CVE-2015-2331
Published: 2015-03-30

Priority: P270 · high · CVSS 2.0 score 7.5

CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

In the wild: VulnCheck KEV · Exploited in the wild

EPSS: 27.87% (97.9th percentile)
Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 and earlier, as used in the ZIP extension in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow.
Affected
42 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_el_capitan_v10.11 | — | — |
| debian | debian_linux | — | — |
| debian | libzip | < libzip 0.11.2-1.2 (bookworm) | libzip 0.11.2-1.2 (bookworm) |
| fedoraproject | fedora | — | — |
| libzip | libzip | >= 0 < 0.11.2-1.2 | 0.11.2-1.2 |
| libzip | libzip | >= 0 < 0.11.2-1.2 | 0.11.2-1.2 |
| libzip | libzip | >= 0 < 0.11.2-1.2 | 0.11.2-1.2 |
| libzip | libzip | >= 0 < 0.11.2-1.2 | 0.11.2-1.2 |
| nih | libzip | <= 0.11.2 | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| php | php | <= 5.4.38 | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered by a ZIP archive containing many entries (Zip64 format), causing an integer overflow in _zip_cdir_new() in zip_dirent.c, leading to a heap-based buffer overflow. Detect suspicious ZIP files with an abnormally large number of central directory entries, especially those using Zip64 extensions.
- The overflow is only triggerable via the Zip64 central directory code path (_zip_read_eocd64), where the number of entries is stored as a 64-bit value. Inspect ZIP files for Zip64 end-of-central-directory records with extremely large entry counts as a detection signal.
- The affected function is _zip_cdir_new() in zip_dirent.c in libzip 0.11.2 and earlier (specifically versions 0.11+). Monitor for crashes or anomalous memory allocation failures in processes parsing ZIP files using libzip 0.11.x.
- PHP versions before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 embed vulnerable libzip. Monitor PHP processes handling ZIP file uploads for crashes or unexpected code execution.
- The integer overflow is only exploitable on 32-bit systems for libzip versions between the Zip64 nentry-type change commit and the fix, because on 64-bit systems the nentry type is zip_uint64_t and the overflow arithmetic differs.
- libzip versions prior to 0.11 are not affected because the entry count is read as a 16-bit value (max 65535), which is insufficient to trigger the overflow when multiplied by sizeof(struct zip_dirent).
- Red Hat Enterprise Linux 5, 6, and 7 PHP and libzip packages are NOT affected, as they ship libzip versions 0.9.x and 0.10.1, which predate the vulnerable Zip64 code path.
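The bullets above describe the defect as a 64-bit Zip64 entry count multiplied by sizeof(struct zip_dirent) wrapping a 32-bit size_t before the central-directory allocation, and propose the Zip64 end-of-central-directory entry count as a detection signal. The C below is an added example written for this page, not libzip's or PHP's code: it parses the Zip64 EOCD record layout (standard PKZIP APPNOTE fields), applies an overflow-checked multiply that models a 32-bit or 64-bit size_t, and flags an entry count that would wrap. ENTRY_SIZE_ASSUMED is a placeholder for the real sizeof(struct zip_dirent), which the page does not give, and all function names and the test record are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Zip64 end-of-central-directory record: signature "PK\x06\x06" (0x06064b50 LE),
 * 56 bytes of fixed fields; the total entry count is the 8-byte field at offset 32. */
#define ZIP64_EOCD_SIG 0x06064b50u
#define ZIP64_EOCD_LEN 56u

/* ASSUMPTION (constructed): per-entry size the allocation is multiplied by.
 * The real sizeof(struct zip_dirent) is not on the page; 96 is a placeholder. */
#define ENTRY_SIZE_ASSUMED 96u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

static void wr64(uint8_t *p, uint64_t v) {
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Overflow-checked nentry * entry_size, with the product limited to a
 * `bits`-wide size type (32 models a 32-bit size_t, 64 a 64-bit one).
 * Returns 1 and stores the product if it fits, 0 if it would wrap. */
int cdir_alloc_size_ok(uint64_t nentry, uint64_t entry_size, unsigned bits, uint64_t *out) {
    uint64_t max = (bits >= 64) ? UINT64_MAX : ((1ull << bits) - 1);
    if (entry_size == 0) { if (out) *out = 0; return 1; }
    if (nentry > max / entry_size) return 0;   /* division form cannot overflow */
    if (out) *out = nentry * entry_size;
    return 1;
}

/* The unguarded product as a `bits`-wide type would store it: the undersized
 * length a wrapping multiply would hand to the allocator. */
uint64_t wrapped_product(uint64_t nentry, uint64_t entry_size, unsigned bits) {
    uint64_t p = nentry * entry_size;          /* wraps modulo 2^64 */
    return (bits >= 64) ? p : (p & ((1ull << bits) - 1));
}

/* Parse a Zip64 EOCD record and return its total-entries field.
 * Returns 1 on success, 0 if the buffer is too short or the signature is wrong. */
int parse_zip64_eocd(const uint8_t *buf, size_t len, uint64_t *total_entries) {
    if (len < ZIP64_EOCD_LEN || rd32(buf) != ZIP64_EOCD_SIG) return 0;
    /* Layout: 4 sig | 8 record size | 2 ver made | 2 ver needed | 4 disk no |
     * 4 cd disk | 8 entries this disk | 8 total entries | 8 cd size | 8 cd offset */
    *total_entries = rd64(buf + 32);
    return 1;
}

/* Constructed test fixture: a Zip64 EOCD record carrying the given entry count,
 * all other fields zero or minimal. Used only to exercise the checks offline. */
void build_zip64_eocd(uint8_t out[ZIP64_EOCD_LEN], uint64_t total_entries) {
    memset(out, 0, ZIP64_EOCD_LEN);
    wr32(out, ZIP64_EOCD_SIG);
    wr64(out + 4, ZIP64_EOCD_LEN - 12);   /* record size excludes sig + size fields */
    wr64(out + 24, total_entries);        /* entries on this disk */
    wr64(out + 32, total_entries);        /* total entries */
}

/* The detection signal from the page: flag a Zip64 EOCD whose entry count would
 * overflow the central-directory allocation on a `bits`-wide size_t.
 * Returns 1 = suspicious, 0 = fits, -1 = not a Zip64 EOCD record. */
int zip64_entry_count_suspicious(const uint8_t *buf, size_t len, unsigned bits) {
    uint64_t n;
    if (!parse_zip64_eocd(buf, len, &n)) return -1;
    return cdir_alloc_size_ok(n, ENTRY_SIZE_ASSUMED, bits, NULL) ? 0 : 1;
}

int main(void) {
    uint8_t rec[ZIP64_EOCD_LEN];
    uint64_t n = 0, fits = 0;
    build_zip64_eocd(rec, 0x10000001ull);   /* constructed count, far beyond any real archive */
    parse_zip64_eocd(rec, sizeof rec, &n);
    printf("entries=%llu wrapped32=%llu fits32=%d fits64=%d\n",
           (unsigned long long)n,
           (unsigned long long)wrapped_product(n, ENTRY_SIZE_ASSUMED, 32),
           cdir_alloc_size_ok(n, ENTRY_SIZE_ASSUMED, 32, &fits),
           cdir_alloc_size_ok(n, ENTRY_SIZE_ASSUMED, 64, &fits));
    return 0;
}
```

With the placeholder entry size, a count of 0x10000001 wraps a 32-bit product to 96 bytes, which is the kind of tiny allocation followed by a large copy that the advisory describes, while the same count fits comfortably in 64-bit arithmetic; a count of 65535 (the pre-Zip64 16-bit maximum) passes the check on both, matching the note that pre-0.11 versions are unaffected. Scanners that only see an archive's trailer can apply zip64_entry_count_suspicious to the Zip64 EOCD record directly.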
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vulncheck | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-wfcw-88hm-m2xm: Integer overflow in the _zip_cdir_new function in zip_dirent
Source: ghsa (unreviewed) · 2022-05-14 · severity HIGH
OSV
CVE-2015-2331: Integer overflow in the _zip_cdir_new function in zip_dirent
Source: osv · 2015-03-30 · CVSS 7.5 (HIGH)
VulnCheck
PHP ZIP Extension _zip_cdir_new Integer Overflow
Source: vulncheck · 2015 · CVSS 7.5 (HIGH)
Affected: nih libzip
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/threat-landscape-report-2h-2023.pdf
Red Hat
libzip: integer overflow when processing ZIP archives
Source: vendor_redhat · 2015-03-18 · CVSS 7.5 (HIGH) · CWE-190
An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is also embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.
Debian
CVE-2015-2331: libzip - Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip 0.11.2 ...
Source: vendor_debian · 2015 · CVSS 7.5 (HIGH)
Scope: local
- bookworm: resolved (fixed in 0.11.2-1.2)
- bullseye: resolved (fixed in 0.11.2-1.2)
- forky: resolved (fixed in 0.11.2-1.2)
- sid: resolved (fixed in 0.11.2-1.2)
- trixie: resolved (fixed in 0.11.2-1.2)
Apple
CVE-2015-2331: OS X El Capitan v10.11
Source: vendor_apple · CVSS 7.5 (HIGH)
Apple Security Update: About the security content of OS X El Capitan v10.11
Product: OS X El Capitan v10.11
CVE: CVE-2015-2331
Component: CVE-2015-2331
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-2331 php: libzip: integer overflow when processing ZIP archives [fedora-all]
Source: bugzilla · 2015-03-23 · CVSS 7.5 (HIGH)

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported vers
Bugzilla
CVE-2015-2331 libzip: integer overflow when processing ZIP archives
Source: bugzilla · 2015-03-23 · CVSS 7.5 (HIGH)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way libzip, which is embedded in PHP, processed certain ZIP archives. If an attacker were able to supply a specially crafted ZIP archive to an application using libzip, it could cause the application to crash or, possibly, execute arbitrary code.

Upstream patch: https://github.com/php/php-src/commit/ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5

Upstream issue: https://bugs.php.net/bug.php?id=69253

According to http://seclists.org/oss-sec/2015/q1/885, libzip upstream has been notified of this issue.
Discussion:
Created libzip tracking bugs for this issue:
Affects: fedora-all [bug 1204677]
---
Created mingw-libzip tracking bugs for thi
Bugzilla
CVE-2015-2331 mingw-libzip: php: libzip: integer overflow when processing ZIP archives [fedora-all]
Source: bugzilla · 2015-03-23 · CVSS 7.5 (HIGH)

This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
References
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5
- http://hg.nih.at/libzip/rev/9f11d54f692e
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00008.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154266.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154276.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154666.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155299.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155622.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/153983.html
- http://lists.opensuse.org/opensuse-updates/2015-03/msg00083.html
- http://lists.opensuse.org/opensuse-updates/2015-04/msg00002.html
- http://marc.info/?l=bugtraq&m=143403519711434&w=2
- http://marc.info/?l=bugtraq&m=143748090628601&w=2
- http://marc.info/?l=bugtraq&m=144050155601375&w=2
- http://php.net/ChangeLog-5.php
- http://www.debian.org/security/2015/dsa-3198
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:079
- http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html
- http://www.securitytracker.com/id/1031985
- https://bugs.php.net/bug.php?id=69253
- https://support.apple.com/HT205267