CVE-2015-6831
Use after free vulnerability was found in unserialize() function.
We can create ZVAL and free it via Serializable::unserialize.
However the unserialize() will still allow to use R: or r: to set
references to that already freed memory. It is possible to
use-after-free attack and execute arbitrary code remotely.
CVE-2015-6832
Dangling pointer in the unserialization of ArrayObject items.
CVE-2015-6833
Files extracted from archive may be placed outside of destination
directory
CVE-2015-6834
Use after free vulnerability was found in unserialize() function.
We can create ZVAL and free it via Serializable::unserialize.
However the unserialize() will still allow to use R: or r: to set
references to that already freed memory. It is possible to
use-after-free attack and execute arbitrary code remotely.
CVE-2015-6836
A type confusion occurs within SOAP serialize_function_call due
to an insufficient validation of the headers field.
In the SoapClient’s __call method, the verify_soap_headers_array
check is applied only to headers retrieved from
zend_parse_parameters; problem is that a few lines later,
soap_headers could be updated or even replaced with values from
the __default_headers object fields.
CVE-2015-6837
The XSLTProcessor class misses a few checks on the input from the
libxslt library. The valuePop() function call is able to return
NULL pointer and php does not check that.
CVE-2015-6838
The XSLTProcessor class misses a few checks on the input from the
libxslt library. The valuePop() function call is able to return
NULL pointer and php does not check that.
CVE-2015-7803
A NULL pointer dereference flaw was found in the way PHP’s Phar
extension parsed Phar archives. A specially crafted archive could
cause PHP to crash.
CVE-2015-7804
An uninitialized pointer use flaw was found in the
phar_make_dirstream() function of PHP’s Phar extension.
A specially crafted phar file in the ZIP format with a directory
entry with a file name “/ZIP” could cause a PHP application
function to crash.