MGASA-2014-0367

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2014-0367.html

Import Source

https://advisories.mageia.org/MGASA-2014-0367.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2014-0367

Related

CVE-2014-3587
CVE-2014-3597
CVE-2014-5120

Published

2014-09-05T09:07:37Z

Modified

2014-09-05T08:34:50Z

Summary

Updated php packages fix multiple security vulnerabilities

Details

Updated php packages fix security vulnerabilities:

Integer overflow in the cdfreadproperty_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1571 (CVE-2014-3587).

Multiple buffer overflows in the phpparserr function in ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow remote DNS servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted DNS record, related to the dnsgetrecord function and the dnexpand function. NOTE: this issue exists because of an incomplete fix for CVE-2014-4049 (CVE-2014-3597).

gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack \%00 sequences, which might allow remote attackers to overwrite arbitrary files via crafted input to an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif, (4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function (CVE-2014-5120).

The php packages have been updated to 5.4.32 for Mageia 3 and 5.5.16 for Mageia 4, fixing these issues and several other bugs.

Note that the CVE-2014-5120 issue is only relevant for the php-gd-bundled package in Mageia 3.

Also, php-apc has been rebuilt against the updated php packages.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:3 / php

Package

Name: php
Purl: pkg:rpm/mageia/php?distro=mageia-3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.32-1.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / php-apc

Package

Name: php-apc
Purl: pkg:rpm/mageia/php-apc?distro=mageia-3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.14-7.12.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:3 / php-gd-bundled

Package

Name: php-gd-bundled
Purl: pkg:rpm/mageia/php-gd-bundled?distro=mageia-3

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.32-1.mga3

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / php

Package

Name: php
Purl: pkg:rpm/mageia/php?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.5.16-1.mga4

Ecosystem specific

{
    "section": "core"
}

Mageia:4 / php-apc

Package

Name: php-apc
Purl: pkg:rpm/mageia/php-apc?distro=mageia-4

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.15-4.7.mga4

Ecosystem specific

{
    "section": "core"
}