CVE-2016-5773

Published: 24 June 2016

php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.

Priority

Low

CVSS 3 base score: 9.8

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
Upstream
Released (5.6.23)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.19)
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f6aef68089221c5ea047d4a74224ee3deead99a6
php7.0
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.8)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (7.0.8-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f6aef68089221c5ea047d4a74224ee3deead99a6

Notes

AuthorNote
mdeslaur
Applications should never deserialize unauthenticated data.
precise needs backported fix
we will not be fixing this in Ubuntu 12.04 LTS. We recommend
validating untrusted data before unserializing.

References

Bugs