Debian Security Advisory

DLA-341-1 php5 -- LTS security update

Date Reported:
08 Nov 2015
Affected Packages:
php5
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2015-6831, CVE-2015-6832, CVE-2015-6833, CVE-2015-6834, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838, CVE-2015-7803, CVE-2015-7804.
More information:
  • CVE-2015-6831

    Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely.

  • CVE-2015-6832

    Dangling pointer in the unserialization of ArrayObject items.

  • CVE-2015-6833

    Files extracted from archive may be placed outside of destination directory

  • CVE-2015-6834

    Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely.

  • CVE-2015-6836

    A type confusion occurs within SOAP serialize_function_call due to an insufficient validation of the headers field. In the SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields.

  • CVE-2015-6837

    The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that.

  • CVE-2015-6838

    The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that.

  • CVE-2015-7803

    A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash.

  • CVE-2015-7804

    An uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name "/ZIP" could cause a PHP application function to crash.