[Secure-testing-team] Bug#835032: hhvm: Various CVEs (CVE-2014-9709 CVE-2015-8865 CVE-2016-1903 CVE-2016-4070 CVE-2016-4539 CVE-2016-6870 CVE-2016-6871 CVE-2016-6872 CVE-2016-6873 CVE-2016-6874 CVE-2016-6875)

Salvatore Bonaccorso carnil at debian.org
Sun Aug 21 14:25:03 UTC 2016


Source: hhvm
Version: 3.12.1+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerabilities were published for hhvm. The respective
upstream commits can be found in the security-tracker references.

CVE-2014-9709[0]:
| The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used
| in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers
| to cause a denial of service (buffer over-read and application crash)
| via a crafted GIF image that is improperly handled by the
| gdImageCreateFromGif function.

CVE-2015-8865[1]:
| The file_check_mem function in funcs.c in file before 5.23, as used in
| the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and
| 7.x before 7.0.5, mishandles continuation-level jumps, which allows
| context-dependent attackers to cause a denial of service (buffer
| overflow and application crash) or possibly execute arbitrary code via
| a crafted magic file.

CVE-2016-1903[2]:
| The gdImageRotateInterpolated function in
| ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before
| 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain
| sensitive information or cause a denial of service (out-of-bounds read
| and application crash) via a large bgd_color argument to the
| imagerotate function.

CVE-2016-4070[3]:
| ** DISPUTED ** Integer overflow in the php_raw_url_encode function in
| ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x
| before 7.0.5 allows remote attackers to cause a denial of service
| (application crash) via a long string to the rawurlencode function.
| NOTE: the vendor says "Not sure if this qualifies as security issue
| (probably not)."

CVE-2016-4539[4]:
| The xml_parse_into_struct function in ext/xml/xml.c in PHP before
| 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote
| attackers to cause a denial of service (buffer under-read and
| segmentation fault) or possibly have unspecified other impact via
| crafted XML data in the second argument, leading to a parser level of
| zero.

CVE-2016-6870[5]:
incorrect use of strndup

CVE-2016-6871[6]:
Fix buffer overrun due to integer overflow in bcmath

CVE-2016-6872[7]:
Fix integer overflow in StringUtil::implode

CVE-2016-6873[8]:
Fix self recursion in compact

CVE-2016-6874[9]:
Fix recursion checks in array_*_recursive

CVE-2016-6875[10]:
Fix infinite recursion in wddx

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9709
[1] https://security-tracker.debian.org/tracker/CVE-2015-8865
[2] https://security-tracker.debian.org/tracker/CVE-2016-1903
[3] https://security-tracker.debian.org/tracker/CVE-2016-4070
[4] https://security-tracker.debian.org/tracker/CVE-2016-4539
[5] https://security-tracker.debian.org/tracker/CVE-2016-6870
[6] https://security-tracker.debian.org/tracker/CVE-2016-6871
[7] https://security-tracker.debian.org/tracker/CVE-2016-6872
[8] https://security-tracker.debian.org/tracker/CVE-2016-6873
[9] https://security-tracker.debian.org/tracker/CVE-2016-6874
[10] https://security-tracker.debian.org/tracker/CVE-2016-6875

Regards,
Salvatore


