CVE-2015-6838
published 2016-05-16
Priority P3 · 37 · high · 7.5 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 7.28% (93.6th percentile)
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
Affected
46 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_el_capitan_10.11.1_security_update_2015-004_yosemite_and_security_update_20 | — | — |
| php | php | <= 5.4.44 | — |
| php | php | — | — |
CVSS provenance
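| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 7.5 | HIGH | — |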
GHSA
GHSA-6mjv-wh4q-f383: The xsl_ext_function_php function in ext/xsl/xsltprocessor
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2015-6837 [HIGH] GHSA-6mjv-wh4q-f383: The xsl_ext_function_php function in ext/xsl/xsltprocessor
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
GHSA
GHSA-q5x2-3h44-rh43: The xsl_ext_function_php function in ext/xsl/xsltprocessor
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2015-6838 [HIGH] GHSA-q5x2-3h44-rh43: The xsl_ext_function_php function in ext/xsl/xsltprocessor
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
OSV
CVE-2015-6837: The xsl_ext_function_php function in ext/xsl/xsltprocessor
osv·2015-09-09·CVSS 7.5
CVE-2015-6837 [HIGH] CVE-2015-6837: The xsl_ext_function_php function in ext/xsl/xsltprocessor
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
OSV
CVE-2015-6838: The xsl_ext_function_php function in ext/xsl/xsltprocessor
osv·2015-09-09·CVSS 7.5
CVE-2015-6838 [HIGH] CVE-2015-6838: The xsl_ext_function_php function in ext/xsl/xsltprocessor
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2015-09-30·CVSS 9.8
CVE-2015-5589 [CRITICAL] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that the PHP phar extension incorrectly handled certain
files. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service. (CVE-2015-5589)
It was discovered that the PHP phar extension incorrectly handled certain
filepaths. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-5590)
Taoguang Chen discovered that PHP incorrectly handled unserializing
objects. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-6831, CVE-2015-6834, CVE-2015-6835
Sean Heelan discovered that PHP inco
Red Hat
php: NULL pointer dereference in XSLTProcessor class
vendor_redhat·2015-06-09·CVSS 7.5
CVE-2015-6838 [HIGH] CWE-476 php: NULL pointer dereference in XSLTProcessor class
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the u
Red Hat
php: NULL pointer dereference in XSLTProcessor class
vendor_redhat·2015-06-09·CVSS 7.5
CVE-2015-6837 [HIGH] CWE-476 php: NULL pointer dereference in XSLTProcessor class
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation during initial error checking, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6838.
A NULL pointer dereference flaw was found in the XSLTProcessor class in PHP. An attacker could use this flaw to cause a PHP application to crash if it performed Extensible Stylesheet Language (XSL) transformations using untrusted XSLT files and allowed the use o
Apple
CVE-2015-6838: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
vendor_apple·CVSS 7.5
CVE-2015-6838 [HIGH] CVE-2015-6838: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
Apple Security Update: About the security content of OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
Product: OS X El Capitan 10.11.1, Security Update 2015-004 Yosemite, and Security Update 2015-007 Mavericks
CVE: CVE-2015-6838
Component: CVE-2015-6838
No detection rules found.
arXiv
CAMP: Compiler and Allocator-based Heap Memory Protection
arxiv_fulltext·2024-06-04
### Abstract
The heap is a critical and widely used component of many applications. Due to its dynamic nature, combined with the complexity of heap management algorithms, it is also a frequent target for security exploits. To enhance the heap's security, various heap protection techniques have been introduced, but they either introduce significant runtime overhead or have limited protection.
We present CAMP, a new sanitizer for detecting and capturing heap memory corruption. CAMP leverages a compiler and a customized memory allocator. The compiler adds boundary-checking and escape-tracking instructions to the target program, while the memory allocator tracks memory ranges, coordinates with the instrumentation, and neutralizes dangling pointers. With the novel error detection scheme, enable
Bugzilla
CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
bugzilla·2015-09-07·CVSS 7.5
CVE-2015-6837 [HIGH] CVE-2015-6837 CVE-2015-6838 php: NULL pointer dereference in XSLTProcessor class
The XSLTProcessor class misses a few checks on the input from the libxslt library. The valuePop() function call is able to return a NULL pointer and PHP does not check that.
Upstream report:
https://bugs.php.net/bug.php?id=69782
Upstream patch:
http://git.php.net/?p=php-src.git;a=commit;h=1744be2d17befc69bf00033993f4081852a747d6
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1260712]
---
CVE assignment:
http://seclists.org/oss-sec/2015/q3/524
---
php-5.6.13-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
---
php-5.6.13-1.fc22 has been pushed to the Fedora 22 stable repository. If proble
http://php.net/ChangeLog-5.php
http://www.debian.org/security/2015/dsa-3358
http://www.securityfocus.com/bid/76733
http://www.securitytracker.com/id/1033548
https://bugs.php.net/bug.php?id=69782
https://security.gentoo.org/glsa/201606-10
Published 2016-05-16