Versions of PHP 5.4.x prior to 5.4.45, 5.5.x prior to 5.5.29, or 5.6.x prior to 5.6.13 are vulnerable to the following issues:
- A use-after-free error exists in the unserialize() function in ‘ext/spl/spl_observer.c’. The issue is triggered as user-supplied input is not sanitized. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A type confusion flaw affects the serialize_function_call() function in ‘ext/soap/soap.c’. The issue is triggered when handling input passed via the header field. This may allow a remote attacker to execute arbitrary code.
- A use-after-free error affects the object_custom() function in ‘ext/standard/var_unserializer.c’. The issue is triggered when handling user-supplied input. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error affects the unserialize() function in ‘ext/spl/spl_dllist.c’. The issue is triggered during the deserialization of user-supplied input. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the exif_process_IFD_TAG() function in ‘ext/exif/exif.c’ that is triggered when handling TIFF IFD tags. This may allow a context-dependent attacker to crash an application linked against PHP or potentially disclose memory contents.
- An overflow condition exists in the php_pcre_match_impl() function in ‘ext/pcre/php_pcre.c’. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- A flaw exists in the php_pcre_split_impl() function in ‘ext/pcre/php_pcre.c’. The flaw is triggered during the handling of offsets that consist of a start and end position within the subject string, which can cause an exhaustion of memory resources. This may allow a remote attacker to exhaust available memory.
- An overflow condition affects the php_pcre_replace_impl() function in ‘ext/pcre/php_pcre.c’. The issue is triggered as user-supplied input is not properly validated when handling offsets. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- A use-after-free error exists in the php_var_unserialize() function of the session deserializer (php_binary/php_serialize). The issue is triggered when deserializing multiple forms of data. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A NULL pointer dereference flaw exists in the xsl_ext_function_php() function in ‘ext/xsl/xsltprocessor.c’ that is triggered as checks are not properly performed on user-supplied input. This may allow a remote attacker to cause a denial of service.
- A flaw exists that allows traversing outside of a restricted path. The issue is due to the php_zip_extract_file() function in ‘ext/zip/php_zip.c’ not properly sanitizing user input, specifically path traversal style attacks (e.g. ‘…/’) passed to the ZipArchive::extractTo() method. This may allow a remote attacker to create arbitrary directories.
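The affected-version ranges above are the whole basis of this finding, so the first thing a practitioner wants is a reliable way to decide whether a given PHP build falls inside them. The following version check is an added example written for this page; it is not part of the advisory or of any scanner's own code. It encodes the three fixed releases named in the first line (5.4.45, 5.5.29, 5.6.13) and tolerates distribution suffixes such as "-3" on the version string; the sample banners at the bottom are constructed.

```python
import re

# First non-vulnerable release of each affected branch, taken from the advisory text.
FIXED_IN = {
    (5, 4): (5, 4, 45),
    (5, 5): (5, 5, 29),
    (5, 6): (5, 6, 13),
}

# Leading "major.minor.patch"; anything after (e.g. "-3", "RC1") is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch) from a PHP version string such as '5.6.12-3'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if the version lies in one of the affected ranges (5.4.x < 5.4.45, etc.)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        # Branch not named by this advisory (e.g. 5.3, 7.0): not a match for this finding.
        return False
    return (major, minor, patch) < fixed


def triage(banners) -> dict:
    """Map each observed version string to whether it matches this advisory."""
    return {b: is_vulnerable(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners: each branch just below and at its fixed release, plus one out of scope.
    samples = ["5.4.44", "5.4.45", "5.5.28-3", "5.5.29", "5.6.12", "5.6.13", "7.0.0"]
    for banner, hit in triage(samples).items():
        print(f"{banner:12s} {'VULNERABLE' if hit else 'not affected'}")
```

A check like this is only as good as the version string it is fed: distributions that backport security fixes without bumping the upstream version will show as affected here, so treat a match as a prompt to confirm against the vendor's changelog rather than as proof on its own.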
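The last item describes the classic archive-extraction defect: an entry name containing traversal components is handed to the extraction routine without being checked against the destination. The check that closes this hole is the same in any language, so the following is an added, language-neutral illustration of it in Python (it is not PHP's ZipArchive, and not code from the advisory or from the PHP project): every entry name is rejected if it is absolute or contains a ".." component, and the resolved target path is additionally required to stay under the destination directory. The archive it extracts is constructed inline.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(name: str, dest: str) -> bool:
    """Return True only if extracting entry `name` under `dest` cannot escape `dest`."""
    # Absolute paths (POSIX or Windows) are never acceptable archive entries.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    # Reject any '..' path component, whichever separator the archive used.
    parts = name.replace("\\", "/").split("/")
    if ".." in parts:
        return False
    # Belt and braces: the fully resolved target must still lie inside dest.
    dest_abs = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_abs, name))
    return target == dest_abs or target.startswith(dest_abs + os.sep)


def safe_extract_all(zip_bytes: bytes, dest: str) -> list:
    """Extract only entries that pass is_safe_member; return the names that were rejected."""
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_safe_member(info.filename, dest):
                zf.extract(info, dest)
            else:
                rejected.append(info.filename)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and two traversal attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../escape.txt", "must not be written outside dest")
        zf.writestr("nested/../../escape2.txt", "must not be written outside dest")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample archive into a fresh temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        rejected = safe_extract_all(build_sample_archive(), dest)
        written = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _dirs, files in os.walk(dest)
            for f in files
        )
    return {"rejected": rejected, "written": written}


if __name__ == "__main__":
    print(demo())
```

The validation runs on the entry name before anything touches the filesystem, which is the property the vulnerable php_zip_extract_file() lacked; the realpath comparison is kept as a second, independent guard so that a separator or normalisation corner case missed by the string check still cannot land a file outside the destination.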