
PHP 7.0.30 and 7.2.5 released #858

Closed

todeveni opened this issue Apr 26, 2018 · 9 comments

Comments

@todeveni
Contributor

7.0.30 and 7.2.5

Thanks!

@todeveni
Contributor Author

Also 7.1.17

@apotek

apotek commented Apr 29, 2018

This is in fact a critical security update to 7.x versions and 5.6x. I suggest editing the subject line to include that fact, and also to include that the 5.6 branch is also vulnerable.

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-046/

OVERVIEW:

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

PHP 7.2 prior to 7.2.5
PHP 7.1 prior to 7.1.17
PHP 7.0 prior to 7.0.30
PHP 5.0 prior to 5.6.36

...

RECOMMENDATIONS:

We recommend the following actions be taken:

Upgrade to the latest version of PHP immediately, after appropriate testing.
Verify no unauthorized system modifications have occurred on system before applying patch.
Apply the principle of Least Privilege to all systems and services.
Remind users not to visit websites or follow links provided by unknown or untrusted sources.

@oerdnj
Owner

oerdnj commented Apr 29, 2018

The only issue that can be remotely triggered is the exif bug in crafted JPGs. And you would need to run a site that processes user-uploaded JPGs. The impact seems to be limited to me.

Nothing else is even remotely close to critical.

@kwidholm-tm

Thank you for the clarification @oerdnj . I trust your analysis on this, and am not sure why the cisecurity.org alert would label these as critical releases.

By going through the changeset, I did seem to feel that most of the other issues (some memory issues and buffer overflow type things) seemed less problematic than labelled.

I appreciate you responding and I will assume the priority on updating the packages will not be high.

Thanks again.

@pesselbach

This is critical. Many forums and gallery scripts are actually using exif_read_data() to get additional data from user uploaded images.

@oerdnj
Owner

oerdnj commented Apr 30, 2018

I am quite sure it’s not: https://nvd.nist.gov/vuln-metrics/cvss
I even doubt it’s HIGH, but I'm not going to make the assessment just to make the point.

I’ll update the packages when I have the time.

@oerdnj
Owner

oerdnj commented May 2, 2018

> This is critical. Many forums and gallery scripts are actually using exif_read_data() to get additional data from user uploaded images.

Also this is not a stack-smashing, just OOB read, so definitely not critical.
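
The two points argued above (that exif_read_data() is commonly called on user uploads, and that the exposure is an out-of-bounds read in the EXIF parser on interpreters older than the releases listed in the advisory) suggest a simple defensive check an application can carry until its packages are updated. The following is an added example, not code from this issue, from the PHP project or from the packaging repository; the constant name, the function names and the decision to treat branches newer than 7.2 as unaffected are this example's own assumptions. The fixed versions are the ones listed in the advisory quoted earlier in the thread.

```php
<?php
// Added example: gate EXIF parsing of untrusted uploads on whether the running
// interpreter already carries the fixes named in this thread.

/**
 * First fixed release per branch, as listed in the CIS advisory quoted above.
 * (Assumption for this example: branches newer than 7.2 are treated as unaffected;
 * branches older than 5.6 are end-of-life and treated as never fixed.)
 */
const PHP_EXIF_FIXED_RELEASES = [
    '7.2' => '7.2.5',
    '7.1' => '7.1.17',
    '7.0' => '7.0.30',
    '5.6' => '5.6.36',
];

/** Return true when $version is at or above the fixed release for its branch. */
function php_exif_fix_present(string $version = PHP_VERSION): bool
{
    $parts  = explode('.', $version);
    $branch = $parts[0] . '.' . ($parts[1] ?? '0');

    if (isset(PHP_EXIF_FIXED_RELEASES[$branch])) {
        return version_compare($version, PHP_EXIF_FIXED_RELEASES[$branch], '>=');
    }
    // Not covered by the advisory: older than 5.6 never received a fix,
    // anything newer than 7.2 shipped after the fix (example's assumption).
    return version_compare($version, '5.6.0', '>=');
}

/**
 * Read EXIF metadata from an uploaded file only when it is reasonably safe to.
 * Returns the EXIF array, or null when parsing was skipped or failed.
 */
function read_upload_exif(string $path, int $maxBytes = 10 * 1024 * 1024): ?array
{
    if (!php_exif_fix_present()) {
        // Unpatched interpreter: skip metadata extraction instead of feeding
        // a possibly crafted JPEG to the vulnerable parser. Log so the gap is visible.
        error_log('exif_read_data skipped: PHP ' . PHP_VERSION . ' predates the fixed release');
        return null;
    }
    if (!is_file($path) || filesize($path) > $maxBytes) {
        return null;
    }
    // Only hand real JPEG/TIFF data to the EXIF parser: decide by content
    // (getimagesize inspects the header), never by the client-supplied name.
    $info = @getimagesize($path);
    $exifTypes = [IMAGETYPE_JPEG, IMAGETYPE_TIFF_II, IMAGETYPE_TIFF_MM];
    if ($info === false || !in_array($info[2], $exifTypes, true)) {
        return null;
    }
    $exif = @exif_read_data($path);
    return $exif === false ? null : $exif;
}

// Usage (constructed): $meta = read_upload_exif($_FILES['photo']['tmp_name']);
// A null result means "no metadata available", which a gallery can live with;
// the upload itself is still stored.
```

The version gate is a stopgap, not a substitute for the package update the maintainer eventually shipped; its value is that a site which cannot update immediately degrades to "no EXIF metadata" rather than parsing untrusted files with an unpatched parser, and the log line makes the condition easy to alert on.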

@oerdnj
Owner

oerdnj commented May 5, 2018

All PHP packages should be updated now.

Sorry for the unusual delay, but it's too beautiful outside to be sitting at the computer :)

@oerdnj oerdnj closed this as completed May 5, 2018
@apotek

apotek commented May 5, 2018

Thank you @oerdnj . I appreciate your efforts so much. 💯

@BrookeDot BrookeDot mentioned this issue Jun 9, 2018