Vigil@nce - PHP: integer overflow of ZipArchive-getFrom
June 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a malicious ZIP file, to generate an
integer overflow in ZipArchive::getFromIndex() or
ZipArchive::getFromName() of PHP, in order to trigger a denial of
service, and possibly to run code.
Impacted products: PHP, Ubuntu.
Severity: 2/4.
Creation date: 28/04/2016.
DESCRIPTION OF THE VULNERABILITY
The PHP product offers a ZipArchive module, which extracts ZIP
archives.
However, if a size is too large, the getFromIndex() and
getFromName() functions use an integer which overflows.
An attacker can therefore create a malicious ZIP file, to generate
an integer overflow in ZipArchive::getFromIndex() or
ZipArchive::getFromName() of PHP, in order to trigger a denial of
service, and possibly to run code.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/PHP-integer-overflow-of-ZipArchive-getFrom-19479