MGASA-2014-0430
Vulnerability Summary
Timeline
Description
Updated php packages fix security vulnerabilities An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure (CVE-2014-3669). A heap corruption issue was reported in PHP's exif_thumbnail() function. A specially-crafted JPEG image could cause the PHP interpreter to crash or, potentially, execute arbitrary code (CVE-2014-3670). If client-supplied input was passed to PHP's cURL client as a URL to download, it could return local files from the server due to improper handling of null bytes (PHP#68089). PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4, which fix these issues and other bugs. Additionally, the suhosin PHP extension has been updated to version 0.9.36 and a bug in the php zip extension that could cause a crash on Mageia 4 has been fixed (mga#13820)
Affected Systems
- mageia•php
< 5.4.34-1.mga3
- mageia•php-apc
< 3.1.14-7.13.mga3
- mageia•php-gd-bundled
< 5.4.34-1.mga3
- mageia•php-suhosin
< 0.9.36-1.mga3
- mageia•php
< 5.5.18-1.1.mga4
- mageia•php-apc
< 3.1.15-4.8.mga4
- mageia•php-suhosin
< 0.9.36-1.mga4
References (8)
- https://advisories.mageia.org/MGASA-2014-0430.html
- https://bugs.mageia.org/show_bug.cgi?id=14326
- http://www.php.net/ChangeLog-5.php#5.5.18
- http://www.php.net/ChangeLog-5.php#5.4.34
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3669
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3670
- https://bugs.php.net/bug.php?id=68089
- https://bugs.mageia.org/show_bug.cgi?id=13820