Versions of PHP 7.0.x prior to 7.0.15 and 7.1.x prior to 7.1.1 are affected by multiple vulnerabilities:
- An out-of-bounds read flaw exists in the ‘phar_parse_pharfile()’ function in ‘ext/phar/phar.c’ that is triggered when handling phar archives. This may allow a remote attacker to cause a denial of service.
- A floating point exception flaw exists in the ‘exif_convert_any_to_int()’ function in ‘ext/exif/exif.c’ that is triggered when handling TIFF and JPEG image tags. This may allow a remote attacker to cause a crash.
- A NULL pointer dereference flaw exists in the ‘php_wddx_pop_element()’ function in ‘ext/wddx/wddx.c’ that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a crash.
- An off-by-one overflow condition exists in the ‘phar_parse_pharfile()’ function in ‘ext/phar/phar.c’ that is triggered when parsing phar archives. This may allow a remote attacker to cause a limited buffer overflow, resulting in a crash.
- An integer overflow condition exists in the ‘_zend_hash_init()’ function in ‘Zend/zend_hash.c’. The issue is triggered as certain input is not properly validated when handling unserialized objects. This may allow a remote attacker to potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the ‘finish_nested_data()’ function in ‘ext/standard/var_unserializer.c’ that is triggered when handling unserialized data. This may allow a remote attacker to crash a process built with the language or potentially disclose memory contents.
- An integer overflow condition exists in the ‘phar_parse_pharfile()’ function in ‘ext/phar/phar.c’. The issue is triggered as certain input is not properly validated when handling phar archives. This may allow a context-dependent attacker to crash a process built with the language.
- A type confusion flaw exists that is triggered during the deserialization of specially crafted GMP objects. This may allow a remote attacker to crash a process utilizing the language.
- A type confusion flaw exists that is triggered when deserializing ZVAL objects. This may allow a remote attacker to potentially execute arbitrary code.
- An unspecified signed integer overflow condition exists in ‘gd_io.c’. The issue is triggered as certain input is not properly validated. This may allow an attacker to have an unspecified impact. No further details have been provided.
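
The affected ranges above can be checked against collected version banners. The following is an added example, not part of the original advisory: the function names, hostnames and banner strings are constructed, and treating a pre-release of a fixed version as affected is an assumption.

```python
import re

# Fixed patch level per affected branch, from the advisory: 7.0.15 and 7.1.1.
FIXED = {(7, 0): 15, (7, 1): 1}

_VER = r"(\d+)\.(\d+)\.(\d+)((?:RC|alpha|beta|-?dev)\d*)?"


def parse_php_version(text):
    """Return (major, minor, patch, is_prerelease), or None if no version found."""
    # Prefer a version that follows "PHP" so "nginx/1.10.3 PHP/7.0.14" parses right.
    m = re.search(r"PHP[/ ]" + _VER, text, re.I) or re.search(_VER, text, re.I)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(text):
    """True or False for a parsed version; None when no version is present."""
    parsed = parse_php_version(text)
    if parsed is None:
        return None
    major, minor, patch, prerelease = parsed
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return False  # branch is outside the scope of this advisory
    if patch < fixed_patch:
        # Distribution packages (e.g. 7.0.14-2ubuntu1) may carry backported
        # fixes; confirm against the vendor changelog before closing a finding.
        return True
    # Assumption: a pre-release build of the fixed version (e.g. 7.1.1RC1)
    # predates the fixed release and is treated as affected.
    return patch == fixed_patch and prerelease


# Constructed sample inventory: hostname -> banner or `php -v` first line.
INVENTORY = {
    "web01.example": "X-Powered-By: PHP/7.0.14-2ubuntu1",
    "web02.example": "PHP 7.0.15 (cli)",
    "app01.example": "PHP 7.1.0RC6 (cli)",
    "app02.example": "nginx/1.10.3 PHP/7.1.1",
    "old01.example": "PHP/5.6.30",
    "lb01.example": "Server: nginx",
}


def affected_hosts(inventory):
    """Hosts whose banner falls inside the advisory's affected ranges."""
    return sorted(h for h, banner in inventory.items() if is_affected(banner))
```
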