PHP 4.4
security flaw
php: Heap-based buffer overflow in the mbstring extension via crafted string containing a HTML entity (arb code execution)
PHP multibyte shell escape flaw
php: stack based buffer overflow in FastCGI SAPI
PHP crash in crypt() from long salt
php: $_SESSION usort() interruption corruption
php: Integer Signedness issues in _php_stream_scandir
php: Buffer overflow in com_print_typeinfo() by parsing certain variant types
PHP weak 64 bit random seed
php: buffer overflow in a CGI path translation
php: command line arguments injection when run in CGI mode (VU#520827)
php: type confusion issue in unserialize() with various SOAP methods
php: type confusion issue in Soap Client call() method
php: type confusion issue in unserialize() with various SOAP methods
php: Out-of-bounds access in locale_accept_from_http
php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
php: xml_parse_into_struct() can crash when XML parser is re-used
php: Missing type check when unserializing SplArray
php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
php: Use After Free Vulnerability in PHP's GC algorithm and unserialize
php: buffer overflow in handling of long link names in tar phar archives
php: Use after free in unserialize() with Unexpected Session Deserialization
php: Int/size_t confusion in SplFileObject::fread
php: bcpowmod accepts negative scale causing heap buffer overflow corrupting _one_ definition
php: multiple unserialization use-after-free issues
php: Incomplete Class unserialization type confusion
php: Use-after-free vulnerability in the spl_ptr_heap_insert function
php: Integer Overflows in mcrypt_generic() and mdecrypt_generic() resulting in heap overflows
php: Buffer over-read in php_url_parse_ex
php: select_colors write out-of-bounds
php: Use after free in unserialize()
php: Use after free in unserialize() via DateInterval::__wakeup()
php: buffer over-read in finish_nested_data function
oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
php: Stack-based buffer under-read in php_stream_url_wrap_http_ex() in http_fopen_wrapper.c when parsing HTTP response
php: Heap-based buffer over-read in PHAR reading functions
php: Heap-based buffer over-read in mbstring regular expression functions
php: Invalid memory access in function xmlrpc_decode()
php: Uninitialized read in exif_process_IFD_in_TIFF
php: Memory corruption when destructing deserialized object
php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used
php: Double free in _php_mb_regex_ereg_replace_exec
php: bypass __wakeup() in deserialization of an unexpected object
php: segmentation fault in Phar::convertToData on invalid file
php: use-after-free vulnerability in session deserializer
php: Double free vulnerability in error condition of format printer
php: Use after free in WDDX Deserialize when processing XML data
php: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c
php: type confusion issue in unserialize() with various SOAP methods
php: Use after free in SNMP with GC and unserialize()
php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
php: Double Free Corruption in wddx_deserialize
php: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)
php: Use after free in wddx_deserialize
php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
php: Exception::getTraceAsString type confusion issue after unserialize
php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used
php: Overflowing the length of string causes crash
php: Invalid read when wddx decodes empty boolean element
php: stack buffer overflow in locale_get_display_name
security flaw
security flaw
php: Out-of-bounds memory read via gdImageRotateInterpolated
php: Out-of-bounds read in phar_parse_pharfile
php: out-of-bounds write in fpm_log.c
gd: Integer overflow in _gd2GetHeader() resulting in heap overflow
gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
php: Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data
gd: Heap-based buffer overflow in gdImageColorMatch() in gd_color_match.c
php: Stack-based buffer overflow vulnerability in php_stream_zip_opener
php: Uninitialized pointer in phar_make_dirstream()
php: use of uninitialized pointer in PharFileInfo::getContent
php: improper nul termination leading to out-of-bounds read in get_icu_value_internal
php: Integer overflow in php_filter_full_special_chars
php: Integer overflow in php_html_entities()
php: Integer underflow causing arbitrary null write in fread/gzread
php: Out-of-bounds read in phar_parse_zipfile()
php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field
security flaw
php: Integer overflow leads to buffer overflow in virtual_file_ex
php: Stack based 1-byte buffer over-write in zend_ini_do_op() function Zend/zend_ini_parser.c
php: Improper error handling in bzread()
gd: incorrect boundary adjustment in _gdContributionsCalc
security flaw
CVE-2005-3391 Two PHP safemode bypass issues (CVE-2005-3392)
security flaw
php zend_alter_ini_entry() memory_limit interruption
security flaw
php imap_mail_compose() buffer overflow via type.parameters
php size calculation in chunk_split
php money_format format string issue
PHP buffer overflow
php libxmlrpc library overflow
security flaw
php: proc_open() safe mode restriction bypass
php: openssl extension: Incorrect verification of SSL certificate with NUL in name
php: buffer overflow in the imageloadfont function in gd extension
php: gd - improper upper bound check in imagecolortransparent
php: exif extension: Multiple missing sanity checks in EXIF file processing
php: ZipArchive::extractTo() Directory Traversal Vulnerability
php: incorrect php_value order for Apache configuration
PHP 32 bit weak random seed
php: integer overflow in shmop_read()
php: several format string vulnerabilities in PHP's Phar extension
php: use-after-free vulnerability in substr_replace()
php: incomplete CVE-2012-1823 fix - incorrect check for =
php53: Arbitrary locations file write due to absent validation of soap.wsdl_cache_dir configuration directive value
php: memory corruption in openssl_x509_parse()
php: Integer overflow leading to heap-buffer overflow in the Phar extension
php: xmlrpc ISO8601 date format parsing buffer overflow
php: use after free in opcache extension
php: integer overflow in unserialize()
php: use after free vulnerability in unserialize()
php: Double-free in zend_ts_hash_graceful_destroy()
php: use after free vulnerability in unserialize() with DateTimeZone
libzip: integer overflow when processing ZIP archives
php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re
php: heap buffer overflow in enchant_broker_request_dict()
file: malformed elf file causes access to uninitialized memory
php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
php: out of bounds read when parsing a crafted .php file
php: denial of service when processing a crafted file with Fileinfo
php: denial of service when processing a crafted file with Fileinfo
php: Integer overflow in php_raw_url_encode
php: integer overflow leading to heap overflow when reading FTP file listing
php: Files from archive can be extracted outside of destination directory using phar
php: SoapClient's __call() type confusion through unserialize()
php: invalid pointer free() in phar_tar_process_metadata()
php: wddx_deserialize null dereference in php_wddx_pop_element
php: wddx_deserialize null dereference
file: root_storage NULL pointer dereference flaw in CDF parser
php: NULL pointer dereference in XSLTProcessor class
php: NULL pointer dereference in XSLTProcessor class
php: Null pointer dereference in php_wddx_push_element
php: Session Data Injection Vulnerability
gd: Stack overflow in gdImageFillToBorder on truecolor images
php: Incorrect return value check of OpenSSL sealing function leads to crash
php: Incorrect WDDX deserialization of boolean parameters leads to DoS
php: Denial-of-Service via injecting long form variables
php: Out-of-bound read in timelib_meridian()
php: wddx_deserialize() heap out-of-bound read via php_parse_date()
php: Incorrect handling of URI components in URL parser
php: Output of stream_get_meta_data can be falsified by its input
php: Infinite loop in ext/iconv/iconv.c when using stream filter with convert.iconv on invalid sequence leads to denial-of-service
php: NULL pointer dereference due to mishandling of ldap_get_dn return value allows DoS via malicious LDAP server reply
php: Buffer over-read in PHAR reading functions
php: Out-of-bounds read in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c
php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
php: File rename across filesystems may allow unwanted access during processing
php: Uninitialized read in exif_process_IFD_in_MAKERNOTE
php: Uninitialized read in exif_process_IFD_in_MAKERNOTE
php: buffer overflow in phar_set_inode()
gd: gdImageScaleTwoPass function in gd_interpolation.c uses inconsistent allocate and free approaches
php: regressions in 5.4+
php: odbc_bindcols function mishandles driver behavior for SQL_WVARCHAR columns
php: wddx_deserialize null dereference with invalid xml
gd: gdImageFillToBorder deep recursion leading to stack overflow
php: pcntl_exec() accepts paths with NUL character
php: Stack based buffer overflow in msgfmt_format_message
php: Stack consumption vulnerability in Zend/zend_exceptions.c
php: NULL pointer dereference in php_pgsql_meta_data()
php: Out-of-bounds heap read on unserialize in finish_nested_data()
php: Integer overflow in phar_parse_pharfile
php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
php: Wrong calculation in exif_convert_any_to_int function
gd: buffer overrun
php: potential SSRF via fsockopen
php: denial of service in libmagic/apprentice.c
php: Use After Free Vulnerability in unserialize()
php: buffer overflow and stack smashing error in phar_fix_filepath
file: Buffer over-write in finfo_open with malformed magic file
php: dangling pointer in the unserialization of ArrayObject items
php: SOAP serialize_function_call() type confusion
php user_filter_factory_create overflow
php: Type confusion vulnerability in make_http_soap_request()
security flaw
security flaw
php multiple integer overflows in gd
security flaw
php chunk_split integer overflow
php session extension global variable clobber
php: Zend use-after-free certain methods are called on objects accessed by a reference
php: XSS and SQL injection bypass via crafted overlong UTF-8 encoded string
php: PG(magic_quote_gpc) was not restored on shutdown
php: XSS mitigation bypass via utf8_decode()
php: session fixation vulnerability allows remote hijacking of sessions
php: heap corruption issue in exif_thumbnail()
php: multiple buffer over-reads in php_parserr
php: multiple vulnerabilities in gdImageCrop()
php: Free called on uninitialized pointer in exif.c
php: pipelined request executed in deinitialized interpreter under httpd 2.4
php: uninitialized pointer in phar_make_dirstream()
php: NULL pointer dereference in phar_get_fp_offset()
security flaw
file: cdf_read_short_sector insufficient boundary check
file: cdf_count_chain insufficient boundary check
file: mconvert incorrect handling of truncated pascal string size
php: Null pointer dereference in exif_process_user_comment
php: Buffer over-read from uninitialized data in gdImageCreateFromGifCtx function
php: Infinite loop in php-fpm when restarting a child using program execution function
$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities
php: missing null byte checks for paths in various PHP extensions
php: missing null byte checks for paths in DOM and GD extensions
php htmlentities/htmlspecialchars multibyte sequences
php: dba_replace() file corruption vulnerability
php: buffer overflow in memnstr
php: XSLT file writing vulnerability
php: file path injection vulnerability in RFC1867 file upload filename
php: HTTP response splitting in header() function
php: Reflected XSS on PHAR 404 page
php: Reflected XSS vulnerability on PHAR 403 and 404 error pages
php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
php: mysqlnd interface vulnerable to BACKRONYM
php: $_FILES array indexes corruption
php: buffer over-read in Phar metadata parsing
gd: Infinite loop in gdImageCreateFromGifCtx() in gd_gif_in.c
php: exif: Buffer over-read in exif_process_IFD_in_MAKERNOTE()
php: Memory Leakage In exif_process_IFD_in_TIFF
php: missing null byte checks for paths in various PHP extensions
php make_http_soap_request flaw
PHP: insecure random numbers
security flaw
security flaw
security flaw
security flaw
security flaw
security flaw
security flaw
security flaw
php floating point exception inside wordwrap
php crash in glob() and fnmatch() functions
php crash in setlocale() function
php session extension information leak
php malformed cookie handling
php: chdir(), ftok() (standard ext) safe_mode bypass
php: crash when extracting zip file with relative paths
php: FastCGI module DoS via multiple dots preceding the extension
php: libgd imagerotate() array index error memory disclosure
php: ext/imap legacy routine buffer overflow
php: safe_mode / open_basedir security fixes in 5.3.1
PHP error_log DoS
crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
php: multiple NULL pointer dereferences
php: iconv_mime_decode_headers skips headers using unsupported encoding
php: paths with NULL character were considered valid
php: mt_rand() does not check that max is greater than min
php: getSymbol() integer overflow vulnerability
php: hash table collisions CPU usage DoS (oCERT-2011-003)
php: safe_mode / open_basedir security fixes in 5.2.13/5.3.2
php: crash when unserializing serialized PDORow object
php: Crash by converting serial day numbers (SDN) into Julian calendar
php: DoS via unserialize
php: strtotime timezone memory leak
php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
php: NumberFormatter: set a symbol value crash (DoS) on bogus values
php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h
php: Ability to read arbitrary files due to use of external entities while parsing SOAP WSDL files
php: Integer overflow in SndToJewish - DoS (excessive CPU use, interpreter hang)
php: open_basedir bypass via SQLite functionality
php: heap-based buffer over-read in DateInterval
php: Heap-based buffer overflow in quoted_printable_encode()
php: NULL pointer dereference in pgsql extension
file: CDF property info parsing nelements infinite loop
file: cdf_unpack_summary_info() excessive looping DoS
php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime()
file: out of bounds read in mconvert()
php: move_uploaded_file() NUL byte injection in file name
php: multiple vulnerabilities in gdImageCrop()
php: SoapClient's do_soap_call() type confusion after unserialize()
php: multipart/form-data request parsing CPU usage DoS
php: memory corruption in phar_parse_tarfile caused by empty entry file name
php: Dumpable FPM child processes allow bypassing opcache access controls
security flaw
CVE-2006-3011 multiple PHP safe mode bypasses (CVE-2006-4481, CVE-2006-2563)
php: predictable file name used for cache in world writeable directory
php: SPL Iterators use-after-free
security flaw
security flaw
php cross-site cookie insertion
security flaw
php session ID leakage
php: exif_read_data crash on corrupted JPEG files
php: DoS when using HTTP proxy with the FTP wrapper
php: htmlspecialchars() insufficient checking of input for multi-byte encodings
php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate()
php: buffer over-read in Exif extension
php: DoS (excessive CPU consumption) by processing certain Zip archive files
php: crash when processing certain Zip archives
php: race condition when handling many concurrent signals may lead to memory corruption
php: Crash by retrieving string value of a variable, when high precision used
php: Multiple memory leaks in the OpenSSL extension
crypt(): DES encrypted password weakness
php: hostname check bypassing vulnerability in SSL client
PHP: sapi_header_op() %0D sequence handling security bypass
file: incomplete fix for CVE-2012-1571 in cdf_read_property_info
file: out-of-bounds access in search rules with offsets from input file
file: cdf_read_property_info insufficient boundary check
file: cdf_check_stream_offset insufficient boundary check
gd: NULL pointer dereference in gdImageCreateFromXpm()
php: ZipArchive::extractTo allows for directory traversal when creating directories
CVE-2006-4625 PHP safe mode bypass
php-pear: insecure temporary file use for cache data
php: insecure temporary file use in the configure script
security flaw
security flaw
php CRLF injection
php: XSS via PHP error messages
php: PDO array over-read crash
phar wrapper: DoS can occur when using a quine gzip file
security flaw
CVE-2006-2660 tempnam() unique filename bypass
PHP mbstring.func_overload web server denial of service