Release: PHP 7.0.15, 7.1.1, 5.6.30

PHP has released security updates for versions 7, 7.1, and 5.6. Since these are security releases, it is HIGHLY recommended you update to them. I also heavily recommend you update to them as there are some odd bugs fixed in earlier versions for rare cases that could cause hangs or segfaults (crashes) where minor coding errors are made.

Highlights for Version 5.6.30

  • An issue was fixed where a TIFF or JPEG with a malicious or invalid metadata tag can cause PHP to terminate prematurely on Intel CPUs (not necessarily a security issue but could break some code)
  • Fixed use-after-free memory access for images passed as an input argument to a GD image output function
  • Fixed a DoS vulnerability in gdImageCreateFromGd2Ctx()
  • Fixed integer overflow in gd_io.c
  • Fixed an issue where a hostile or corrupt compressed PHAR file could leak memory, corrupt memory, or crash PHP
  • Fixed issue where, under certain cases, a hostile serialized string could be used to access freed memory (use-after-free)
  • Fixed an issue where a hostile serialized string can read out-of-bounds memory

While some of these issues require specific cases, there also appear to be some easily exploited security issues where input is not properly sanitized, as well as some possible image upload security issues.

http://php.net/ChangeLog-5.php#5.6.30

Highlights for Version 7.0.15

  • Fixed a few of the same serialized string issues fixed in version 5.6.30
  • Fixed issue where for each value parameter passed back as reference where no reference exists causes a crash
  • Fixed issue where unpacked arrays do not properly advance using next()
  • Fixed null pointer dereference under certain conditions when unpacking serialized object
  • Fixed an issue where, with maliciously crafted code, a read-after-free can occur with the properties storage table when unserializing objects which could allow an attacker to execute arbitrary code
  • Fixed the same GD and EXIF metadata issues that were fixed in version 5.6.30
  • Fixed memory leak in preg_*() regular expression functions
  • Fixed same PHAR issues that were fixed in version 5.6.30
  • Fixed reflection class stored as object property not being properly freed/destroyed when the class is destroyed (memory leak)
  • Fixed crash where object with __sleep() method is serialized
  • Fixed issue where get_browser() runs slow/longer under certain conditions or loading browscap.ini uses a lot of memory at startup
  • Fixed issue where get_defined_functions() returned functions that were disabled via settings/php.ini

Essentially, __wakeup and serialized strings and objects have become a target for hostile intent. This is a fairly large security issue since many libraries and CMSes use serialized data and many pieces of code utilize the wakeup method, even if an attack depends on certain conditions which may not occur very often.

http://php.net/ChangeLog-7.php#7.0.15
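Since the serialized-string fixes above all involve hostile input reaching unserialize(), here is an added example (not from the PHP changelog or this post's original text) of keeping unauthenticated bytes away from the parser and preventing __wakeup() from running. APP_KEY, pack_state() and unpack_state() are hypothetical names, and the allowed_classes option requires PHP 7.0 or later, so it does not apply to the 5.6 branch.

```php
<?php
// Added example: authenticate serialized data before it reaches unserialize().
// APP_KEY, pack_state() and unpack_state() are hypothetical names.

const APP_KEY = 'replace-with-a-random-32-byte-secret'; // constructed placeholder

function pack_state(array $state): string
{
    $blob = serialize($state);
    $mac  = hash_hmac('sha256', $blob, APP_KEY);
    return $mac . '.' . base64_encode($blob);
}

function unpack_state(string $token)
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $b64) = $parts;
    $blob = base64_decode($b64, true);
    if ($blob === false) {
        return null;
    }
    // Constant-time MAC check: modified bytes are rejected before the
    // unserialize() parser ever sees them.
    if (!hash_equals(hash_hmac('sha256', $blob, APP_KEY), $mac)) {
        return null;
    }
    // allowed_classes => false (PHP 7.0+) turns any object in the data into
    // __PHP_Incomplete_Class, so no application class __wakeup() is invoked.
    $state = unserialize($blob, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

// Constructed sample input: a valid token produced by this application.
$token = pack_state(['user_id' => 42, 'theme' => 'dark']);
var_dump(unpack_state($token));

// Constructed tampered token: payload replaced with a serialized object,
// original MAC kept, so verification fails and nothing is unserialized.
$forged = explode('.', $token)[0] . '.' . base64_encode('O:8:"stdClass":0:{}');
var_dump(unpack_state($forged));
```

Where the data does not need PHP-specific types, storing it as JSON avoids unserialize() entirely.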

Highlights for Version 7.1.1

  • The majority of the same issues fixed in 7.0.15 were also fixed in this version

Since 7.1 shares a very similar codebase to 7.0.x, there were not any additional bugs that stood out to me other than those that were fixed as part of version 7.0.15 that were also fixed in this version.

http://php.net/ChangeLog-7.php#7.1.1
