Name | CVE-2015-2331 |
Description | Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-212-1, DSA-3198-1 |
Debian Bugs | 780713, 780756 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
libzip (PTS) | jessie | 0.11.2-1.2 | fixed |
stretch (security), stretch (lts), stretch | 1.1.2-1.1+deb9u1 | fixed | |
buster | 1.5.1-4 | fixed | |
bullseye, bookworm | 1.7.3-1 | fixed | |
sid, trixie | 1.11.2-1 | fixed | |
php5 (PTS) | jessie, jessie (lts) | 5.6.40+dfsg-0+deb8u21 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
libzip | source | squeeze | (not affected) | |||
libzip | source | wheezy | (not affected) | |||
libzip | source | (unstable) | 0.11.2-1.2 | 780756 | ||
php5 | source | squeeze | 5.3.3.1-7+squeeze26 | DLA-212-1 | ||
php5 | source | wheezy | 5.4.39-0+deb7u1 | DSA-3198-1 | ||
php5 | source | (unstable) | 5.6.7+dfsg-1 | 780713 |
[wheezy] - libzip <not-affected> (Vulnerable code introduced with added Zip64 support in 0.11)
[squeeze] - libzip <not-affected> (Vulnerable code introduced with added Zip64 support in 0.11)
https://bugs.php.net/bug.php?id=69253
https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
https://www.openwall.com/lists/oss-security/2015/03/18/1
libzip patch: http://hg.nih.at/libzip/rev/9f11d54f692e