CVE-2015-3307
The phar_parse_metadata function in ext/phar/phar.c in PHP before
5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote
attackers to cause a denial of service (heap metadata corruption)
or possibly have unspecified other impact via a crafted tar archive.
CVE-2015-3411 + CVE-2015-3412
Fixed bug #69353 (Missing null byte checks for paths in various
PHP extensions).
CVE-2015-4021
The phar_parse_tarfile function in ext/phar/tar.c in PHP
before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9
does not verify that the first character of a filename is
different from the \0 character, which allows remote attackers
to cause a denial of service (integer underflow and memory
corruption) via a crafted entry in a tar archive.
CVE-2015-4022
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP
before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows
remote FTP servers to execute arbitrary code via a long reply to a
LIST command, leading to a heap-based buffer overflow.
CVE-2015-4025
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9
truncates a pathname upon encountering a \x00 character in certain
situations, which allows remote attackers to bypass intended
extension restrictions and access files or directories with
unexpected names via a crafted argument to (1) set_include_path,
(2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability
exists because of an incomplete fix for CVE-2006-7243.
CVE-2015-4026
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before
5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering
a \x00 character, which might allow remote attackers to bypass
intended extension restrictions and execute files with unexpected
names via a crafted first argument. NOTE: this vulnerability exists
because of an incomplete fix for CVE-2006-7243.
CVE-2015-4147
The SoapClient::__call method in ext/soap/soap.c in PHP before
5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not
verify that __default_headers is an array, which allows remote
attackers to execute arbitrary code by providing crafted
serialized data with an unexpected data type, related to a type
confusion issue.
CVE-2015-4148
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39,
5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that
the uri property is a string, which allows remote attackers to
obtain sensitive information by providing crafted serialized data
with an int data type, related to a type confusion issue.
CVE-2015-4598
Incorrect handling of paths with NULs.
CVE-2015-4599
Type confusion vulnerability in exception::getTraceAsString.