PublicDateAtUSN: 2015-06-18
Candidate: CVE-2015-4643
PublicDate: 2016-05-16 10:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4643
 http://www.openwall.com/lists/oss-security/2015/06/18/3
 https://ubuntu.com/security/notices/USN-2658-1
Description:
 Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before
 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP
 servers to execute arbitrary code via a long reply to a LIST command,
 leading to a heap-based buffer overflow.  NOTE: this vulnerability exists
 because of an incomplete fix for CVE-2015-4022.
Ubuntu-Description:
Notes:
 mdeslaur> improved fix for CVE-2015-4022
Bugs:
 https://bugs.php.net/bug.php?id=69545
Priority: medium
Discovered-by: Max Spelsberg
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 (5.4-5.6)
upstream_php5: released (5.4.42,5.5.26,5.6.10)
precise_php5: released (5.3.10-1ubuntu3.19)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.11)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.11)
utopic_php5: released (5.5.12+dfsg-2ubuntu4.6)
vivid_php5: released (5.6.4+dfsg-4ubuntu6.2)
devel_php5: released (5.6.9+dfsg-1ubuntu1)