CVE-2014-3538

file anterior a 5.19 no restringe debidamente la cantidad de datos leídos durante una búsqueda regex, lo que permite a atacantes remotos causar una denegación de servicio (consumo de CPU) a través de un fichero manipulado que provoca un retroceso durante el procesamiento de una norma awk. NOTA: esta vulnerabilidad existe debido a una soluciona incompleta para CVE-2013-7345.

Multiple flaws were found in the File Information (fileinfo) extension regular expression rules for detecting various files. A remote attacker could use either of these flaws to cause a PHP application using fileinfo to consume an excessive amount of CPU.

Use-after-free vulnerability in ext/spl/spl_array.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted ArrayIterator usage within applications in certain web-hosting environments. Use-after-free vulnerability in ext/spl/spl_dllist.c in the SPL component in PHP through 5.5.14 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact via crafted iterator usage within applications in certain web-hosting environments. file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345. The updated php packages have been upgraded to the 5.5.15 version and patched to resolve these security flaws. Additionally, the jsonc extension has been upgraded to the 1.3.6 version and the PECL packages which requires so has been rebuilt for php-5.5.15.