Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2016-7414

Published: 17 September 2016

The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
upstream
Released (5.6.26)
precise
Released (5.3.10-1ubuntu3.25)
trusty
Released (5.5.9+dfsg-1ubuntu4.20)
xenial Does not exist

Patches:
upstream: http://git.php.net/?p=php-src.git;a=commit;h=223266e4e46b9188353db93771369078c2e94353


php7.0
Launchpad, Ubuntu, Debian
upstream
Released (7.0.11)
precise Does not exist

trusty Does not exist

xenial
Released (7.0.8-0ubuntu0.16.04.3)
Patches:

upstream: http://git.php.net/?p=php-src.git;a=commit;h=0bfb970f43acd1e81d11be1154805f86655f15d5
upstream: http://git.php.net/?p=php-src.git;a=commit;h=223266e4e46b9188353db93771369078c2e94353