CVE-2015-2331

Published: 30 March 2015

Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.

Priority

Medium

Status

Package / Release / Status

libzip
  Upstream: Released (0.11.2-1.2)
  Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (1.0.1-0ubuntu1)
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (0.10.1-1.2)
  Patches:
    Upstream: http://hg.nih.at/libzip/rev/9f11d54f692e

php5
  Upstream: Needs triage
  Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (5.5.9+dfsg-1ubuntu4.7)
  Patches:
    Upstream: http://git.php.net/?p=php-src.git;a=commit;h=4a8d8b4154334b1714e19b82b061201d41dc87d6

Notes

Author / Note

mdeslaur: libzip in trusty and earlier doesn't support ZIP64, so doesn't look vulnerable. php5 in utopic and earlier doesn't support ZIP64 either.

sbeattie: fixed in libzip 1.0 release

References

Bugs