PublicDateAtUSN: 2015-06-17
Candidate: CVE-2015-4604
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4604
https://usn.ubuntu.com/usn/usn-2658-1
The mget function in softmagic.c in file 5.x, as used in the Fileinfo
component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before
5.6.8, does not properly maintain a certain pointer relationship, which
allows remote attackers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted string that is mishandled by
a "Python script text executable" rule.
mdeslaur> introduced by http://git.php.net/?p=php-src.git;a=commit;h=eeaec70
mdeslaur> can't reproduce with file
https://bugs.php.net/bug.php?id=68819
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783099 (php5)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783108 (file)
upstream: http://git.php.net/?p=php-src.git;a=commit;h=f938112c495b0d26572435c0be73ac0bfe642ecd (5.4-5.6)
upstream_php5: released (5.6.9+dfsg-1)
precise_php5: not-affected (5.3.10-1ubuntu3.18)
trusty_php5: not-affected (5.5.9+dfsg-1ubuntu4.9)
utopic_php5: not-affected (5.5.12+dfsg-2ubuntu4.4)
vivid_php5: released (5.6.4+dfsg-4ubuntu6.2)
vivid/stable-phone-overlay_php5: DNE
vivid/ubuntu-core_php5: DNE
wily_php5: released (5.6.9+dfsg-1ubuntu1)
upstream_file: needs-triage
precise_file: not-affected
trusty_file: not-affected
utopic_file: ignored (reached end-of-life)
vivid_file: ignored (reached end-of-life)
vivid/stable-phone-overlay_file: not-affected
vivid/ubuntu-core_file: DNE
wily_file: not-affected
xenial_file: not-affected
devel_file: not-affected