Security update for php7

Announcement ID:	SUSE-SU-2017:0534-1
Rating:	important
References:	bsc#1008026 bsc#1019547 bsc#1019550 bsc#1019568 bsc#1019570 bsc#1022219 bsc#1022255 bsc#1022257 bsc#1022260 bsc#1022262 bsc#1022263 bsc#1022264 bsc#1022265
Cross-References:	CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161 CVE-2016-10162 CVE-2016-10166 CVE-2016-10167 CVE-2016-10168 CVE-2016-7478 CVE-2016-7479 CVE-2016-7480 CVE-2016-9138 CVE-2017-5340
CVSS scores:	CVE-2016-10158 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-10159 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-10159 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-10160 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-10160 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-10161 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-10162 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-10166 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-10167 ( NVD ): 5.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVE-2016-10168 ( NVD ): 7.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2016-7478 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-7479 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-7480 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-7480 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-9138 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-5340 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-5340 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2017-5340 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE Linux Enterprise Software Development Kit 12 12-SP2 SUSE Linux Enterprise Software Development Kit 12 SP1 Web and Scripting Module 12

An update that solves 13 vulnerabilities can now be installed.

Description:

This update for php7 fixes the following security issues:

• CVE-2016-7480: The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP did not verify that a key is an object, which allowed remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. (bsc#1019568)
• CVE-2017-5340: Zend/zend_hash.c in PHP mishandled certain cases that require large array allocations, which allowed remote attackers to execute arbitrary code or cause a denial of service (integer overflow, uninitialized memory access, and use of arbitrary destructor function pointers) via crafted serialized data. (bsc#1019570)
• CVE-2016-7479: In all versions of PHP 7, during the unserialization process, resizing the 'properties' hash table of a serialized object may have lead to use-after-free. A remote attacker may exploit this bug to gain arbitrary code execution. (bsc#1019547)
• CVE-2016-7478: Zend/zend_exceptions.c in PHP allowed remote attackers to cause a denial of service (infinite loop) via a crafted Exception object in serialized data, a related issue to CVE-2015-8876. (bsc#1019550)
• CVE-2016-10159: Integer overflow in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory consumption or application crash) via a truncated manifest entry in a PHAR archive. (bsc#1022255)
• CVE-2016-10160: Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch. (bsc#1022257)
• CVE-2016-10161: The object_common1 function in ext/standard/var_unserializer.c in PHP allowed remote attackers to cause a denial of service (buffer over-read and application crash) via crafted serialized data that is mishandled in a finish_nested_data call. (bsc#1022260)
• CVE-2016-10162: The php_wddx_pop_element function in ext/wddx/wddx.c in PHP 7 allowed remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an inapplicable class name in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. (bsc#1022262)
• CVE-2016-10166: A potential unsigned underflow in gd interpolation functions could lead to memory corruption in the PHP gd module (bsc#1022263)
• CVE-2016-10167: A denial of service problem in gdImageCreateFromGd2Ctx() could lead to php out of memory even on small files. (bsc#1022264)
• CVE-2016-10168: A signed integer overflow in the gd module could lead to memory corruption (bsc#1022265)
• CVE-2016-9138: PHP mishandled property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup. (bsc#1008026)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Web and Scripting Module 12
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2017-277=1
• SUSE Linux Enterprise Software Development Kit 12 SP1
  zypper in -t patch SUSE-SLE-SDK-12-SP1-2017-277=1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2
  zypper in -t patch SUSE-SLE-SDK-12-SP2-2017-277=1

Package List:

• Web and Scripting Module 12 (aarch64 ppc64le s390x x86_64)
  • php7-sockets-7.0.7-35.1
  • php7-openssl-7.0.7-35.1
  • php7-posix-7.0.7-35.1
  • php7-shmop-debuginfo-7.0.7-35.1
  • php7-ctype-7.0.7-35.1
  • php7-gmp-debuginfo-7.0.7-35.1
  • php7-debuginfo-7.0.7-35.1
  • apache2-mod_php7-debuginfo-7.0.7-35.1
  • php7-dom-debuginfo-7.0.7-35.1
  • php7-xmlwriter-debuginfo-7.0.7-35.1
  • php7-posix-debuginfo-7.0.7-35.1
  • php7-gd-7.0.7-35.1
  • php7-opcache-7.0.7-35.1
  • php7-gettext-7.0.7-35.1
  • php7-dom-7.0.7-35.1
  • php7-pgsql-7.0.7-35.1
  • php7-xsl-7.0.7-35.1
  • php7-7.0.7-35.1
  • php7-ftp-debuginfo-7.0.7-35.1
  • php7-tokenizer-debuginfo-7.0.7-35.1
  • php7-ldap-debuginfo-7.0.7-35.1
  • php7-xmlreader-debuginfo-7.0.7-35.1
  • php7-pspell-7.0.7-35.1
  • php7-sysvshm-debuginfo-7.0.7-35.1
  • php7-fpm-debuginfo-7.0.7-35.1
  • php7-mbstring-debuginfo-7.0.7-35.1
  • php7-exif-7.0.7-35.1
  • php7-calendar-debuginfo-7.0.7-35.1
  • php7-fastcgi-debuginfo-7.0.7-35.1
  • php7-zip-7.0.7-35.1
  • php7-debugsource-7.0.7-35.1
  • php7-zip-debuginfo-7.0.7-35.1
  • php7-sysvshm-7.0.7-35.1
  • php7-iconv-debuginfo-7.0.7-35.1
  • php7-odbc-debuginfo-7.0.7-35.1
  • php7-pgsql-debuginfo-7.0.7-35.1
  • php7-pdo-debuginfo-7.0.7-35.1
  • php7-sysvmsg-debuginfo-7.0.7-35.1
  • php7-curl-7.0.7-35.1
  • php7-enchant-debuginfo-7.0.7-35.1
  • php7-fastcgi-7.0.7-35.1
  • php7-shmop-7.0.7-35.1
  • php7-imap-debuginfo-7.0.7-35.1
  • php7-bcmath-7.0.7-35.1
  • php7-sqlite-debuginfo-7.0.7-35.1
  • php7-gd-debuginfo-7.0.7-35.1
  • php7-tokenizer-7.0.7-35.1
  • php7-pcntl-7.0.7-35.1
  • php7-sysvsem-debuginfo-7.0.7-35.1
  • php7-sysvsem-7.0.7-35.1
  • php7-ldap-7.0.7-35.1
  • php7-zlib-debuginfo-7.0.7-35.1
  • php7-odbc-7.0.7-35.1
  • php7-pcntl-debuginfo-7.0.7-35.1
  • php7-opcache-debuginfo-7.0.7-35.1
  • php7-intl-debuginfo-7.0.7-35.1
  • php7-curl-debuginfo-7.0.7-35.1
  • php7-pdo-7.0.7-35.1
  • php7-ctype-debuginfo-7.0.7-35.1
  • php7-xmlrpc-debuginfo-7.0.7-35.1
  • php7-dba-7.0.7-35.1
  • php7-json-debuginfo-7.0.7-35.1
  • php7-soap-debuginfo-7.0.7-35.1
  • php7-mcrypt-debuginfo-7.0.7-35.1
  • php7-wddx-debuginfo-7.0.7-35.1
  • php7-gmp-7.0.7-35.1
  • php7-dba-debuginfo-7.0.7-35.1
  • php7-snmp-debuginfo-7.0.7-35.1
  • php7-mysql-debuginfo-7.0.7-35.1
  • php7-wddx-7.0.7-35.1
  • php7-openssl-debuginfo-7.0.7-35.1
  • php7-calendar-7.0.7-35.1
  • php7-fpm-7.0.7-35.1
  • php7-pspell-debuginfo-7.0.7-35.1
  • php7-imap-7.0.7-35.1
  • php7-bz2-debuginfo-7.0.7-35.1
  • php7-bcmath-debuginfo-7.0.7-35.1
  • php7-mcrypt-7.0.7-35.1
  • php7-iconv-7.0.7-35.1
  • php7-phar-debuginfo-7.0.7-35.1
  • php7-json-7.0.7-35.1
  • php7-gettext-debuginfo-7.0.7-35.1
  • php7-intl-7.0.7-35.1
  • php7-xmlreader-7.0.7-35.1
  • apache2-mod_php7-7.0.7-35.1
  • php7-mbstring-7.0.7-35.1
  • php7-xmlrpc-7.0.7-35.1
  • php7-phar-7.0.7-35.1
  • php7-fileinfo-7.0.7-35.1
  • php7-enchant-7.0.7-35.1
  • php7-ftp-7.0.7-35.1
  • php7-mysql-7.0.7-35.1
  • php7-bz2-7.0.7-35.1
  • php7-soap-7.0.7-35.1
  • php7-zlib-7.0.7-35.1
  • php7-xmlwriter-7.0.7-35.1
  • php7-xsl-debuginfo-7.0.7-35.1
  • php7-exif-debuginfo-7.0.7-35.1
  • php7-sysvmsg-7.0.7-35.1
  • php7-sqlite-7.0.7-35.1
  • php7-fileinfo-debuginfo-7.0.7-35.1
  • php7-snmp-7.0.7-35.1
  • php7-sockets-debuginfo-7.0.7-35.1
• Web and Scripting Module 12 (noarch)
  • php7-pear-7.0.7-35.1
  • php7-pear-Archive_Tar-7.0.7-35.1
• SUSE Linux Enterprise Software Development Kit 12 SP1 (ppc64le s390x x86_64)
  • php7-devel-7.0.7-35.1
  • php7-debuginfo-7.0.7-35.1
  • php7-debugsource-7.0.7-35.1
• SUSE Linux Enterprise Software Development Kit 12 12-SP2 (aarch64 ppc64le s390x x86_64)
  • php7-devel-7.0.7-35.1
  • php7-debuginfo-7.0.7-35.1
  • php7-debugsource-7.0.7-35.1

References:

• https://www.suse.com/security/cve/CVE-2016-10158.html
• https://www.suse.com/security/cve/CVE-2016-10159.html
• https://www.suse.com/security/cve/CVE-2016-10160.html
• https://www.suse.com/security/cve/CVE-2016-10161.html
• https://www.suse.com/security/cve/CVE-2016-10162.html
• https://www.suse.com/security/cve/CVE-2016-10166.html
• https://www.suse.com/security/cve/CVE-2016-10167.html
• https://www.suse.com/security/cve/CVE-2016-10168.html
• https://www.suse.com/security/cve/CVE-2016-7478.html
• https://www.suse.com/security/cve/CVE-2016-7479.html
• https://www.suse.com/security/cve/CVE-2016-7480.html
• https://www.suse.com/security/cve/CVE-2016-9138.html
• https://www.suse.com/security/cve/CVE-2017-5340.html
• https://bugzilla.suse.com/show_bug.cgi?id=1008026
• https://bugzilla.suse.com/show_bug.cgi?id=1019547
• https://bugzilla.suse.com/show_bug.cgi?id=1019550
• https://bugzilla.suse.com/show_bug.cgi?id=1019568
• https://bugzilla.suse.com/show_bug.cgi?id=1019570
• https://bugzilla.suse.com/show_bug.cgi?id=1022219
• https://bugzilla.suse.com/show_bug.cgi?id=1022255
• https://bugzilla.suse.com/show_bug.cgi?id=1022257
• https://bugzilla.suse.com/show_bug.cgi?id=1022260
• https://bugzilla.suse.com/show_bug.cgi?id=1022262
• https://bugzilla.suse.com/show_bug.cgi?id=1022263
• https://bugzilla.suse.com/show_bug.cgi?id=1022264
• https://bugzilla.suse.com/show_bug.cgi?id=1022265