Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.

Upstream bugs:
https://bugs.php.net/bug.php?id=69737
https://bugs.php.net/bug.php?id=69721

Upstream fix:
http://git.php.net/?p=php-src.git;a=commit;h=1cbd25ca15383394ffa9ee8601c5de4c0f2f90e1
This flaw is triggered by a fatal error generated in SplMinHeap::compare. To achieve that, the reporters created a PHP script which overrides the compare method with a custom one that throws such an error. Triggering this without a malicious script is unlikely. Upstream did not consider this to be a security issue: the type of both upstream bugs was changed from Security to Bug. The reporters also assume a local attack vector, which implies a malicious script author. PHP has never been safe against malicious scripts, and the removal of the safe mode feature in PHP 5.4 acknowledges that: http://php.net/manual/en/features.safe-mode.php

There is no plan to address this in Red Hat products.