on untrusted data, the flaw could lead to a crash or information disclosure. It’s unclear at this point if arbitrary code execution is also possible, says an advisory for this bug published on the Red Hat Bugzilla website. The issue only affects 32-bit systems.

Another vulnerability fixed by PHP has been assigned the CVE identifier CVE-2014-3668. The medium-severity security hole, which is caused by an out-of-bounds read flaw in the “mkgmtime()” function, could lead to a crash of the PHP interpreter.

CVE-2014-3669 and CVE-2014-3668 were reported to PHP in September by a researcher from Geneva, Switzerland-based IT security firm High-Tech Bridge.

Otto Ebeling, a software engineer at Facebook, reported a bug that causes heap corruption when parsing the thumbnail of a specially crafted .jpg image. This heap corruption affecting the “exif_thumbnail()” function has been assigned CVE-2014-3670.

“PHP provides APIs such as exif_thumbnail that can be used to extract embedded thumbnails from various image formats. In the process of extracting a TIFF-formatted EXIF thumbnail from a JPEG image, PHP re-encodes most IFD tags present in the thumbnail directory and prepends them to the thumbnail image in order to produce a standalone TIFF file,” Ebeling wrote in his report. “Individual values are re-encoded using the exif_ifd_make_value function. If this function is asked to write out an array of floating point values (single or double precision), it erroneously uses the size of the whole array when copying individual elements using memmove, leading to heap corruption.”

“To exploit a target application that uses this API (or exif_read_data with suitable parameters), a malicious user can trigger this condition by supplying a tag that contains an array of floating-point values, and futher tags that indicate the presence of a TIFF thumbnail. The image itself need not be valid as long as the exif_ifd_make_value gets invoked,” the expert explained.

According to Ebeling, the affected code is also included in the open-source virtual machine HHVM.

PHP 5.4, 5.5 and 5.6 users are advised to update their installations as soon as possible.  Additional information on the fixes is available in the changelogs.

 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.