CVE-2016-5399

Name: CVE-2016-5399
Description: The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-628-1, DSA-3631-1

The information below is based on the following data on fixed versions.

Package   Type    Release     Fixed Version          Urgency  Origin      Debian Bugs
php5      source  wheezy      5.4.45-0+deb7u5                 DLA-628-1
php5      source  jessie      5.6.24+dfsg-0+deb8u1            DSA-3631-1
php5      source  (unstable)  5.6.24+dfsg-1
php7.0    source  (unstable)  7.0.9-1

Notes

PHP Bug: https://bugs.php.net/bug.php?id=72613
Partial fixes in 7.0.9, 5.6.24, 5.5.38
The CVE is assigned for the issue of inadequate error handling in PHP's
bzread() function. Disputed by PHP upstream, which considers the
underlying bzip2 library to be at fault.
