[SECURITY] [DLA 307-1] php5 security update

Package : php5
Version : 5.3.3.1-7+squeeze27
CVE ID : CVE-2015-3307 CVE-2015-3411 CVE-2015-3412 CVE-2015-4021
CVE-2015-4022 CVE-2015-4025 CVE-2015-4026 CVE-2015-4147
CVE-2015-4148 CVE-2015-4598 CVE-2015-4599 CVE-2015-4600
CVE-2015-4601 CVE-2015-4602 CVE-2015-4604 CVE-2015-4605
CVE-2015-4643 CVE-2015-4644 CVE-2015-5589 CVE-2015-5590

• CVE-2015-3307
  The phar_parse_metadata function in ext/phar/phar.c in PHP before
  5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote
  attackers to cause a denial of service (heap metadata corruption)
  or possibly have unspecified other impact via a crafted tar archive.
• CVE-2015-3411 + CVE-2015-3412
  Fixed bug #69353 (Missing null byte checks for paths in various
  PHP extensions)
• CVE-2015-4021
  The phar_parse_tarfile function in ext/phar/tar.c in PHP
  before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9
  does not verify that the first character of a filename is
  different from the \0 character, which allows remote attackers
  to cause a denial of service (integer underflow and memory
  corruption) via a crafted entry in a tar archive.
• CVE-2015-4022
  Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP
  before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows
  remote FTP servers to execute arbitrary code via a long reply to a
  LIST command, leading to a heap-based buffer overflow.
• CVE-2015-4025
  PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9
  truncates a pathname upon encountering a \x00 character in certain
  situations, which allows remote attackers to bypass intended
  extension restrictions and access files or directories with
  unexpected names via a crafted argument to (1) set_include_path,
  (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability
  exists because of an incomplete fix for CVE-2006-7243.
• CVE-2015-4026
  The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before
  5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering
  a \x00 character, which might allow remote attackers to bypass
  intended extension restrictions and execute files with unexpected
  names via a crafted first argument. NOTE: this vulnerability exists
  because of an incomplete fix for CVE-2006-7243.
• CVE-2015-4147
  The SoapClient::__call method in ext/soap/soap.c in PHP before
  5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not
  verify that __default_headers is an array, which allows remote
  attackers to execute arbitrary code by providing crafted
  serialized data with an unexpected data type, related to a "type
  confusion" issue.
• CVE-2015-4148
  The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39,
  5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that
  the uri property is a string, which allows remote attackers to
  obtain sensitive information by providing crafted serialized data
  with an int data type, related to a "type confusion" issue.
• CVE-2015-4598
  Incorrect handling of paths with NULs
• CVE-2015-4599
  Type confusion vulnerability in exception::getTraceAsString
• CVE-2015-4600 + CVE-2015-4601
  Added type checks
• CVE-2015-4602
  Type Confusion Infoleak Vulnerability in unserialize() with SoapFault
• CVE-2015-4604 + CVE-2015-4605
  denial of service when processing a crafted file with Fileinfo
  (already fixed in CVE-2015-temp-68819.patch)
• CVE-2015-4643
  Improved fix for bug #69545 (Integer overflow in ftp_genlist()
  resulting in heap overflow)
• CVE-2015-4644
  Fixed bug #69667 (segfault in php_pgsql_meta_data)
• CVE-2015-5589
  Segfault in Phar::convertToData on invalid file
• CVE-2015-5590
  Buffer overflow and stack smashing error in phar_fix_filepath