Headline
CVE-2015-2301: use after free in phar_object.c
Use-after-free vulnerability in the phar_rename_archive function in phar_object.c in PHP before 5.5.22 and 5.6.x before 5.6.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted renaming of a Phar archive to the name of an existing file.
Sec Bug #68901
use after free in phar_object.c
Submitted:
2015-01-24 18:44 UTC
Modified:
2015-03-18 12:12 UTC
From:
bugreports at internot dot info
Assigned:
laruence (profile)
Status:
Closed
Package:
PHAR related
PHP Version:
5.5.21
OS:
Linux Ubuntu 14.04
Private report:
No
CVE-ID:
2015-2301
[2015-01-24 18:44 UTC] bugreports at internot dot info
Description:
Hi,
In /ext/phar/phar_object.c: 2131 newpath = oldpath; but then:
2142 efree(oldpath); 2143 zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, “phar \"%s\” exists and must be unlinked prior to conversion", newpath);
Patches
Add a Patch
Pull Requests
Add a Pull Request
History
AllCommentsChangesGit/SVN commitsRelated reports
[2015-01-28 16:15 UTC] [email protected]
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
[2015-01-28 18:17 UTC] [email protected]
-Summary: use after free +Summary: use after free in phar_object.c
Related news
spl_array.c in the SPL extension in PHP before 5.5.37 and 5.6.x before 5.6.23 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data.
The cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data, which allows remote attackers to cause a denial of service (application crash) via a crafted stream offset in a CDF file.