CVE-2015-3307

Publication date 9 June 2015

Last updated 24 July 2024

The phar_parse_metadata function in ext/phar/phar.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (heap metadata corruption) or possibly have unspecified other impact via a crafted tar archive.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	15.04 vivid	Not affected
	14.10 utopic	Not affected
	14.04 LTS trusty	Not affected
	12.04 LTS precise	Not affected

How can I get the fixes?
What do statuses mean?
Patch details

Notes

mdeslaur

The two first commits may have also been used to fix CVE-2015-2783

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9faaee66fa493372c7340b1ab05f8fd115131a42 Upstream: http://git.php.net/?p=php-src.git;a=commit;h=12d3bdee3dfa6605024a72080d8a17c165c5ed24 Upstream: http://git.php.net/?p=php-src.git;a=commit;h=cee97220285fd7b955a58617b3e0300ec104ed87 Upstream: http://git.php.net/?p=php-src.git;a=commit;h=be504995c351a2582e82b52bd4e0383e9e27783d

Package

Patch details

php5

Upstream: http://git.php.net/?p=php-src.git;a=commit;h=17cbd0b5b78a7500f185b3781a2149881bfff8ae
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9faaee66fa493372c7340b1ab05f8fd115131a42
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=12d3bdee3dfa6605024a72080d8a17c165c5ed24
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=cee97220285fd7b955a58617b3e0300ec104ed87
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=be504995c351a2582e82b52bd4e0383e9e27783d

References

MITRE
NVD
Launchpad
Debian

Other references

http://seclists.org/oss-sec/2015/q2/477
https://www.cve.org/CVERecord?id=CVE-2015-3307