CVE-2016-5399 (retired)

Priority
Description
The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before
5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of
service (out-of-bounds write) or execute arbitrary code via a crafted bz2
archive.
Notes
 sarnold> PHP position seems to suggest they'll fix bzread() to ensure
  it conforms to the documented behaviour but they won't take any steps
  to 'safe' an improper use of API by applications. Since the API was
  apparently not honoured before I don't know how an application could be
  expected to be correct.
Package
Source: php5 (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 14.04 LTS (Trusty Tahr): released (5.5.9+dfsg-1ubuntu4.19)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f3feddb5b45b5abd93abb1a95044b7e099d51c84
Package
Upstream: released (7.0.9)
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (7.0.8-0ubuntu0.16.04.2)
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f3feddb5b45b5abd93abb1a95044b7e099d51c84
More Information

Updated: 2019-03-26 12:22:10 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)