Summary: | <dev-lang/php-{5.4.39,5.5.23,5.6.7}: Multiple vulnerabilities (CVE-2015-{0231,2305,2331,2348,2787,4147,4148}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tomáš Mózes <hydrapolic> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | php-bugs, toto |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://php.net/archive/2015.php#id2015-03-20-1 | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tomáš Mózes
2015-03-23 06:29:52 UTC
@php team: could we stabilize?

(In reply to Agostino Sarubbo from comment #1)
> @php team: could we stabilize?

Yep. Terribly sorry for not notifying about this when I made the bump.

Arches, please test and mark stable:
=dev-lang/php-5.4.39
=dev-lang/php-5.5.23
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 stable

Stable for HPPA.

x86 stable

sparc stable

alpha stable

ppc64 stable

arm stable

CVE-2015-2331 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2331): Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.

CVE-2015-2305 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2305): Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.

CVE-2015-0231 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0231): Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.

Ping on stabilization for ia64 and ppc.

ia64 stable

ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

cleanup done

Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.

CVE-2015-4148 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4148): The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.

CVE-2015-4147 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4147): The SoapClient::__call method in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that __default_headers is an array, which allows remote attackers to execute arbitrary code by providing crafted serialized data with an unexpected data type, related to a "type confusion" issue.

CVE-2015-2787 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2787): Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.

CVE-2015-2348 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2348): The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.

This issue was resolved and addressed in GLSA 201606-10 at https://security.gentoo.org/glsa/201606-10 by GLSA coordinator Kristian Fiskerstrand (K_F).
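
The CVE-2015-2348 entry above describes a length-counted pathname being truncated at a \x00 byte by a NUL-terminated C API. The C code below is an added example, not code from PHP or from this bug report: it contrasts a suffix-only check with one that rejects embedded NUL bytes. The struct, the function names and the sample paths are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length-counted string, as a scripting runtime stores it (hypothetical type). */
struct counted_str { const char *bytes; size_t len; };

/* Suffix test over all len bytes: what an application-level extension check sees. */
static int has_suffix(struct counted_str s, const char *suffix) {
    size_t n = strlen(suffix);
    return s.len >= n && memcmp(s.bytes + s.len - n, suffix, n) == 0;
}

/* Length a NUL-terminated C file API would use for the same buffer. */
static size_t c_visible_len(struct counted_str s) {
    const char *nul = memchr(s.bytes, '\0', s.len);
    return nul ? (size_t)(nul - s.bytes) : s.len;
}

/* Weak form: trusts the suffix check alone. */
int dest_ok_suffix_only(struct counted_str s, const char *suffix) {
    return has_suffix(s, suffix);
}

/* Hardened form: refuse any path whose counted and C-visible lengths differ. */
int dest_ok_checked(struct counted_str s, const char *suffix) {
    if (s.len == 0 || c_visible_len(s) != s.len)
        return 0;
    return has_suffix(s, suffix);
}

int main(void) {
    /* Constructed sample inputs, not taken from the bug report. */
    struct counted_str nul_path = { "notes.txt\0.png", 14 };
    struct counted_str clean_path = { "photo.png", 9 };

    printf("suffix-only accepts NUL path: %d\n", dest_ok_suffix_only(nul_path, ".png"));
    printf("C API would see %zu of %zu bytes\n", c_visible_len(nul_path), nul_path.len);
    printf("checked accepts NUL path:     %d\n", dest_ok_checked(nul_path, ".png"));
    printf("checked accepts clean path:   %d\n", dest_ok_checked(clean_path, ".png"));
    return 0;
}
```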