Integer overflow in the NumberFormatter::getSymbol (aka numfmt_get_symbol) function in PHP 5.3.3 and earlier allows context-dependent attackers to cause a denial of service (application crash) via an invalid argument.

Specially crafted strings could cause a buffer overflow in icu (CVE-2011-4599).

An integer overflow in the getSymbol() function could crash applications using icu (CVE-2010-4409)

This update is rereleased because some architectures were missed on the first try. It fixes the following security issues :

  - Specially crafted strings could cause a buffer overflow     in icu. (CVE-2011-4599)

  - An integer overflow in the getSymbol() function could     crash applications using icu (CVE-2010-4409)

According to the web server's banner, the version of HP System Management Homepage (SMH) hosted on the remote host is earlier than 7.0.  As such, it is reportedly affected by the following vulnerabilities :

 - An error exists in the 'generate-id' function in the    bundled libxslt library that can allow disclosure of    heap memory addresses. (CVE-2011-0195)

 - An unspecified input validation error exists and can    allow cross-site request forgery attacks. (CVE-2011-3846)

 - Unspecified errors can allow attackers to carry out    denial of service attacks via unspecified vectors.
   (CVE-2012-0135, CVE-2012-1993)

 - The bundled version of PHP contains multiple    vulnerabilities. (CVE-2010-3436, CVE-2010-4409,    CVE-2010-4645, CVE-2011-1148, CVE-2011-1153,    CVE-2011-1464, CVE-2011-1467, CVE-2011-1468,    CVE-2011-1470, CVE-2011-1471, CVE-2011-1938,    CVE-2011-2202, CVE-2011-2483, CVE-2011-3182,    CVE-2011-3189, CVE-2011-3267, CVE-2011-3268)

 - The bundled version of Apache contains multiple    vulnerabilities. (CVE-2010-1452, CVE-2010-1623,    CVE-2010-2068,  CVE-2010-2791, CVE-2011-0419,    CVE-2011-1928, CVE-2011-3192, CVE-2011-3348,    CVE-2011-3368, CVE-2011-3639)

 - OpenSSL libraries are contained in several of the    bundled components and contain multiple vulnerabilities.
   (CVE-2011-0014, CVE-2011-1468, CVE-2011-1945,    CVE-2011-3207,CVE-2011-3210)

 - Curl libraries are contained in several of the bundled    components and contain multiple vulnerabilities.
   (CVE-2009-0037, CVE-2010-0734, CVE-2011-2192)

The following bug has been fixed :

  - An integer overflow in the getSymbol() function could     crash applications using icu. (CVE-2010-4409)

The following bugs have been fixed :

  - Specially crafted strings could cause a buffer overflow     in icu. (CVE-2011-4599)

  - An integer overflow in the getSymbol() function could     crash applications using icu (CVE-2010-4409)

The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could execute arbitrary code, obtain       sensitive information from process memory, bypass intended access       restrictions, or cause a Denial of Service in various ways.
    A remote attacker could cause a Denial of Service in various ways,       bypass spam detections, or bypass open_basedir restrictions.
  Workaround :

    There is no known workaround at this time.

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.7.

Mac OS X 10.6.7 contains security fixes for the following products :

  - AirPort
  - Apache
  - AppleScript
  - ATS
  - bzip2
  - CarbonCore
  - ClamAV
  - CoreText
  - File Quarantine
  - HFS
  - ImageIO
  - Image RAW
  - Installer
  - Kerberos
  - Kernel
  - Libinfo
  - libxml
  - Mailman
  - PHP
  - QuickLook
  - QuickTime
  - Ruby
  - Samba
  - Subversion
  - Terminal
  - X11

Versions of Mac OS X 10.6 earlier than 10.6.7 are potentially affected by a security issue.  Mac OS X 10.6.7 contains a security fix for the following products :

  - Airport

  - Apache

  - AppleScript

  - ATS

  - bzip2

  - CarbonCore

  - ClamAV

  - CoreText

  - HFS

  - ImageIO

  - Image RAW

  - Installer

  - Kerberos

  - Kernel

  - Libinfo

  - libxml

  - Mailman

  - PHP

  - QuickLook

  - QuickTime

  - Ruby

  - Samba

  - Subversion

  - Terminal

  - X11
IAVB Reference : 2010-B-0083
STIG Finding Severity : Category II

Versions of Mac OS X 10.6 earlier than 10.6.7 are potentially affected by a security issue.  Mac OS X 10.6.7 contains a security fix for the following products :

  - Airport

  - Apache

  - AppleScript

  - ATS

  - bzip2

  - CarbonCore

  - ClamAV

  - CoreText

  - HFS

  - ImageIO

  - Image RAW

  - Installer

  - Kerberos

  - Kernel

  - Libinfo

  - libxml

  - Mailman

  - PHP

  - QuickLook

  - QuickTime

  - Ruby

  - Samba

  - Subversion

  - Terminal

  - X11

It was discovered that an integer overflow in the XML UTF-8 decoding code could allow an attacker to bypass cross-site scripting (XSS) protections. This issue only affected Ubuntu 6.06 LTS, Ubuntu 8.04 LTS, and Ubuntu 9.10. (CVE-2009-5016)

It was discovered that the XML UTF-8 decoding code did not properly handle non-shortest form UTF-8 encoding and ill-formed subsequences in UTF-8 data, which could allow an attacker to bypass cross-site scripting (XSS) protections. (CVE-2010-3870)

It was discovered that attackers might be able to bypass open_basedir() restrictions by passing a specially crafted filename.
(CVE-2010-3436)

Maksymilian Arciemowicz discovered that a NULL pointer derefence in the ZIP archive handling code could allow an attacker to cause a denial of service through a specially crafted ZIP archive. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3709)

It was discovered that a stack consumption vulnerability in the filter_var() PHP function when in FILTER_VALIDATE_EMAIL mode, could allow a remote attacker to cause a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-3710)

It was discovered that the mb_strcut function in the Libmbfl library within PHP could allow an attacker to read arbitrary memory within the application process. This issue only affected Ubuntu 10.10.
(CVE-2010-4156)

Maksymilian Arciemowicz discovered that an integer overflow in the NumberFormatter::getSymbol function could allow an attacker to cause a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 10.10. (CVE-2010-4409)

Rick Regan discovered that when handing PHP textual representations of the largest subnormal double-precision floating-point number, the zend_strtod function could go into an infinite loop on 32bit x86 processors, allowing an attacker to cause a denial of service.
(CVE-2010-4645).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Enhancements and Fixes in PHP 5.3.4 :

  - Fixed crash in zip extract method (possible CWE-170).

    - Paths with NULL in them (foo\0bar.txt) are now       considered as invalid (CVE-2006-7243).

    - Fixed a possible double free in imap extension       (Identified by Mateusz Kocielski). (CVE-2010-4150).

    - Fixed NULL pointer dereference in       ZipArchive::getArchiveComment. (CVE-2010-3709).

    - Fixed possible flaw in open_basedir (CVE-2010-3436).

    - Fixed MOPS-2010-24, fix string validation.
      (CVE-2010-2950).

    - Fixed symbolic resolution support when the target is a       DFS share.

    - Fixed bug #52929 (Segfault in filter_var with       FILTER_VALIDATE_EMAIL with large amount of data)       (CVE-2010-3710).

Key Bug Fixes in PHP 5.3.4 include :

  - Added stat support for zip stream.

    - Added follow_location (enabled by default) option for       the http stream support.

    - Added a 3rd parameter to get_html_translation_table.
      It now takes a charset hint, like htmlentities et al.

    - Implemented FR #52348, added new constant       ZEND_MULTIBYTE to detect zend multibyte at runtime.

Full upstream Changelog : http://www.php.net/ChangeLog-5.php#5.3.4

This update also provides php-eaccelerator and maniadrive packages rebuild against update php.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is a maintenance and security update that upgrades php to 5.3.4 for 2010.0/2010.1.

Security Enhancements and Fixes in PHP 5.3.4 :

  - Paths with NULL in them (foo\0bar.txt) are now     considered as invalid (CVE-2006-7243).

  - Fixed bug #53512 (NumberFormatter::setSymbol crash on     bogus values) (CVE-2010-4409)

Please note that CVE-2010-4150, CVE-2010-3870, CVE-2010-3436, CVE-2010-3709, CVE-2010-3710 were fixed in previous advisories.

Key Bug Fixes in PHP 5.3.4 include :

  - Added stat support for zip stream.

    - Added follow_location (enabled by default) option for       the http stream support.

  - Added a 3rd parameter to get_html_translation_table. It     now takes a charset hint, like htmlentities et al.

  - Implemented FR #52348, added new constant ZEND_MULTIBYTE     to detect zend multibyte at runtime.

  - Multiple improvements to the FPM SAPI.

    - Over 100 other bug fixes.

Additional post 5.3.4 fixes :

  - Fixed bug #53517 (segfault in pgsql_stmt_execute() when     postgres is down).

  - Fixed bug #53541 (format string bug in ext/phar).

Additionally some of the PECL extensions has been upgraded and/or rebuilt for the new php version.

According to its banner, the version of PHP 5.3 installed on the remote host is older than 5.3.4.  Such versions may be affected by several security issues :

  - A crash in the zip extract method.

  - A stack-based buffer overflow in impagepstext()     of the GD extension.

  - An unspecified vulnerability related to     symbolic resolution when using a DFS share.

  - A security bypass vulnerability related     to using pathnames containing NULL bytes.
    (CVE-2006-7243)

  - Multiple format string vulnerabilities.
    (CVE-2010-2094, CVE-2010-2950)

  - An unspecified security bypass vulnerability     in open_basedir(). (CVE-2010-3436)

  - A NULL pointer dereference in     ZipArchive::getArchiveComment. (CVE-2010-3709)

  - Memory corruption in php_filter_validate_email().
    (CVE-2010-3710)

  - An input validation vulnerability in     xml_utf8_decode(). (CVE-2010-3870)

  - A possible double free in the IMAP extension.
    (CVE-2010-4150)

  - An information disclosure vulnerability in     'mb_strcut()'. (CVE-2010-4156)

  - An integer overflow vulnerability in 'getSymbol()'.
    (CVE-2010-4409)

  - A use-after-free vulnerability in the Zend engine when     a '__set()', '__get()', '__isset()' or '__unset()'     method is called can allow for a denial of service     attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the     'imagepstext()' function in the GD extension. (Bug     #53492 / CVE-2010-4698)

  - The 'iconv_mime_decode_headers()' function in the iconv     extension fails to properly handle encodings that are     not recognized by the iconv and mbstring     implementations. (Bug #52941 / CVE-2010-4699)

  - The 'set_magic_quotes_runtime()' function when the     MySQLi extension is used does not properly interact     with the 'mysqli_fetch_assoc()' function. (Bug #52221 /     CVE-2010-4700)

  - A race condition exists in the PCNTL extension.
    (CVE-2011-0753)

  - The SplFileInfo::getType function in the Standard PHP     Library extension does not properly detect symbolic     links. (CVE-2011-0754)

  - An integer overflow exists in the mt_rand function.
    (CVE-2011-0755)

According to its banner the version of PHP installed on the remote host is 5.3.x earlier than 5.3.4.  Such versions are potentially affected by multiple vulnerabilities :

  - A crash in the zip extract method.

  - A stack buffer overflow in impagepstext() of the GD extension.

  - An unspecified vulnerability related to symbolic resolution when using a DFS share.

  - A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)

  - Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)

  - An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)

  - A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)

  - Memory corruption in php_filter_validate_email(). (CVE-2010-3710)

  - An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)

  - A possible double free in the IMAP extension. (CVE-2010-4150)
  - An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)

  - An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)

  - A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)

  - A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)

  - The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)

  - The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)

  - A race condition exists in the PCNTL extension. (CVE-2011-0753)

  - The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)

  - An integer overflow exists in the mt_rand function. (CVE-2011-0755)

According to its banner the version of PHP installed on the remote host is 5.3.x earlier than 5.3.4.  Such versions are potentially affected by multiple vulnerabilities :

  - A crash in the zip extract method.
  - A stack buffer overflow in impagepstext() of the GD extension.
  - An unspecified vulnerability related to symbolic resolution when using a DFS share.
  - A security bypass vulnerability related to using pathnames containing NULL bytes. (CVE-2006-7243)
  - Multiple format string vulnerabilities. (CVE-2010-2094, CVE-2010-2950)
  - An unspecified security bypass vulnerability in open_basedir(). (CVE-2010-3436)
  - A NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709)
  - Memory corruption in php_filter_validate_email(). (CVE-2010-3710)
  - An input validation vulnerability in xml_utf8_decode(). (CVE-2010-3870)
  - A possible double free in the IMAP extension. (CVE-2010-4150)
  - An information disclosure vulnerability in 'mb_strcut()'. (CVE-2010-4156)
  - An integer overflow vulnerability in 'getSymbol()'. (CVE-2010-4409)
  - A use-after-free vulnerability in the Zend engine when a '__set()', '__get()', '__isset()' or '__unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)
  - A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug #53492 / CVE-2010-4698)
  - The 'iconv_mime_decode_headers()' function in the iconv extension fails to properly handle encodings that are not recognized by the iconv and mbstring implementations. (Bug #52941 / CVE-2010-4699)
  - The 'set_magic_quotes_runtime()' function when the MySQLi extension is used does not properly interact with the 'mysqli_fetch_assoc()' function. (Bug #52221 / CVE-2010-4700)
  - A race condition exists in the PCNTL extension. (CVE-2011-0753)
  - The SplFileInfo::getType function in the Standard PHP Library extension does not properly detect symbolic links. (CVE-2011-0754)
  - An integer overflow exists in the mt_rand function. (CVE-2011-0755)

ID	Name	Product	Family	Severity
75866	openSUSE Security Update : icu (openSUSE-SU-2012:0100-1)	Nessus	SuSE Local Security Checks	high
75530	openSUSE Security Update : icu (openSUSE-SU-2012:0100-1)	Nessus	SuSE Local Security Checks	high
74743	openSUSE Security Update : icu (openSUSE-2012-57)	Nessus	SuSE Local Security Checks	medium
64157	SuSE 11.2 Security Update : icu (SAT Patch Number 7204)	Nessus	SuSE Local Security Checks	high
58811	HP System Management Homepage < 7.0 Multiple Vulnerabilities	Nessus	Web Servers	critical
57614	SuSE 10 Security Update : icu (ZYPP Patch Number 7928)	Nessus	SuSE Local Security Checks	medium
57613	SuSE 11.1 Security Update : icu (SAT Patch Number 5653)	Nessus	SuSE Local Security Checks	high
56459	GLSA-201110-06 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
52754	Mac OS X 10.6.x < 10.6.7 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
800796	Mac OS X 10.6 < 10.6.7 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	high
5826	Mac OS X 10.6 < 10.6.7 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
51502	Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : php5 vulnerabilities (USN-1042-1)	Nessus	Ubuntu Local Security Checks	medium
51413	Fedora 13 : maniadrive-1.2-23.fc13 / php-5.3.4-1.fc13.1 / php-eaccelerator-0.9.6.1-3.fc13 (2010-19011)	Nessus	Fedora Local Security Checks	medium
51412	Fedora 14 : maniadrive-1.2-23.fc14 / php-5.3.4-1.fc14.1 / php-eaccelerator-0.9.6.1-3.fc14 (2010-18976)	Nessus	Fedora Local Security Checks	medium
51196	Mandriva Linux Security Advisory : php (MDVSA-2010:254)	Nessus	Mandriva Local Security Checks	medium
51140	PHP 5.3 < 5.3.4 Multiple Vulnerabilities	Nessus	CGI abuses	medium
801074	PHP 5.3 < 5.3.4 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
5732	PHP 5.3.x < 5.3.4 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high

Detections

Analytics

CVE-2010-4409

high

Tenable Plugins

high

high

medium

high

critical

medium

high

critical

high

high

critical

medium

medium

medium

medium

medium

high

high