MGASA-2014-0430

Updated php packages fix security vulnerabilities

Publication date: 28 Oct 2014
Modification date: 28 Oct 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-3669, CVE-2014-3670

Description

An integer overflow flaw in PHP's unserialize() function was reported. If
unserialize() were used on untrusted data, this issue could lead to a crash or
potentially information disclosure (CVE-2014-3669).

A heap corruption issue was reported in PHP's exif_thumbnail() function. A
specially-crafted JPEG image could cause the PHP interpreter to crash or,
potentially, execute arbitrary code (CVE-2014-3670).

If client-supplied input was passed to PHP's cURL client as a URL to download,
it could return local files from the server due to improper handling of null
bytes (PHP#68089).
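As an added illustration, not part of the advisory or of the Mageia packages, this is the kind of check an application can apply before handing a client-supplied URL to PHP's cURL client, so that embedded null bytes or non-HTTP schemes never reach the download step. The function names validate_download_url and fetch_remote are hypothetical.

```php
<?php
// Added example (not from the advisory): validate an untrusted URL before it is
// passed to cURL. The advisory describes local files being returned because
// null bytes in a client-supplied URL were mishandled, so the check rejects
// them explicitly and also pins the scheme to http/https.
function validate_download_url($url)
{
    // Reject null bytes and other control characters outright.
    if (!is_string($url) || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;
    }
    return $url;
}

// Fetch only after validation, and additionally restrict cURL itself to HTTP(S),
// including on redirects, so the allow-list holds even if a caller skips the check.
function fetch_remote($url)
{
    $safe = validate_download_url($url);
    if ($safe === null) {
        return false;
    }
    $ch = curl_init($safe);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs: a plain URL is accepted, a null-byte-laced URL and a
// file:// URL are both refused before cURL ever sees them.
var_dump(validate_download_url("http://example.com/report.txt"));
var_dump(validate_download_url("http://example.com/a\0b"));
var_dump(validate_download_url("file:///tmp/local.txt"));
```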

PHP has been updated to version 5.4.34 for Mageia 3 and 5.5.18 for Mageia 4,
which fix these issues and other bugs.

Additionally, the suhosin PHP extension has been updated to version 0.9.36,
and a bug in the PHP zip extension that could cause a crash on Mageia 4 has
been fixed (mga#13820).