CVE-2016-4543
Published 2016-05-22
Priority: P344 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.18% (95.6th percentile)
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
Affected
32 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fedoraproject | fedora | — | — |
| hp | system_management_homepage | <= 7.5.5.6 | — |
| opensuse | leap | — | — |
| php | php | <= 5.5.34 | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
vendor_ubuntu · 7.3 HIGH
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2016-05-24·CVSS 7.3
CVE-2015-8865 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that the PHP Fileinfo component incorrectly handled
certain magic files. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865)
Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly
handled certain malformed Zip archives. A remote attacker could use this
issue to cause PHP to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-3078)
It was discovered that PHP incorrectly handled invalid indexes in the
SplDoublyLinkedList class. An attacker could use this issue to cause
Red Hat
php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
vendor_redhat·2016-04-24·CVSS 9.8
CVE-2016-4543 [CRITICAL] CWE-125 php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php54-php (Red Hat Software Collections) - Will not fix
Package: php55-php (Red Hat Software Collections) - Will not fix
GHSA
GHSA-rq9w-g95x-fggp: The exif_process_IFD_in_JPEG function in ext/exif/exif
ghsa_unreviewed·2022-05-14
CVE-2016-4543 [CRITICAL] CWE-119 GHSA-rq9w-g95x-fggp: The exif_process_IFD_in_JPEG function in ext/exif/exif
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
OSV
php5, php7.0 vulnerabilities
osv·2016-05-24·CVSS 7.3
CVE-2015-8865 [HIGH] php5, php7.0 vulnerabilities
It was discovered that the PHP Fileinfo component incorrectly handled
certain magic files. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or possibly execute arbitrary
code. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-8865)
Hans Jerry Illikainen discovered that the PHP Zip extension incorrectly
handled certain malformed Zip archives. A remote attacker could use this
issue to cause PHP to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 16.04 LTS.
(CVE-2016-3078)
It was discovered that PHP incorrectly handled invalid indexes in the
SplDoublyLinkedList class. An attacker could use this issue to cause PHP to
crash, resulting in a denial of service, or
OSV
CVE-2016-4543: The exif_process_IFD_in_JPEG function in ext/exif/exif
osv·2016-05-06·CVSS 9.8
CVE-2016-4543 [CRITICAL] CVE-2016-4543: The exif_process_IFD_in_JPEG function in ext/exif/exif
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-4537 CVE-2016-4538 CVE-2016-4539 CVE-2016-4540 CVE-2016-4541 CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: various flaws [fedora-all]
bugzilla·2016-05-04·CVSS 9.8
CVE-2016-4537 [CRITICAL] CVE-2016-4537 CVE-2016-4538 CVE-2016-4539 CVE-2016-4540 CVE-2016-4541 CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit
Bugzilla
CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
bugzilla·2016-05-04·CVSS 9.8
CVE-2016-4542 [CRITICAL] CVE-2016-4542 CVE-2016-4543 CVE-2016-4544 php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
It was found that malformed input to function exif_read_data() can cause out-of-bounds heap memory read access.
Upstream bug:
https://bugs.php.net/bug.php?id=72094
Upstream patch:
https://git.php.net/?p=php-src.git;a=commit;h=1366c0362f1fa85e82bde9c0b393bd3bb3d32892
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1332882]
---
As per CVE assignment:
http://seclists.org/oss-sec/2016/q2/259
Use CVE-2016-4542 for the issue associated with the spprintf call.
Use CVE-2016-4543 for both issues in which "Illegal IFD size" validation was added.
Use CVE-2016-4544 for the issue in which "Invalid TIFF start" validation was added.
---
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183736.html
http://lists.opensuse.org/opensuse-updates/2016-05/msg00086.html
http://lists.opensuse.org/opensuse-updates/2016-06/msg00027.html
http://php.net/ChangeLog-5.php
http://php.net/ChangeLog-7.php
http://rhn.redhat.com/errata/RHSA-2016-2750.html
http://www.debian.org/security/2016/dsa-3602
http://www.openwall.com/lists/oss-security/2016/05/05/21
http://www.securityfocus.com/bid/89844
https://bugs.php.net/bug.php?id=72094
https://git.php.net/?p=php-src.git%3Ba=commit%3Bh=082aecfc3a753ad03be82cf14f03ac065723ec92
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://security.gentoo.org/glsa/201611-22