CVE-2016-7414

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.6.26 PHP versions 7.x prior to 7.0.11

Description The issue is related to the ZIP signature-verification feature, which does not ensure that the uncompressed filesize field is large enough. This allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have other unspecified impacts via a crafted PHAR archive. The problem is associated with the files ext/phar/util.c and ext/phar/zip.c.

Recommendations For PHP versions prior to 5.6.26, update to version 5.6.26 or later. For PHP versions 7.x prior to 7.0.11, update to version 7.0.11 or later. As a temporary workaround, consider restricting the use of PHAR archives until a patch is applied.