CVE-2014-9767

Published: 31 December 2014

Directory traversal vulnerability in the ZipArchive::extractTo function in ext/zip/php_zip.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13 and ext/zip/ext_zip.cpp in HHVM before 3.12.1 allows remote attackers to create arbitrary empty directories via a crafted ZIP archive.

Priority

Low

CVSS 3 base score: 4.3

Status

Package Release Status
hhvm
Launchpad, Ubuntu, Debian
Upstream
Released (3.12.1+dfsg-1)
Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(3.12.11+dfsg-1build1)
Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/facebook/hhvm/commit/65c95a01541dd2fbc9c978ac53bed235b5376686
php5
Launchpad, Ubuntu, Debian
Upstream
Released (5.6.13+dfsg-1)
Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.16)
Patches:
Upstream: https://git.php.net/?p=php-src.git;a=commitdiff;h=f9c2bf73adb2ede0a486b0db466c264f2b27e0bb
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=906f19f1365488f90f7473e833a7a13f2c1387ac
php7.0
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.0)
Ubuntu 21.10 (Impish Indri) Does not exist

Ubuntu 21.04 (Hirsute Hippo) Does not exist

Ubuntu 20.04 LTS (Focal Fossa) Does not exist

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(7.0.4-5ubuntu2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist