CVE-2015-6832

Name: CVE-2015-6832
Description: Use-after-free vulnerability in the SPL unserialize implementation in ext/spl/spl_array.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 allows remote attackers to execute arbitrary code via crafted serialized data that triggers misuse of an array field.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-341-1, DSA-3344-1

The information below is based on the following data on fixed versions.

Package  Type    Release     Fixed Version         Urgency  Origin      Debian Bugs
php5     source  squeeze     5.3.3.1-7+squeeze28            DLA-341-1
php5     source  wheezy      5.4.44-0+deb7u1                DSA-3344-1
php5     source  jessie      5.6.12+dfsg-0+deb8u1           DSA-3344-1
php5     source  (unstable)  5.6.12+dfsg-1

Notes

https://bugs.php.net/bug.php?id=70068
https://www.openwall.com/lists/oss-security/2015/08/19/3
Fixed upstream in 5.4.44 and 5.6.12
