Debian Security Update - php5 AlienVault ID: ENG-107845 Description: An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process. CVE ID: CVE-2018-10545 CVSS: 3.7 Debian Security Update - php5 AlienVault ID: ENG-107845 Description: An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. An infinite loop exists in ext/iconv/iconv.c because the iconv stream filter does not reject invalid multibyte sequences. CVE ID: CVE-2018-10546 CVSS: 3.7 Debian Security Update - php5 AlienVault ID: ENG-107845 Description: An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712. CVE ID: CVE-2018-10547 CVSS: 3.2 Debian Security Update - php5 AlienVault ID: ENG-107845 Description: An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. ext/ldap/ldap.c allows remote LDAP servers to cause a denial of service (NULL pointer dereference and application crash) because of mishandling of the ldap_get_dn return value. CVE ID: CVE-2018-10548 CVSS: 3.7 Debian Security Update - php5 AlienVault ID: ENG-107845 Description: An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character. CVE ID: CVE-2018-10549 CVSS: 5.0 Debian Security Update - php5 AlienVault ID: ENG-107845 Description: In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string. CVE ID: CVE-2018-7584 CVSS: 6.2 Debian Security Update - libgcrypt20 AlienVault ID: ENG-107857 Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. CVE ID: CVE-2018-0495 CVSS: 1.4 Debian Security Update - tiff AlienVault ID: ENG-107838 Description: In LibTIFF 4.0.8, there is a denial of service vulnerability in the TIFFOpen function. A crafted input will lead to a denial of service attack. During the TIFFOpen process, td_imagelength is not checked. The value of td_imagelength can be directly controlled by an input file. In the ChopUpSingleUncompressedStrip function, the _TIFFCheckMalloc function is called based on td_imagelength. If we set the value of td_imagelength close to the amount of system memory, it will hang the system or trigger the OOM killer. CVE ID: CVE-2017-11613 CVSS: 4.3 Debian Security Update - tiff AlienVault ID: ENG-107838 Description: The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF through 4.0.9 allows remote attackers to cause a denial of service (assertion failure and application crash) via a crafted file, a different vulnerability than CVE-2017-13726.= CVE ID: CVE-2018-10963 CVSS: 4.3 Debian Security Update - tiff AlienVault ID: ENG-107838 Description: In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the TIFFSetDirectory function of tif_dir.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted tif file. This occurs because the declared number of directory entries is not validated against the actual number of directory entries. CVE ID: CVE-2018-5784 CVSS: 4.3 Debian Security Update - tiff AlienVault ID: ENG-107838 Description: A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in tif_print.c in LibTIFF 4.0.9 when using the tiffinfo tool to print crafted TIFF information, a different vulnerability than CVE-2017-18013. (This affects an earlier part of the TIFFPrintDirectory function that was not addressed by the CVE-2017-18013 patch.) CVE ID: CVE-2018-7456 CVSS: 4.3 Debian Security Update - tiff AlienVault ID: ENG-107838 Description: In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function LZWDecodeCompat in tif_lzw.c via a crafted TIFF file, as demonstrated by tiff2ps.\ CVE ID: CVE-2018-8905 CVSS: 5.0 Debian Security Update - libsoup2.4 AlienVault ID: ENG-107846 Description: The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname CVE ID: CVE-2018-12910 CVSS: 6.4 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. CVE ID: CVE-2017-5715 CVSS: 4.2 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. CVE ID: CVE-2017-5753 CVSS: 4.2 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: ** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles an SG_IO ioctl on /dev/sg0 with dxfer_direction=SG_DXFER_FROM_DEV and an empty 6-byte cmdp. This may lead to copying up to 1000 kernel heap pages to the userspace. This has been fixed upstream in https://github.com/torvalds/linux/commit/a45b599ad808c3c982fdcdc12b0b8611c2f92824 already. The problem has limited scope, as users don't usually have permissions to access SCSI devices. On the other hand, e.g. the Nero user manual suggests doing `chmod o+r+w /dev/sg*` to make the devices accessible. NOTE: third parties dispute the relevance of this report, noting that the requirement for an attacker to have both the CAP_SYS_ADMIN and CAP_SYS_RAWIO capabilities makes it "virtually impossible to exploit." CVE ID: CVE-2018-1000204 CVSS: 6.3 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: The Linux kernel before version 4.11 is vulnerable to a NULL pointer dereference in fs/cifs/cifsencrypt.c:setup_ntlmv2_rsp() that allows an attacker controlling a CIFS server to kernel panic a client that has this server mounted, because an empty TargetInfo field in an NTLMSSP setup negotiation response is mishandled during session recovery. CVE ID: CVE-2018-1066 CVSS: 5.9 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: A flaw was found in the way Linux kernel KVM hypervisor before 4.18 emulated instructions such as sgdt/sidt/fxsave/fxrstor. It did not check current privilege(CPL) level while emulating unprivileged instructions. An unprivileged guest user/process could use this flaw to potentially escalate privileges inside guest. CVE ID: CVE-2018-10853 CVSS: RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the Linux kernel through 4.15.15 allows attackers to cause a denial of service (out-of-bounds read and system crash) via a crafted ext4 image because balloc.c and ialloc.c do not validate bitmap block numbers. CVE ID: CVE-2018-1093 CVSS: 5.3 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the Linux kernel before 4.16.6 allows local attackers to use a incorrect bounds check in the CDROM driver CDROM_MEDIA_CHANGED ioctl to read out kernel memory. CVE ID: CVE-2018-10940 CVSS: AlienVault Note: Not affected. Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: Linux kernel before version 4.16-rc7 is vulnerable to a null pointer dereference in dccp_write_xmit() function in net/dccp/output.c in that allows a local user to cause a denial of service by a number of certain crafted system calls. CVE ID: CVE-2018-1130 CVSS: 3.6 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: The sr_do_ioctl function in drivers/scsi/sr_ioctl.c in the Linux kernel through 4.16.12 allows local users to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact because sense buffers have different sizes at the CDROM layer and the SCSI layer, as demonstrated by a CDROMREADMODE2 ioctl call. CVE ID: CVE-2018-11506 CVSS: 5.3 Debian Security Update - Linux(Kernel) AlienVault ID: ENG-107854 Description: In the ea_get function in fs/jfs/xattr.c in the Linux kernel through 4.17.1, a memory corruption bug in JFS can be triggered by calling setxattr twice with two different extended attribute names on the same file.