Debian Security Advisory

DSA-2723-1 php5 -- heap corruption

Date Reported:
17 Jul 2013
Affected Packages:
php5
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 717139.
In Mitre's CVE dictionary: CVE-2013-4113.
More information:

It was discovered that PHP could perform an invalid free request when processing crafted XML documents, corrupting the heap and potentially leading to arbitrary code execution. Depending on the PHP application, this vulnerability could be exploited remotely.

For the oldstable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze16.

For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u3.

For the unstable distribution (sid), this problem has been fixed in version 5.5.0+dfsg-15.

We recommend that you upgrade your php5 packages.