CVE-2015-4604

Priority
Description
The mget function in softmagic.c in file 5.x, as used in the Fileinfo
component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before
5.6.8, does not properly maintain a certain pointer relationship, which
allows remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted string that is mishandled by
a "Python script text executable" rule.
Notes
 mdeslaur> introduced by http://git.php.net/?p=php-src.git;a=commit;h=eeaec70
 mdeslaur> can't reproduce with file
Assigned-to
mdeslaur
Package
Source: file (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 14.04 LTS (Trusty Tahr): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): not-affected
Package
Source: php5 (LP Ubuntu Debian)
Upstream: released (5.6.9+dfsg-1)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (5.5.9+dfsg-1ubuntu4.9)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f938112c495b0d26572435c0be73ac0bfe642ecd (5.4-5.6)

Updated: 2019-03-19 12:19:22 UTC (commit 15472795df7e9de45b82f2d36b8b419b939f97b2)