Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-341-1 php5

Debian Security Advisory

DLA-341-1 php5 -- LTS security update

Date Reported:

08 Nov 2015

Affected Packages:

php5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2015-6831, CVE-2015-6832, CVE-2015-6833, CVE-2015-6834, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838, CVE-2015-7803, CVE-2015-7804.

More information:

• CVE-2015-6831

  Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely.

• CVE-2015-6832

  Dangling pointer in the unserialization of ArrayObject items.

• CVE-2015-6833

  Files extracted from archive may be placed outside of destination directory

• CVE-2015-6834

  Use after free vulnerability was found in unserialize() function. We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely.

• CVE-2015-6836

  A type confusion occurs within SOAP serialize_function_call due to an insufficient validation of the headers field. In the SoapClient's __call method, the verify_soap_headers_array check is applied only to headers retrieved from zend_parse_parameters; problem is that a few lines later, soap_headers could be updated or even replaced with values from the __default_headers object fields.

• CVE-2015-6837

  The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that.

• CVE-2015-6838

  The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return NULL pointer and php does not check that.

• CVE-2015-7803

  A NULL pointer dereference flaw was found in the way PHP's Phar extension parsed Phar archives. A specially crafted archive could cause PHP to crash.

• CVE-2015-7804

  An uninitialized pointer use flaw was found in the phar_make_dirstream() function of PHP's Phar extension. A specially crafted phar file in the ZIP format with a directory entry with a file name "/ZIP" could cause a PHP application function to crash.