[v3.1] php: multiple issues (CVE-2015-4021, CVE-2015-4022, CVE-2015-4024, CVE-2015-4025, CVE-2015-4026)
CVE-2015-4021
The phar_parse_tarfile function in ext/phar/tar.c in PHP before
5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that
the first character of a filename is different from the \0 character,
which allows remote attackers to cause a denial of service (integer
underflow and memory corruption) via a crafted entry in a tar archive.
CVE-2015-4022
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP
before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote
FTP servers to execute arbitrary code via a long reply to a LIST
command, leading to a heap-based buffer overflow.
CVE-2015-4024
Algorithmic complexity vulnerability in the multipart_buffer_headers
function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25,
and 5.6.x before 5.6.9 allows remote attackers to cause a denial of
service (CPU consumption) via crafted form data that triggers an
improper order-of-growth outcome.
CVE-2015-4025
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates
a pathname upon encountering a \x00 character in certain situations,
which allows remote attackers to bypass intended extension restrictions
and access files or directories with unexpected names via a crafted
argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4)
readlink. NOTE: this vulnerability exists because of an incomplete fix
for CVE-2006-7243.
CVE-2015-4026
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before
5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a
\x00 character, which might allow remote attackers to bypass intended
extension restrictions and execute files with unexpected names via a
crafted first argument. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2006-7243.
(from redmine: issue id 4313, created on 2015-06-12, closed on 2015-06-16)
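The pathname truncation behind CVE-2015-4025 and CVE-2015-4026, as an added C illustration that is not PHP's code and not part of the original issue: an extension check run over a length-counted string passes, while a NUL-terminated API acts on a shorter path, and the hardened variant rejects any path with an embedded NUL. The `counted_str` type, the function names and the sample paths are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical length-counted string, as a scripting runtime stores it. */
typedef struct { const char *buf; size_t len; } counted_str;

/* Constructed samples: 15 counted bytes with a NUL at offset 10, and a clean path. */
static const char nul_bytes[] = "data/a.cfg\0.txt";
static const char clean_bytes[] = "data/a.txt";
static const counted_str SAMPLE = { nul_bytes, sizeof nul_bytes - 1 };
static const counted_str CLEAN = { clean_bytes, sizeof clean_bytes - 1 };

/* Extension check over all counted bytes: what the script-level filter sees. */
static bool ends_with(counted_str s, const char *ext) {
    size_t n = strlen(ext);
    return s.len >= n && memcmp(s.buf + s.len - n, ext, n) == 0;
}

/* True when a NUL sits inside the counted bytes, so C APIs see a shorter path. */
bool path_has_embedded_nul(counted_str s) {
    return memchr(s.buf, '\0', s.len) != NULL;
}

/* Weak: validates the full buffer, then passes buf to a NUL-terminated API.
   Returns the path length the OS would act on, or 0 if rejected. */
size_t weak_effective_len(counted_str s, const char *ext) {
    if (!ends_with(s, ext)) return 0;
    return strlen(s.buf);          /* stops at the first NUL */
}

/* Hardened: refuse any path whose C length differs from its counted length. */
size_t strict_effective_len(counted_str s, const char *ext) {
    if (path_has_embedded_nul(s)) return 0;
    if (!ends_with(s, ext)) return 0;
    return s.len;
}

int main(void) {
    printf("weak:   checked %zu bytes, OS sees %zu\n",
           SAMPLE.len, weak_effective_len(SAMPLE, ".txt"));
    printf("strict: %zu (0 = rejected)\n", strict_effective_len(SAMPLE, ".txt"));
    printf("clean:  %zu\n", strict_effective_len(CLEAN, ".txt"));
    return 0;
}
```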
- Relations:
  - parent #4310 (closed)
- Changesets:
  - Revision 41fe7d1c by Natanael Copa on 2015-06-15T09:58:54Z:

    main/php: security upgrade to 5.6.10 (various CVEs)

    Fixed in 5.6.9:
    CVE-2015-4021
    CVE-2015-4022
    CVE-2015-4024
    CVE-2015-4025
    CVE-2015-4026

    Fixed in 5.6.10:
    CVE-2015-2325
    CVE-2015-2326
    CVE-2015-3414
    CVE-2015-3415
    CVE-2015-3416

    fixes #4313