[SECURITY] [DLA 341-1] php5 security update
Package : php5
Version : 5.3.3.1-7+squeeze28
CVE ID  : CVE-2015-6831 CVE-2015-6832 CVE-2015-6833 CVE-2015-6834
          CVE-2015-6836 CVE-2015-6837 CVE-2015-6838 CVE-2015-7803
          CVE-2015-7804
* CVE-2015-6831
A use-after-free vulnerability was found in the unserialize() function.
A ZVAL can be created and then freed via Serializable::unserialize.
However, unserialize() still allows R: or r: to be used to set
references to that already freed memory. This makes a use-after-free
attack possible, allowing arbitrary code to be executed remotely.
* CVE-2015-6832
Dangling pointer in the unserialization of ArrayObject items.
* CVE-2015-6833
Files extracted from an archive may be placed outside of the
destination directory.
* CVE-2015-6834
A use-after-free vulnerability was found in the unserialize() function.
A ZVAL can be created and then freed via Serializable::unserialize.
However, unserialize() still allows R: or r: to be used to set
references to that already freed memory. This makes a use-after-free
attack possible, allowing arbitrary code to be executed remotely.
* CVE-2015-6836
A type confusion occurs within SOAP serialize_function_call due
to insufficient validation of the headers field.
In the SoapClient's __call method, the verify_soap_headers_array
check is applied only to headers retrieved from
zend_parse_parameters; the problem is that a few lines later,
soap_headers can be updated or even replaced with values from
the __default_headers object fields.
* CVE-2015-6837
The XSLTProcessor class is missing a few checks on the input from
the libxslt library. The valuePop() function call can return a
NULL pointer, and PHP does not check for that.
* CVE-2015-6838
The XSLTProcessor class is missing a few checks on the input from
the libxslt library. The valuePop() function call can return a
NULL pointer, and PHP does not check for that.
* CVE-2015-7803
A NULL pointer dereference flaw was found in the way PHP's Phar
extension parsed Phar archives. A specially crafted archive could
cause PHP to crash.
* CVE-2015-7804
An uninitialized pointer use flaw was found in the
phar_make_dirstream() function of PHP's Phar extension.
A specially crafted phar file in the ZIP format with a directory
entry with a file name "/ZIP" could cause a PHP application
function to crash.
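
For triage of CVE-2015-6831 and CVE-2015-6834, the following added example (not part of the original advisory or of PHP) walks PHP serialize() data structurally and counts Serializable (C:) objects, plain objects (O:) and R:/r: references, so that look-alike text inside string values is not counted. It assumes only the types N, b, i, d, s, a, O, C, R and r occur; the sample input is constructed and the class name Foo is hypothetical.

```python
SAMPLE = b'a:2:{i:0;C:3:"Foo":4:{N;N;}i:1;R:2;}'  # constructed sample; Foo is hypothetical

def _expect(data, pos, lit):
    if data[pos:pos + len(lit)] != lit:
        raise ValueError(f"expected {lit!r} at offset {pos}")
    return pos + len(lit)

def _int(data, pos, term):
    end = data.find(term, pos)  # decimal integer ending at delimiter `term`
    if end < 0 or not data[pos:end].isdigit():
        raise ValueError(f"bad number at offset {pos}")
    return int(data[pos:end]), end + len(term)

def _quoted(data, pos):
    n, pos = _int(data, pos, b':"')       # <len>:"<bytes>", len counts bytes
    return _expect(data, pos + n, b'"')   # content is skipped, never searched

def _value(data, pos, found):
    kind = data[pos:pos + 1]
    if kind == b"N":
        return _expect(data, pos + 1, b";")
    pos = _expect(data, pos + 1, b":")
    if kind in (b"b", b"i", b"d"):        # scalar: skip to its ';'
        return _expect(data, max(data.find(b";", pos), pos), b";")
    if kind in (b"R", b"r"):              # back-reference to an earlier slot
        found[kind.decode()] += 1
        return _int(data, pos, b";")[1]
    if kind == b"s":
        return _expect(data, _quoted(data, pos), b";")
    if kind == b"C":                      # class implementing Serializable
        found["C"] += 1
        n, pos = _int(data, _expect(data, _quoted(data, pos), b":"), b":{")
        return _expect(data, pos + n, b"}")  # n-byte payload left opaque
    if kind in (b"a", b"O"):
        if kind == b"O":
            found["O"] += 1
            pos = _expect(data, _quoted(data, pos), b":")
        n, pos = _int(data, pos, b":{")
        for _ in range(2 * n):            # n key/value pairs
            pos = _value(data, pos, found)
        return _expect(data, pos, b"}")
    raise ValueError(f"unknown type {kind!r} at offset {pos}")

def scan(data: bytes) -> dict:
    """Count C:/O: objects and R:/r: references that occur structurally."""
    found = {"C": 0, "O": 0, "R": 0, "r": 0}
    if _value(data, 0, found) != len(data):
        raise ValueError("trailing bytes after value")
    return found
```

The payload of a C: object is left opaque, so references nested inside it are not counted; malformed input raises ValueError.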