CVE-2015-2331

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.4.39 PHP versions 5.5.x prior to 5.5.23 PHP versions 5.6.x prior to 5.6.7 libzip versions 0.11.2 and earlier

Description The issue is related to an integer overflow in the zip cdir new function, which can be exploited by remote attackers to cause a denial of service or possibly execute arbitrary code. This can be achieved by using a ZIP archive that contains many entries, leading to a heap-based buffer overflow.

Recommendations For PHP versions prior to 5.4.39, update to version 5.4.39 or later. For PHP versions 5.5.x prior to 5.5.23, update to version 5.5.23 or later. For PHP versions 5.6.x prior to 5.6.7, update to version 5.6.7 or later. For libzip versions 0.11.2 and earlier, update to a version later than 0.11.2. As a temporary workaround, consider restricting the use of ZIP archives with a large number of entries to minimize the risk of exploitation.