php: multiple vulnerabilities
Package(s): php
CVE #(s): CVE-2016-7411 CVE-2016-7412 CVE-2016-7413 CVE-2016-7414 CVE-2016-7416 CVE-2016-7417 CVE-2016-7418
Created: September 19, 2016
Updated: October 14, 2016
Description: From the Arch Linux advisory:

The package php before version 7.0.11-1 is vulnerable to multiple issues that can lead to arbitrary code execution and denial of service.

- CVE-2016-7411 (arbitrary code execution): A memory corruption vulnerability was found in PHP's unserialize method. This happened during the deserialized-object destruction.
- CVE-2016-7412 (arbitrary code execution): PHP's mysqlnd extension assumes the `flags` returned for a BIT field necessarily contains UNSIGNED_FLAG; this might not be the case, with a rogue mysql server, or a MITM attack. A malicious mysql server or MITM can return field metadata for BIT fields that does not contain the UNSIGNED_FLAG, which leads to a heap overflow.
- CVE-2016-7413 (arbitrary code execution): When WDDX tries to deserialize "recordset" element, use after free happens if close tag for the field is not found. This happens only when field names are set.
- CVE-2016-7414 (arbitrary code execution): The entry.uncompressed_filesize* method does not properly verify the input parameters. An attacker can create a signature.bin with size less than 8, when this value is passed to phar_verify_signature as sig_len a heap buffer overflow occurs.
- CVE-2016-7416 (arbitrary code execution): Big locale string causes stack based overflow inside libicu.
- CVE-2016-7417 (insufficient validation): The return value of spl_array_get_hash_table is not properly checked and used on spl_array_get_dimension_ptr_ptr.
- CVE-2016-7418 (denial of service): An attacker can trigger an Out-Of-Bounds Read in php_wddx_push_element of wddx.c. A DoS (null pointer dereference) vulnerability can be triggered in the wddx_deserialize function by providing a maliciously crafted XML string.
