Debian Security Advisory
DLA-307-1 php5 -- LTS security update
- Date Reported: 07 Sep 2015
- Affected Packages: php5
- Vulnerable: Yes
- Security database references: In Mitre's CVE dictionary: CVE-2015-3307, CVE-2015-3411, CVE-2015-3412, CVE-2015-4021, CVE-2015-4022, CVE-2015-4025, CVE-2015-4026, CVE-2015-4147, CVE-2015-4148, CVE-2015-4598, CVE-2015-4599, CVE-2015-4600, CVE-2015-4601, CVE-2015-4602, CVE-2015-4604, CVE-2015-4605, CVE-2015-4643, CVE-2015-4644, CVE-2015-5589, CVE-2015-5590.
- More information:
- CVE-2015-3307
The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly have unspecified other impact via a crafted tar archive.
- CVE-2015-3411 + CVE-2015-3412
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions).
- CVE-2015-4021
The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive.
- CVE-2015-4022
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow.
- CVE-2015-4025
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
- CVE-2015-4026
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
- CVE-2015-4147
The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a type confusion issue.
- CVE-2015-4148
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a type confusion issue.
- CVE-2015-4598
Incorrect handling of paths with NULs.
- CVE-2015-4599
Type confusion vulnerability in exception::getTraceAsString.
- CVE-2015-4600 + CVE-2015-4601
Added type checks.
- CVE-2015-4602
Type Confusion Infoleak Vulnerability in unserialize() with SoapFault.
- CVE-2015-4604 + CVE-2015-4605
Denial of service when processing a crafted file with Fileinfo (already fixed in CVE-2015-temp-68819.patch).
- CVE-2015-4643
Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in heap overflow).
- CVE-2015-4644
Fixed bug #69667 (segfault in php_pgsql_meta_data).
- CVE-2015-5589
Segfault in Phar::convertToData on invalid file.
- CVE-2015-5590
Buffer overflow and stack smashing error in phar_fix_filepath.
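The NUL-byte entries above (CVE-2015-3411, CVE-2015-3412, CVE-2015-4025, CVE-2015-4026, CVE-2015-4598) come down to one mismatch: a check runs on the full length-aware string while the file operation sees only the bytes before the first \x00. The C sketch below is an added illustration, not code from PHP or from this advisory; `struct lstr`, the function names and the sample file names are all hypothetical and constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Length-aware string: bytes plus explicit length, so it may contain NULs. */
struct lstr { const char *buf; size_t len; };

/* Extension check performed on the full, length-aware value. */
static int has_suffix(struct lstr s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.buf + s.len - n, suffix, n) == 0;
}

/* Length a NUL-terminated consumer (libc, system call) would see. */
static size_t c_view_len(struct lstr s) {
    const char *nul = memchr(s.buf, '\0', s.len);
    return nul ? (size_t)(nul - s.buf) : s.len;
}

/* A path is usable only if both views agree, i.e. no embedded NUL. */
static int path_is_safe(struct lstr s) {
    return c_view_len(s) == s.len;
}

/* Hardened validation: reject embedded NULs before the suffix check. */
static int validate_name(struct lstr s) {
    return path_is_safe(s) && has_suffix(s, ".jpg");
}

int main(void) {
    /* Constructed sample inputs, not taken from any real incident. */
    struct lstr samples[] = {
        { "photo.jpg", 9 },
        { "report.php\0.jpg", 15 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct lstr s = samples[i];
        printf("len=%zu c_view=%.*s suffix_ok=%d accepted=%d\n",
               s.len, (int)c_view_len(s), s.buf,
               has_suffix(s, ".jpg"), validate_name(s));
    }
    return 0;
}
```

The second sample passes the suffix check on its own but is rejected once the two lengths are compared, which is the condition a path-accepting function has to test before handing the buffer to the operating system.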