PublicDateAtUSN: 2015-06-09
Candidate: CVE-2015-4021
PublicDate: 2015-06-09 18:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4021
 http://www.openwall.com/lists/oss-security/2015/05/17/2
 http://www.openwall.com/lists/oss-security/2015/05/18/2
 https://ubuntu.com/security/notices/USN-2658-1
Description:
 The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41,
 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first
 character of a filename is different from the \0 character, which allows
 remote attackers to cause a denial of service (integer underflow and memory
 corruption) via a crafted entry in a tar archive.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.php.net/bug.php?id=69453
Priority: low
Discovered-by: Emmanuel Law
Assigned-to: mdeslaur
CVSS: 

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=c27f012b7a447e59d4a704688971cbfa7dddaa74 (5.4-5.6)
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=e2bbf0a2df2cd864fa86d613eb316b249811a6f6 (5.4-5.6)
upstream_php5: released (5.4.41,5.5.25,5.6.9)
precise_php5: released (5.3.10-1ubuntu3.19)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.11)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.11)
utopic_php5: released (5.5.12+dfsg-2ubuntu4.6)
vivid_php5: released (5.6.4+dfsg-4ubuntu6.2)
devel_php5: released (5.6.9+dfsg-1ubuntu1)