Debian-LTS alert DLA-341-1 (php5)
From: Thorsten Alteholz <debian@alteholz.de>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 341-1] php5 security update
Date: Sun, 8 Nov 2015 19:51:20 +0100 (CET)
Message-ID: <alpine.DEB.2.02.1511081950130.11641@jupiter.server.alteholz.net>

Package        : php5
Version        : 5.3.3.1-7+squeeze28
CVE ID         : CVE-2015-6831 CVE-2015-6832 CVE-2015-6833 CVE-2015-6834
                 CVE-2015-6836 CVE-2015-6837 CVE-2015-6838 CVE-2015-7803
                 CVE-2015-7804

  * CVE-2015-6831
    A use-after-free vulnerability was found in the unserialize() function.
    A ZVAL can be created and then freed via Serializable::unserialize.
    However, unserialize() will still allow R: or r: to set references
    to that already freed memory. This makes a use-after-free attack
    possible, allowing arbitrary code to be executed remotely.

  * CVE-2015-6832
    Dangling pointer in the unserialization of ArrayObject items.

  * CVE-2015-6833
    Files extracted from an archive may be placed outside of the
    destination directory.

  * CVE-2015-6834
    A use-after-free vulnerability was found in the unserialize() function.
    A ZVAL can be created and then freed via Serializable::unserialize.
    However, unserialize() will still allow R: or r: to set references
    to that already freed memory. This makes a use-after-free attack
    possible, allowing arbitrary code to be executed remotely.

  * CVE-2015-6836
    A type confusion occurs within SOAP serialize_function_call due to
    insufficient validation of the headers field. In the SoapClient's
    __call method, the verify_soap_headers_array check is applied only
    to headers retrieved from zend_parse_parameters; the problem is that
    a few lines later, soap_headers could be updated or even replaced
    with values from the __default_headers object fields.

  * CVE-2015-6837
    The XSLTProcessor class misses a few checks on the input from the
    libxslt library. The valuePop() function call can return a NULL
    pointer and PHP does not check for that.

  * CVE-2015-6838
    The XSLTProcessor class misses a few checks on the input from the
    libxslt library. The valuePop() function call can return a NULL
    pointer and PHP does not check for that.

  * CVE-2015-7803
    A NULL pointer dereference flaw was found in the way PHP's Phar
    extension parsed Phar archives. A specially crafted archive could
    cause PHP to crash.

  * CVE-2015-7804
    An uninitialized pointer use flaw was found in the
    phar_make_dirstream() function of PHP's Phar extension.
    A specially crafted phar file in the ZIP format with a directory
    entry with a file name "/ZIP" could cause a PHP application
    function to crash.
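
As an added example (not part of the advisory or of PHP itself), here is a strict pre-check related to the unserialize() issues in CVE-2015-6831 and CVE-2015-6834: it accepts only scalar and array tokens, so input carrying the R:/r: reference tokens or the C: token used by Serializable classes is rejected before it reaches unserialize(). The function names is_plain_serialized and plain_value, the nesting limit of 32 and the sample strings are assumptions made for this example.

```php
<?php
// Added example, not code from the advisory or from the PHP project.
// Hypothetical helper: true only when $data is one complete serialized value
// built from N, b, i, d, s and a tokens. O:, C:, R: and r: fail closed.
function is_plain_serialized($data)
{
    $pos = 0;
    return is_string($data) && plain_value($data, $pos, 0) && $pos === strlen($data);
}

function plain_value($data, &$pos, $depth)
{
    // Scalars: null, bool, int, float (INF and NAN are rejected for simplicity).
    $scalar = '/\G(?:N;|b:[01];|i:-?\d{1,19};|d:-?\d+(?:\.\d+)?(?:E[+-]?\d+)?;)/';
    if (preg_match($scalar, $data, $m, 0, $pos)) {
        $pos += strlen($m[0]);
        return true;
    }
    // Strings: skip exactly the declared byte length, then require the closing ";
    if (preg_match('/\Gs:(\d{1,9}):"/', $data, $m, 0, $pos)) {
        $end = $pos + strlen($m[0]) + (int) $m[1];
        $pos = $end + 2;
        return substr($data, $end, 2) === '";';
    }
    // Arrays: keys must be int or string; values recurse up to an assumed depth of 32.
    if ($depth < 32 && preg_match('/\Ga:(\d{1,9}):\{/', $data, $m, 0, $pos)) {
        $pos += strlen($m[0]);
        for ($i = 0; $i < (int) $m[1]; $i++) {
            $k = substr($data, $pos, 1);
            if (($k !== 'i' && $k !== 's')
                || !plain_value($data, $pos, $depth + 1)    // key
                || !plain_value($data, $pos, $depth + 1)) { // value
                return false;
            }
        }
        return substr($data, $pos++, 1) === '}';
    }
    return false; // objects, Serializable payloads, references, unknown tokens
}

// Constructed samples: a plain array, a reference token, a Serializable token.
$samples = array('a:1:{s:4:"name";s:3:"bob";}', 'a:2:{i:0;i:1;i:1;R:2;}', 'C:3:"Foo":0:{}');
foreach ($samples as $s) {
    echo $s, ' => ', var_export(is_plain_serialized($s), true), "\n";
}
```

The check only narrows what untrusted input can reach unserialize(); the fix for the listed CVEs is the updated package version given in the advisory.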