PHP 5.4.x < 5.4.43 / 5.5.x < 5.5.27 / 5.6.x < 5.6.11 Multiple Vulnerabilities (BACKRONYM)

Versions of PHP 5.4.x earlier than 5.4.43, 5.5.x earlier than 5.5.27, or 5.6.x earlier than 5.6.11 are subject to the following issues :

• A flaw exists in the phar_convert_to_other() function in ‘ext/phar/phar_object.c’ that is triggered during the conversion of invalid TAR files. This may allow a remote attacker to crash an application utilizing PHP. (CVE-2015-5589)
• The ‘!’ character is not treated as a special character when delayed variable substitution is enabled. The functions escapeshellcmd() and escapeshellarg() are unable to properly sanitize arguments containing ‘!’. An attacker can exploit this to execute arbitrary commands.
• A flaw exists in the phar_fix_filepath() function, allowing a buffer overflow that could causes a crash or execution of arbitrary code.