PHP 5.2
security flaw
php: Heap-based buffer overflow in the mbstring extension via crafted string containing an HTML entity (arbitrary code execution)
PHP multibyte shell escape flaw
php: stack based buffer overflow in FastCGI SAPI
PHP crash in crypt() from long salt
php: $_SESSION usort() interruption corruption
php: Integer Signedness issues in _php_stream_scandir
php: Buffer overflow in com_print_typeinfo() by parsing certain variant types
Argument Injection in PHP-CGI
PHP weak 64 bit random seed
php: command line arguments injection when run in CGI mode (VU#520827)
php: type confusion issue in unserialize() with various SOAP methods
php: type confusion issue in Soap Client call() method
php: type confusion issue in unserialize() with various SOAP methods
php: Out-of-bounds access in locale_accept_from_http
php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
php: xml_parse_into_struct() can crash when XML parser is re-used
php: Missing type check when unserializing SplArray
php: Out-of-bounds access in exif_process_IFD_in_MAKERNOTE
php: Use After Free Vulnerability in PHP's GC algorithm and unserialize
php: buffer overflow in handling of long link names in tar phar archives
php: Use after free in unserialize() with Unexpected Session Deserialization
php: Int/size_t confusion in SplFileObject::fread
php: bcpowmod accepts negative scale causing heap buffer overflow corrupting _one_ definition
php: multiple unserialization use-after-free issues
php: Incomplete Class unserialization type confusion
php: Use-after-free vulnerability in the spl_ptr_heap_insert function
php: Integer Overflows in mcrypt_generic() and mdecrypt_generic() resulting in heap overflows
php: Buffer over-read in php_url_parse_ex
php: select_colors write out-of-bounds
php: Use after free in unserialize()
php: Use after free in unserialize() via DateInterval::__wakeup()
php: buffer over-read in finish_nested_data function
oniguruma: Heap buffer overflow in next_state_val() during regular expression compilation
oniguruma: Out-of-bounds stack read in match_at() during regular expression searching
php: Stack-based buffer under-read in php_stream_url_wrap_http_ex() in http_fopen_wrapper.c when parsing HTTP response
php: Heap-based buffer over-read in PHAR reading functions
php: Heap-based buffer over-read in mbstring regular expression functions
php: Invalid memory access in function xmlrpc_decode()
php: Uninitialized read in exif_process_IFD_in_TIFF
php: Memory corruption when destructing deserialized object
php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used
php: Double free in _php_mb_regex_ereg_replace_exec
php: bypass __wakeup() in deserialization of an unexpected object
php: segmentation fault in Phar::convertToData on invalid file
php: use-after-free vulnerability in session deserializer
php: Double free vulnerability in error condition of format printer
php: Use after free in WDDX Deserialize when processing XML data
php: Heap buffer overflow vulnerability in simplestring_addn in simplestring.c
php: type confusion issue in unserialize() with various SOAP methods
php: Use after free in SNMP with GC and unserialize()
php: Out of bounds heap read when verifying signature of zip phar in phar_parse_zipfile
php: Double Free Corruption in wddx_deserialize
php: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
php: integer overflow in ftp_genlist() resulting in heap overflow (improved fix for CVE-2015-4022)
php: Use after free in wddx_deserialize
php: Out-of-bounds heap memory read in exif_read_data() caused by malformed input
php: exception::getTraceAsString type confusion issue after unserialize
php: OOB read in grapheme_stripos and grapheme_strpos when negative offset is used
php: Overflowing the length of string causes crash
php: Invalid read when wddx decodes empty boolean element
php: stack buffer overflow in locale_get_display_name
php: buffer overflow in a CGI path translation
gd: insufficient input validation in _gdGetColors()
php: Out-of-bounds memory read via gdImageRotateInterpolated
php: Out-of-bounds read in phar_parse_pharfile
php: out-of-bounds write in fpm_log.c
gd: Integer overflow in _gd2GetHeader() resulting in heap overflow
gd: Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
php: Out-of-bounds read in ext/exif/exif.c:exif_read_data() when reading crafted JPEG data
gd: Heap-based buffer overflow in gdImageColorMatch() in gd_color_match.c
php: Stack-based buffer overflow vulnerability in php_stream_zip_opener
php: Uninitialized pointer in phar_make_dirstream()
php: use of uninitialized pointer in PharFileInfo::getContent
php: improper nul termination leading to out-of-bounds read in get_icu_value_internal
php: Integer overflow in php_filter_full_special_chars
php: Integer overflow in php_html_entities()
php: Integer underflow causing arbitrary null write in fread/gzread
php: Out-of-bounds read in phar_parse_zipfile()
php: Heap overflow in mysqlnd when not receiving UNSIGNED_FLAG in BIT field
security flaw
php: Integer overflow leads to buffer overflow in virtual_file_ex
php: Stack based 1-byte buffer over-write in zend_ini_do_op() function Zend/zend_ini_parser.c
php: Improper error handling in bzread()
gd: incorrect boundary adjustment in _gdContributionsCalc
security flaw
php tidy extension buffer overflow
php zend_alter_ini_entry() memory_limit interruption
security flaw
php imap_mail_compose() buffer overflow via type.parameters
php size calculation in chunk_split
php size calculation in chunk_split
php money_format format string issue
PHP buffer overflow
php libxmlrpc library overflow
t1lib font filename string overflow
security flaw
php: change to the FILTER_UNSAFE_RAW in 5.2.7 breaks magic_quotes_gpc
php: missing initialization of BG(page_uid) and BG(page_gid)
php: proc_open() safe mode restriction bypass
php: openssl extension: Incorrect verification of SSL certificate with NUL in name
php: gd - improper upper bound check in imagecolortransparent
php: exif extension: Multiple missing sanity checks in EXIF file processing
php: ZipArchive::extractTo() Directory Traversal Vulnerability
php: incorrect php_value order for Apache configuration
PHP 32 bit weak random seed
php: safe_mode / open_basedir security fixes in 5.2.13/5.3.2
php: integer overflow in shmop_read()
php: several format string vulnerabilities in PHP's Phar extension
php: sqlite: use of uninitialized memory triggered by empty SQL query (MOPS-2010-012, MOPS-2010-013)
php: use-after-free vulnerability in substr_replace()
php: incomplete CVE-2012-1823 fix - incorrect check for =
php53: Arbitrary locations file write due to absent validation of soap.wsdl_cache_dir configuration directive value
php: memory corruption in openssl_x509_parse()
php: Integer overflow leading to heap-buffer overflow in the Phar extension
php: xmlrpc ISO8601 date format parsing buffer overflow
php: use after free in opcache extension
php: integer overflow in unserialize()
php: use after free vulnerability in unserialize()
php: Double-free in zend_ts_hash_graceful_destroy()
php: use after free vulnerability in unserialize() with DateTimeZone
libzip: integer overflow when processing ZIP archives
php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
php: use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re
php: heap buffer overflow in enchant_broker_request_dict()
file: malformed elf file causes access to uninitialized memory
php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
php: out of bounds read when parsing a crafted .php file
php: denial of service when processing a crafted file with Fileinfo
php: denial of service when processing a crafted file with Fileinfo
php: Integer overflow in php_raw_url_encode
php: integer overflow leading to heap overflow when reading FTP file listing
php: Files from archive can be extracted outside of destination directory using phar
php: SoapClient's __call() type confusion through unserialize()
php: invalid pointer free() in phar_tar_process_metadata()
php: wddx_deserialize null dereference in php_wddx_pop_element
php: wddx_deserialize null dereference
file: root_storage NULL pointer dereference flaw in CDF parser
php: NULL pointer dereference in XSLTProcessor class
php: NULL pointer dereference in XSLTProcessor class
php: Null pointer dereference in php_wddx_push_element
php: Session Data Injection Vulnerability
gd: Stack overflow in gdImageFillToBorder on truecolor images
php: Incorrect return value check of OpenSSL sealing function leads to crash
php: Incorrect WDDX deserialization of boolean parameters leads to DoS
php: Denial-of-Service via injecting long form variables
php: Out-of-bound read in timelib_meridian()
php: wddx_deserialize() heap out-of-bound read via php_parse_date()
php: Incorrect handling of URI components in URL parser
php: Output of stream_get_meta_data can be falsified by its input
php: Infinite loop in ext/iconv/iconv.c when using stream filter with convert.iconv on invalid sequence leads to denial-of-service
php: NULL pointer dereference due to mishandling of ldap_get_dn return value allows DoS via malicious LDAP server reply
php: Buffer over-read in PHAR reading functions
php: Out-of-bounds read in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c
php: exif: integer overflow leading to out-of-bound buffer read in exif_thumbnail_extract()
php: File rename across filesystems may allow unwanted access during processing
php: Uninitialized read in exif_process_IFD_in_MAKERNOTE
php: Uninitialized read in exif_process_IFD_in_MAKERNOTE
php: XMLWriter information leak
php: buffer overflow in phar_set_inode()
gd: gdImageScaleTwoPass function in gd_interpolation.c uses inconsistent allocate and free approaches
php: regressions in 5.4+
php: odbc_bindcols function mishandles driver behavior for SQL_WVARCHAR columns
php: wddx_deserialize null dereference with invalid xml
gd: gdImageFillToBorder deep recursion leading to stack overflow
php: pcntl_exec() accepts paths with NUL character
php: Stack based buffer overflow in msgfmt_format_message
php: Stack consumption vulnerability in Zend/zend_exceptions.c
php: NULL pointer dereference in php_pgsql_meta_data()
php: Unserialize Exception object can lead to infinite loop
php: Out-of-bounds heap read on unserialize in finish_nested_data()
php: Integer overflow in phar_parse_pharfile
php: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
php: Zend OPCache code permission/sensitive data protection issues
php: Wrong calculation in exif_convert_any_to_int function
php: buffer overflow in the imageloadfont function in gd extension
pcre: heap overflow caused by incorrect option handling
php: SplObjectStorage unserialization flaws (MOPS-2010-061)
php: Serializing or unserializing COM objects crashes
php: potential SSRF via fsockopen
php: denial of service in libmagic/apprentice.c
php: Use After Free Vulnerability in unserialize()
php: buffer overflow and stack smashing error in phar_fix_filepath
file: Buffer over-write in finfo_open with malformed magic file
php: dangling pointer in the unserialization of ArrayObject items
php: SOAP serialize_function_call() type confusion
php user_filter_factory_create overflow
php: open_basedir restriction bypass
php: Type confusion vulnerability in make_http_soap_request()
security flaw
php multiple integer overflows in gd
php session extension global variable clobber
php: safe_mode / open_basedir security fixes in 5.3.1
php: Zend use-after-free certain methods are called on objects accessed by a reference
php: XSS and SQL injection bypass via crafted overlong UTF-8 encoded string
php: PG(magic_quotes_gpc) was not restored on shutdown
php: XSS mitigation bypass via utf8_decode()
php: session fixation vulnerability allows remote hijacking of sessions
php: heap corruption issue in exif_thumbnail()
php: multiple buffer over-reads in php_parserr
php: multiple vulnerabilities in gdImageCrop()
php: Free called on uninitialized pointer in exif.c
php: pipelined request executed in deinitialized interpreter under httpd 2.4
php: uninitialized pointer in phar_make_dirstream()
php: NULL pointer dereference in phar_get_fp_offset()
security flaw
php chunk_split integer overflow
file: cdf_read_short_sector insufficient boundary check
file: cdf_count_chain insufficient boundary check
file: mconvert incorrect handling of truncated pascal string size
php: Null pointer dereference in exif_process_user_comment
php: Buffer over-read from uninitialized data in gdImageCreateFromGifCtx function
php: Infinite loop in php-fpm when restarting a child using program execution function
$_COOKIE names string replacement (. -> _): cookie integrity vulnerabilities
php: missing null byte checks for paths in various PHP extensions
php: missing null byte checks for paths in DOM and GD extensions
php htmlentities/htmlspecialchars multibyte sequences
php: dba_replace() file corruption vulnerability
php: XSLT file writing vulnerability
php: shm_put_var interruption vulnerability (MOPS-2010-009)
php: LCG entropy weakness
php: multiple interruption vulnerabilities (MOPS-2010-0[49,50,51,52,53,54,55])
php: file path injection vulnerability in RFC1867 file upload filename
php: buffer overflow in memnstr
php: HTTP response splitting in header() function
php: Reflected XSS on PHAR 404 page
php: Reflected XSS vulnerability on PHAR 403 and 404 error pages
php: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request
php: mysqlnd interface vulnerable to BACKRONYM
php: $_FILES array indexes corruption
php: buffer over-read in Phar metadata parsing
gd: Infinite loop in gdImageCreateFromGifCtx() in gd_gif_in.c
php: exif: Buffer over-read in exif_process_IFD_in_MAKERNOTE()
php: Memory Leakage In exif_process_IFD_in_TIFF
php: missing null byte checks for paths in various PHP extensions
php make_http_soap_request flaw
PHP: insecure random numbers
security flaw
php: curl safe mode bypass
security flaw
php floating point exception inside wordwrap
php crash in setlocale() function
php session extension information leak
php malformed cookie handling
php: crash when extracting zip file with relative paths
php: crash on malformed input in json_decode()
php: safe_mode / open_basedir security fixes in 5.3.1
PHP: resource exhaustion attack via upload requests with lots of files
php: preg_quote interruption vulnerability (MOPS-2010-017)
php: GD crash in imagepstext with invalid anti-aliasing argument
php: multiple interruption vulnerabilities (MOPS-2010-03[6789], MOPS-2010-040)
PHP error_log DoS
crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
php: multiple NULL pointer dereferences
php: fnmatch long pattern stack memory exhaustion (MOPS-2010-021)
php: session serializer session data injection vulnerability (MOPS-2010-060)
php: iconv_mime_decode_headers skips headers using unsupported encoding
php: paths with NULL character were considered valid
php: mt_rand() does not check that max is greater than min
php: interruption vulnerabilities in trim and substr_replace (MOPS-2010-047, MOPS-2010-048)
php: getSymbol() integer overflow vulnerability
php: hash table collisions CPU usage DoS (oCERT-2011-003)
PHP: Context stream use-after-free on request shutdown (MOPS-2010-022)
php: html_entity_decode interruption vulnerability (MOPS-2010-010)
php: safe_mode / open_basedir security fixes in 5.2.13/5.3.2
php: crash when unserializing serialized PDORow object
php: Crash by converting serial day numbers (SDN) into Julian calendar
php: DoS via unserialize
php: chunk_split interruption vulnerability (MOPS-2010-008)
php: bitwise operators interruption vulnerabilities (MOPS-2010-014, MOPS-2010-015, MOPS-2010-016)
php: strtotime timezone memory leak
php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
php: addcslashes interruption vulnerability (MOPS-2010-006)
PHP: iconv_mime_decode(), iconv_substr(), iconv_mime_encode() interruption flaws (MOPS-2010-032 MOPS-2010-033 MOPS-2010-034)
php: NumberFormatter: set a symbol value crash (DoS) on bogus values
php: multiple interruption vulnerabilities (MOPS-2010-04[123456])
php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h
php: Ability to read arbitrary files due use of external entities while parsing SOAP WSDL files
php: Integer overflow in SdnToJewish - DoS (excessive CPU use, interpreter hang)
php: open_basedir bypass via SQLite functionality
php: heap-based buffer over-read in DateInterval
php: Heap-based buffer overflow in quoted_printable_encode()
php: NULL pointer dereference in pgsql extension
file: CDF property info parsing nelements infinite loop
php: libxml RSHUTDOWN function disables the hooks which are used to implement open_basedir
file: cdf_unpack_summary_info() excessive looping DoS
php: xmlrpc ISO8601 date format parsing out-of-bounds read in mkgmtime()
file: out of bounds read in mconvert()
php: move_uploaded_file() NUL byte injection in file name
php: multiple vulnerabilities in gdImageCrop()
php: SoapClient's do_soap_call() type confusion after unserialize()
php: multipart/form-data request parsing CPU usage DoS
php: memory corruption in phar_parse_tarfile caused by empty entry file name
php: ext/imap legacy routine buffer overflow
php: FastCGI module DoS via multiple dots preceding the extension
php: chdir(), ftok() (standard ext) safe_mode bypass
php: posix_access() (posix ext) safe_mode bypass
php: libgd imagerotate() array index error memory disclosure
php: strrchr() interruption vulnerability
php: open_basedir bypass via fopen_wrappers.c
php: Double free in the imap extension
php: hang on numeric value 2.2250738585072011e-308 with x87 fpu
php: Dumpable FPM child processes allow bypassing opcache access controls
php: predictable file name used for cache in world writeable directory
php: SPL Iterators use-after-free
php cross-site cookie insertion
security flaw
php session ID leakage
php: exif_read_data crash on corrupted JPEG files
php: DoS when using HTTP proxy with the FTP wrapper
php: htmlspecialchars() insufficient checking of input for multi-byte encodings
php/libzip: segfault with FL_UNCHANGED on empty archive in zip_name_locate()
php: buffer over-read in Exif extension
php: DoS (excessive CPU consumption) by processing certain Zip archive files
php: crash when processing certain Zip archives
php: race condition when handling many concurrent signals may lead to memory corruption
php: Crash by retrieving string value of a variable, when high precision used
php: DoS in filter_var() via long email string
php: Multiple memory leaks in the OpenSSL extension
crypt(): DES encrypted password weakness
php: hostname check bypassing vulnerability in SSL client
PHP: sapi_header_op() %0D sequence handling security bypass
file: incomplete fix for CVE-2012-1571 in cdf_read_property_info
file: out-of-bounds access in search rules with offsets from input file
file: cdf_read_property_info insufficient boundary check
file: cdf_check_stream_offset insufficient boundary check
gd: NULL pointer dereference in gdImageCreateFromXpm()
php: ZipArchive::extractTo allows for directory traversal when creating directories
php: information leak vulnerability in var_export()
php: NULL pointer dereference in ZipArchive::getArchiveComment
php-pear: insecure temporary file use for cache data
php: insecure temporary file use in the configure script
php CRLF injection
php: XSS via PHP error messages
php: PDO array over-read crash
phar wrapper: DoS can occur when using a quine gzip file