CVE-2016-5399

NameCVE-2016-5399
DescriptionThe bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-628-1, DSA-3631-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php5 (PTS)wheezy5.4.45-0+deb7u2vulnerable
wheezy (security)5.4.45-0+deb7u11fixed
jessie (security), jessie5.6.30+dfsg-0+deb8u1fixed
php7.0 (PTS)stretch7.0.19-1fixed
buster, sid7.0.22-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php5source(unstable)5.6.24+dfsg-1medium
php5sourcejessie5.6.24+dfsg-0+deb8u1mediumDSA-3631-1
php5sourcewheezy5.4.45-0+deb7u5mediumDLA-628-1
php7.0source(unstable)7.0.9-1medium

Notes

PHP Bug: https://bugs.php.net/bug.php?id=72613
Partial fixes in 7.0.9, 5.6.24, 5.5.38
CVE is assigned for the issue in PHP in adequate error handling in the
bzread() function. Disputed by PHP upstream, which considers that the
underlying bzip2 library is at fault.

Search for package or bug name: Reporting problems