A format string vulnerability was found in php_snmp_error() in ext/snmp/snmp.c, possibly leading to code execution. snmp_object->snmp_errstr is passed directly to zend_throw_exception_ex() without a "%s". Upstream bug: https://bugs.php.net/bug.php?id=71704 Upstream patch: https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
Created php tracking bugs for this issue: Affects: fedora-all [bug 1323112]
php-5.6.20-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
php-5.6.20-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
SNMP is usually only used within LANs, which limits the attack vector. Additionally, this is only an issue if exception processing is enabled for the SNMP object- Mitigation: Do not enable exceptions when using the SNMP object.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2016:2750 https://rhn.redhat.com/errata/RHSA-2016-2750.html