Though it seem like it was just yesterday that PHP 7 was first released (it was actually December 17, 2015), today the seventh incremental update is being released with PHP 7.0.7.
As is the case with a .xy update, this is mostly a bug fix update, with at least 28 different issues being fixed in an effort to make PHP 7.x more stable. Though the PHP project hasn’t identified any specific security vulnerabilities that are fixed in the update, I see at least one with bug #72162.
Use after free condition can be triggered by simple script attached below. It’s caused by call zend_string_release():
#1 0xea66f0 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
#2 0xf72839 in zend_string_release /home/shm/src/php-7.0.6/Zend/zend_string.h:271
#3 0xf773cc in zif_error_reporting /home/shm/src/php-7.0.6/Zend/zend_builtin_functions.c:730
in error_reporting function in case when DateTimeImmutable is supplied to the function. This can be turned in code execution.
That’s kinda/sorta serious and i can see how an attacker could make use of that flaw in chain that could do…bad things. As always, it’s a good move to update, that is if you’re actually running PHP 7.x, which is still fairly new. Many organization I know are waiting for PHP 7.1 before they make the jump.
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist