[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 341-1] php5 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : php5
Version        : 5.3.3.1-7+squeeze28
CVE ID         : CVE-2015-6831 CVE-2015-6832 CVE-2015-6833 CVE-2015-6834
                 CVE-2015-6836 CVE-2015-6837 CVE-2015-6838 CVE-2015-7803
                 CVE-2015-7804

   * CVE-2015-6831
     Use after free vulnerability was found in unserialize() function.
     We can create ZVAL and free it via Serializable::unserialize.
     However the unserialize() will still allow to use R: or r: to set
     references to that already freed memory. It is possible to
     use-after-free attack and execute arbitrary code remotely.
   * CVE-2015-6832
     Dangling pointer in the unserialization of ArrayObject items.
   * CVE-2015-6833
     Files extracted from archive may be placed outside of destination
     directory
   * CVE-2015-6834
     Use after free vulnerability was found in unserialize() function.
     We can create ZVAL and free it via Serializable::unserialize.
     However the unserialize() will still allow to use R: or r: to set
     references to that already freed memory. It is possible to
     use-after-free attack and execute arbitrary code remotely.
   * CVE-2015-6836
     A type confusion occurs within SOAP serialize_function_call due
     to an insufficient validation of the headers field.
     In the SoapClient's __call method, the verify_soap_headers_array
     check is applied only to headers retrieved from
     zend_parse_parameters; problem is that a few lines later,
     soap_headers could be updated or even replaced with values from
     the __default_headers object fields.
   * CVE-2015-6837
     The XSLTProcessor class misses a few checks on the input from the
     libxslt library. The valuePop() function call is able to return
     NULL pointer and php does not check that.
   * CVE-2015-6838
     The XSLTProcessor class misses a few checks on the input from the
     libxslt library. The valuePop() function call is able to return
     NULL pointer and php does not check that.
   * CVE-2015-7803
     A NULL pointer dereference flaw was found in the way PHP's Phar
     extension parsed Phar archives. A specially crafted archive could
     cause PHP to crash.
   * CVE-2015-7804
     An uninitialized pointer use flaw was found in the
     phar_make_dirstream() function of PHP's Phar extension.
     A specially crafted phar file in the ZIP format with a directory
     entry with a file name "/ZIP" could cause a PHP application
     function to crash.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQJ8BAEBCgBmBQJWP5moXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHsRIQAMAW1tvfqL0Y29nvUkYwiht6
XVDVoTxfpa8BfpmJR3WfIMbC+YoseEU/RjyKfThoPEZIClMRE794R6VdquHqNs0j
ENDE9L4UTvEX7WEIJ1QEtGSegUH5gbdVCFQUD7AL5KR/qaNt+qk4tflLuSN2QUkP
7k/7Nq2Xhekd+wNgIA9kCSYQ6DGpkMk2CKNacwIzw1I3s1esfZee/m6fdG5BbYLU
NjFEcYHXo1EevUZYPjSPVUfCqILGNB1ws85wQiaMOxzL3ZtyNnbigd7pTdOOCwgH
qob04VyBucaBLak29wGGVfHMOaTxKT/olrCpEaS8drSlliZNxs8UaDvrJ4KAsGjI
dzhx0YXQskeuODEiaFnw27Hpg5ZzzWRiTUkho0jHTtkCE7p9f+lmyjFy4+2C7Gvr
t9m1mtw9k4MNpXaR+ZEoiTjSHbFchmDkuL5mDJ/H88ly28MwP+RvKw2q6qeqyYA6
LklRPQYDwyXQv0EQGYBmH/tCaM0/DSgRdy77YO3EhAW5ZFD5LrMICiHbkMRb5hlP
WyVFaBOR2Kced35jnxqoOGl1Irfok173hdunDRfYTPX7focd/j4tKUEfbtu6r6yf
xDqSF3ZXSMvNjhLSPW4OvFbZHIqVCdImX1wrKjvZ7TgFy+uqdJIlEOOa6bxny4SY
sU4sOVUF7zJItxFH+aY8
=lJgA
-----END PGP SIGNATURE-----


Reply to: