| Name | CVE-2016-5399 |
| Description | The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-628-1, DSA-3631-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| php5 (PTS) | jessie, jessie (lts) | 5.6.40+dfsg-0+deb8u21 | fixed |
| php7.0 (PTS) | stretch (security) | 7.0.33-0+deb9u12 | fixed |
| stretch (lts), stretch | 7.0.33-0+deb9u19 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| php5 | source | wheezy | 5.4.45-0+deb7u5 | | DLA-628-1 | |
| php5 | source | jessie | 5.6.24+dfsg-0+deb8u1 | | DSA-3631-1 | |
| php5 | source | (unstable) | 5.6.24+dfsg-1 | | | |
| php7.0 | source | (unstable) | 7.0.9-1 | | | |
Notes
PHP Bug: https://bugs.php.net/bug.php?id=72613
Partial fixes in 7.0.9, 5.6.24, 5.5.38
CVE is assigned for the issue in PHP in adequate error handling in the
bzread() function. Disputed by PHP upstream, which considers that the
underlying bzip2 library is at fault.