ELA-227-1 php5 security update

Fix for several out-of-bounds reads/writes

2020-04-30
Package: php5
Version: 5.4.45-0+deb7u29
Related CVEs: CVE-2019-18218 CVE-2020-7064 CVE-2020-7066 CVE-2020-7067


Four issues have been found in php5, a server-side, HTML-embedded scripting language.

CVE-2020-7064 A one-byte out-of-bounds read, which could lead to information disclosure or a crash.

CVE-2020-7066 A URL containing a NUL (\0) character is silently truncated at that character. Code that validates the full string but then hands it to an API that stops at the NUL is operating on two different URLs, which may cause software to make incorrect assumptions and possibly send information to the wrong server.
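The mismatch described above, as an added example (not PHP's code or part of the original advisory): a host allowlist is checked in Python on the full string, then the same string crosses into a char*-based API, emulated here with ctypes, which only sees the bytes before the NUL. The allowlist, the hostnames and the attacker URL are constructed for the illustration.

```python
import ctypes
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for the illustration.
ALLOWED_HOSTS = {"api.example.org"}

# Constructed attacker input: the part before the NUL is what a C-string
# API reads; the part after it is what a full-string check sees. The "@"
# makes the full-string parser treat "evil.example\0" as userinfo.
ATTACK_URL = "http://evil.example\0@api.example.org/export"


def host_seen_by_validator(url: str) -> Optional[str]:
    """Hostname as a full-string allowlist check sees it."""
    return urlsplit(url).hostname


def host_seen_by_c_layer(url: str) -> Optional[str]:
    """Hostname after the URL crosses into a char*-based API.

    ctypes.c_char_p(...).value reads the buffer only up to the first NUL,
    which is the truncation the advisory describes.
    """
    truncated = ctypes.c_char_p(url.encode("utf-8")).value.decode("utf-8")
    return urlsplit(truncated).hostname


def naive_is_allowed(url: str) -> bool:
    """Vulnerable pattern: validate the full string, then pass it on unchanged."""
    return host_seen_by_validator(url) in ALLOWED_HOSTS


def hardened_is_allowed(url: str) -> bool:
    """Hardened pattern: reject NUL and other control characters before any
    validation, so the validated bytes and the bytes the C layer uses are
    the same bytes."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    return host_seen_by_validator(url) in ALLOWED_HOSTS


if __name__ == "__main__":
    print("validator sees:", host_seen_by_validator(ATTACK_URL))
    print("C layer sees:  ", host_seen_by_c_layer(ATTACK_URL))
    print("naive check:   ", naive_is_allowed(ATTACK_URL))
    print("hardened check:", hardened_is_allowed(ATTACK_URL))
```

The same rejection belongs in front of any call that ends in a C string (shell commands, file paths, hostnames), not only URLs; the fix in php5 stops the truncation on the library side, but callers that never let a NUL through in the first place are protected on unpatched hosts as well.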

CVE-2020-7067 A malformed URL-encoded string can cause an out-of-bounds read.

CVE-2019-18218 The number of CDF_VECTOR elements is now restricted, preventing a heap-based buffer overflow (a 4-byte out-of-bounds write). This CVE was originally filed against the “file” package, but php5 bundles its own copy of that package's libmagic code, so it is affected as well.



For Debian 7 Wheezy, these problems have been fixed in version 5.4.45-0+deb7u29.

We recommend that you upgrade your php5 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.