In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler could be used by attackers supplying malicious archive files to crash the PHP interpreter or potentially disclose information due to a buffer over-read in the phar_parse_pharfile function in ext/phar/phar.c. Upstream bug: https://bugs.php.net/bug.php?id=73773 Upstream patch: http://git.php.net/?p=php-src.git;a=commit;h=e5246580a85f031e1a3b8064edbaa55c1643a451
For some reason, example_hostile.phar provided at php bug report does not trigger this vulnerability, but CVE-2016-10159.phar does. This vulnerability is exactly the same problem as in CVE-2016-10159, it was reported again because the fix was not enough and it was still vulnerable.
About security issues in .phar file .phar is an archive format designed to distribution application (code, mostly as .war for java) The format also includes metadata which are stored as serialized strings (so which are affected by all serialized issues, including class leak and wakeup) In the future, the PHP security team will not manage such issue as security Serious applications will never allow upload of such file (for ex, I checked Wordpress and GLPI)
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Via RHSA-2018:1296 https://access.redhat.com/errata/RHSA-2018:1296