CVE-2015-0273

Name of the Vulnerable Software and Affected Versions PHP versions prior to 5.4.38 PHP versions 5.5.x prior to 5.5.22 PHP versions 5.6.x prior to 5.6.6

Description The issue allows remote attackers to execute arbitrary code via crafted serialized input containing a (1) R or (2) r type specifier in (a) DateTimeZone data handled by the php date timezone initialize from hash function or (b) DateTime data handled by the php date initialize from hash function. This is due to multiple use-after-free vulnerabilities in the ext/date/php date.c component of PHP.

Recommendations For PHP versions prior to 5.4.38, update to version 5.4.38 or later. For PHP versions 5.5.x prior to 5.5.22, update to version 5.5.22 or later. For PHP versions 5.6.x prior to 5.6.6, update to version 5.6.6 or later. As a temporary workaround, consider restricting the use of the php date timezone initialize from hash and php date initialize from hash functions until a patch is available. Avoid using crafted serialized input containing R or r type specifiers in DateTimeZone and DateTime data.