Patch your PHP: Security fixes released for all branches

PHP fixed a handful of memory leak and buffer overflow flaws that could result in remote code execution

Patch your PHP: Security fixes released for all branches
Jason A G (Creative Commons BY or BY-SA)

PHP developers, take note of the latest updates: Versions 7.0.2, 5.6.17, and 5.5.31 are now available and feature a multitude of security bug fixes.

Version 7.0.2 fixed 31 bugs, including six security vulnerabilities, in PHP 7, while version 5.6.17 fixed 14 bugs. PHP 5.5.31 closed five vulnerabilities in PHP 5.5, which is in security support mode until July 2016.

PHP 5.4 reached its end of life in October with 5.4.45 and is no longer maintained. Developers still on PHP 5.4 are strongly recommended to upgrade to a maintained version, to PHP 5.6 or PHP 7. Considering how many Web applications run PHP and how frequently they come under attack, using outdated versions makes it easier for attackers to exploit vulnerabilities.

PHP 7 was released a month ago, and the majority of the bug fixes in 7.0.2 address segmentation faults in Core and various application crash errors. Version 7.0.2 fixed 14 bugs in PHP Core; one each in CURL, DBA, Filter, FTP, FPM, GD, Mbstring, Opcache, PCRE, Readline, Session, Standard, and XMLRPC; and two in SPL and WDDX.

The updates also addressed a four-year-old bug report, giving an option that forces PHP to ignore the passive FTP address (55651). Servers sometimes return the internal IP address, (such as 10.x.x.x) in response to a PASV command, and PHP saves the IP address for future connections. However, PHP applications trying to communicate with a server behind NAT won't be able to connect with passive FTP. This has been addressed in both 5.6 and 7.0 branches.

PHP 7 also now handles -0 (negative 0) with a new fix in Core (52355). Other languages have both positive 0 and negative 0, and PHP 7.0.2 now handles it correctly so that it can properly do floating point calculations.

Security fixes across all branches

Most of the vulnerabilities appear to be low priority, although a few could result in remote code execution. For example, PHP fixed a heap buffer overflow in Standard. While the details of the bug report were not available, a look at the fix itself indicated that the condition would exist if someone tried to pass a string longer than 1 billion characters to escapeshellarg(). "It's a theoretical buffer overflow," according to a post on Reddit by user nikic.

A memory read error in the GD graphics library (70976) would have allowed attackers to read large contiguous chunks of memory by passing a large number that exceeds the color palette array to ImageRotate. Another memory leak error in FPM, the FastCGI Process Manager, is also a limited buffer overflow bug (70755). When a long token, such as a HTTP request with long query string, is added to the end of the access.format option of FPM, it attempts to write outside of the compiled buffer. Several conditions have to exist before it can be exploited, so the severity is low.

The user-after-free vulnerability in WDDX, the Web Distributed Data eXchange interface (70661), could be exploited to remotely execute arbitrary code. During packet deserialization, even though the value is freed from memory, a maliciously crafted recordset can still use the freed memory, according to the bug report.

A type confusion vulnerability in WDDX (70741) is vulnerable to remote code execution. In this case, an attacker can deserialize a string type and create a fake hash table. Another type confusion vulnerability in XMLRPC-EPI, the XML-RPC protocol for PHP (70728), can let an attacker lookup an arbitrary memory address. Successful exploitation would result in leaking arbitrary memory blocks or crash PHP.

Since these new versions offer security fixes for the 5.5, 5.6 and 7.0 branches, updating is strongly recommended. Even if the vulnerabilities aren't high priority, a few of them can result in attackers being able to execute arbitrary code remotely on the PHP application. Don't leave that door open for attack.

Copyright © 2016 IDG Communications, Inc.

How to choose a low-code development platform