CVE-2016-4343

Description
The phar_make_dirstream function in ext/phar/dirstream.c in PHP before
5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which
allows remote attackers to cause a denial of service (uninitialized pointer
dereference) or possibly have unspecified other impact via a crafted TAR
archive.
Assigned-to
mdeslaur
Package
Source: php5 (LP Ubuntu Debian)
Upstream: released (5.6.18)
Ubuntu 14.04 ESM (Trusty Tahr): released (5.5.9+dfsg-1ubuntu4.17)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Patches:
Upstream: https://git.php.net/?p=php-src.git;a=commit;h=4c2424eb24b0178456acc404dbfff528cdc44197
Upstream: https://git.php.net/?p=php-src.git;a=commit;h=9649ca1630433473a307d015ba1a79a4a7a779f5 (5.5)
Package
Upstream: released (7.0.3)
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (7.0.4-7ubuntu2)
Patches:
Upstream: https://git.php.net/?p=php-src.git;a=commit;h=4c2424eb24b0178456acc404dbfff528cdc44197
Updated: 2019-12-05 18:45:12 UTC (commit dd38ff22974aae499eb50644b9d5a2817483cbdb)