MGASA-2015-0040

See a problem?
Please try reporting it to the source first.
Source
https://advisories.mageia.org/MGASA-2015-0040.html
Import Source
https://advisories.mageia.org/MGASA-2015-0040.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2015-0040
Related
Published
2015-01-27T21:08:29Z
Modified
2015-01-27T20:59:46Z
Summary
Updated php packages fix security vulnerabilities
Details

Updated php and libgd packages fix security vulnerabilities:

Double free vulnerability in the zendtshashgracefuldestroy function in zendtshash.c in the Zend Engine in PHP before 5.5.21 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors (CVE-2014-9425).

sapi/cgi/cgi_main.c in the CGI component in PHP before 5.5.21, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping (CVE-2014-9427).

Use after free vulnerability in unserialize() in PHP before 5.5.21 (CVE-2015-0231).

Free called on an uninitialized pointer in php-exif in PHP before 5.5.21 (CVE-2015-0232).

The readelf.c source file has been removed from PHP's bundled copy of file's libmagic, eliminating exposure to denial of service issues in ELF file parsing such as CVE-2014-8116, CVE-2014-8117, CVE-2014-9620 and CVE-2014-9621 in PHP's fileinfo module.

A buffer read overflow in gdgifin.c in the php#68601 bug referenced in the PHP 5.5.21 ChangeLog has been fixed in the libgd package.

The php package has been updated to version 5.5.21 to fix these issues and other bugs. Please see the upstream ChangeLog for more information.

References
Credits

Affected packages

Mageia:4 / php

Package

Name
php
Purl
pkg:rpm/mageia/php?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.5.21-1.mga4

Ecosystem specific 

{
    "section": "core"
}

Mageia:4 / php-apc

Package

Name
php-apc
Purl
pkg:rpm/mageia/php-apc?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.15-4.11.mga4

Ecosystem specific 

{
    "section": "core"
}

Mageia:4 / libgd

Package

Name
libgd
Purl
pkg:rpm/mageia/libgd?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.0-3.2.mga4

Ecosystem specific 

{
    "section": "core"
}