PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18
namespace conflicts and therefore does not protect applications from the
presence of untrusted client data in the HTTP_PROXY environment variable,
which might allow remote attackers to redirect an application's outbound
HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an
HTTP request, as demonstrated by (1) an application that makes a
getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an
This issue has been fixed in 5.6.24, 5.5.38, and 7.0.9.
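The description above is the "httpoxy" pattern: under CGI and FastCGI, RFC 3875 turns every request header into an HTTP_* meta-variable, so a client-sent "Proxy:" header becomes HTTP_PROXY and any library that calls getenv('HTTP_PROXY') will route its outbound requests through a proxy of the client's choosing. The following PHP is an added example, not code from PHP or from this bug, showing the vulnerable resolver next to a hardened one that only honors HTTP_PROXY in the CLI SAPI (where no request headers reach the environment), plus a check an application can use to log requests that carry a Proxy header. The SAPI names, the helper functions and the sample proxy address are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from PHP or from this bug report). Demonstrates the
// httpoxy pattern: under CGI/FastCGI, RFC 3875 section 4.1.18 maps a
// client-supplied "Proxy:" request header to the HTTP_PROXY meta-variable,
// so getenv('HTTP_PROXY') can return attacker-controlled data.

// Vulnerable pattern: trusts HTTP_PROXY unconditionally, whatever the SAPI.
function proxy_from_env_naive(): ?string
{
    $p = getenv('HTTP_PROXY');
    return ($p === false || $p === '') ? null : $p;
}

// Hardened pattern (the approach taken by affected PHP HTTP clients after
// this fix): honor HTTP_PROXY only when not serving a web request. The
// $sapi parameter is a hypothetical injection point so the behaviour can
// be shown for several SAPIs in one run; real code would use PHP_SAPI.
function proxy_from_env_safe(string $sapi = PHP_SAPI): ?string
{
    if ($sapi !== 'cli') {
        // In any web SAPI, HTTP_PROXY may originate from a "Proxy:" header.
        return null;
    }
    $p = getenv('HTTP_PROXY');
    return ($p === false || $p === '') ? null : $p;
}

// Detection helper for request handlers: legitimate clients never send a
// "Proxy:" header, so its presence in $_SERVER is worth logging and is a
// reason to ignore HTTP_PROXY entirely for this request.
function request_carries_proxy_header(array $server): bool
{
    return isset($server['HTTP_PROXY']);
}

// --- constructed demonstration --------------------------------------------
// Simulate the CGI environment a web server would build for a request that
// contains "Proxy: http://198.51.100.7:8080" (constructed sample address
// from the RFC 5737 TEST-NET-2 range).
putenv('HTTP_PROXY=http://198.51.100.7:8080');
$fakeServer = [
    'REQUEST_METHOD' => 'GET',
    'HTTP_PROXY'     => 'http://198.51.100.7:8080',
];

printf("naive resolver (web SAPI): %s\n", proxy_from_env_naive() ?? 'none');
printf("safe resolver (cgi-fcgi):  %s\n", proxy_from_env_safe('cgi-fcgi') ?? 'none');
printf("safe resolver (cli):       %s\n", proxy_from_env_safe('cli') ?? 'none');
printf("Proxy header present:      %s\n",
    request_carries_proxy_header($fakeServer) ? 'yes' : 'no');

// Clear the simulated variable so it cannot leak into later code.
putenv('HTTP_PROXY');
```

Run it with `php httpoxy_demo.php`: the naive resolver returns the injected address, the hardened resolver returns it only when the SAPI is `cli`, and the header check flags the request. Fixing the library is one layer; the other is stripping the header before it reaches CGI, for example `RequestHeader unset Proxy early` with Apache's mod_headers, or `fastcgi_param HTTP_PROXY "";` in nginx, so that HTTP_PROXY is never populated from a request in the first place.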
*** Bug 589744 has been marked as a duplicate of this bug. ***
(In reply to Hanno Boeck from comment #0)
> The latest PHP updates fix a worrying number of security issues.
> These from the zpstream changelog sound like being security relevant (for
> 7.0.9, but most issues affect all three version trees):
> Fixed bug #72513 (Stack-based buffer overflow vulnerability in
> Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and
> Fixed bug #72541 (size_t overflow lead to heap corruption).
> Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
> Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
> Fixed bug #72519 (imagegif/output out-of-bounds access).
> Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
> Fixed bug #72482 (Ilegal write/read access caused by gdImageAALine overflow).
> Fixed bug #72494 (imagecropauto out-of-bounds access).
> Fixed bug #72533 (locale_accept_from_http out-of-bounds access).
> Fixed bug #72405 (mb_ereg_replace - mbc_to_code (oniguruma) - oob read
> Fixed bug #72399 (Use-After-Free in MBString (search_re)).
> Fixed bug #72551, bug #72552 (Incorrect casting from size_t to int lead to
> heap overflow in mdecrypt_generic).
> Fixed bug #72306 (Heap overflow through proc_open and $env parameter).
> Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow).
> Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
> Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
> Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn
> Fixed bug #72520 (Stack-based buffer overflow vulnerability in
> This one got a bit more public attention.
> Please bump. Not sure if 5.5.x should still be bumped or just declared to be
> deprecated, as it won't receive any further security updates.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
I had some unrelated changes staged that collided with this fix. I've pushed them as dev-lang/php-5.6.24-r1, which you SHOULD NOT stabilize as part of this bug. Brian's dev-lang/php-5.6.24 (no -r1) is safer.
Stable for PPC64.
Stable for HPPA.
Stable on alpha.
PHP 5.5 was removed from the visibility of this bug due to commit c34a770c53d85ea5cd446c2d20af39f33107775b which masked the version:
> # Brian Evans <email@example.com> (22 Aug 2016)
> # PHP 5.5 has reached end of life and will no longer receive security updates.
> # Also include associated packages which do not work on newer versions
> # Removal in 90 days
PHP 5.5 is masked per Thomas' comments and all vulnerable versions removed.
Removing stabilization dependency.