{"id":"CVE-2016-4343","details":"The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.","modified":"2026-04-11T04:02:12.375180Z","published":"2016-05-22T01:59:17.477Z","references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-updates/2016-05/msg00086.html"},{"type":"ADVISORY","url":"http://php.net/ChangeLog-5.php"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2750.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/04/28/2"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/89179"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149"},{"type":"ADVISORY","url":"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722"},{"type":"ADVISORY","url":"http://php.net/ChangeLog-7.php"},{"type":"REPORT","url":"https://bugs.php.net/bug.php?id=71331"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/php/php-src","events":[{"introduced":"0"},{"fixed":"527e8e73c97e282b1efde24cfb95dc0942e0ad59"},{"introduced":"fc1df8e7a6886e29a6ed5bef3f674ac61164e847"},{"fixed":"62cf13d3aa08b15107b02a0505a4f30142fa37b4"},{"introduced":"60fffd296abce5fc071f3c173c25a2696cf683c6"},{"fixed":"4e1b8701573698f56e12672e4991d7e6239138d2"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.5.36"},{"introduced":"5.6.0"},{"fixed":"5.6.18"},{"introduced":"7.0.0"},{"fixed":"7.0.3"}]}}],"versions":["POST_64BIT_BRANCH_MERGE","POST_AST_MERGE","POST_PHP7_NSAPI_REMOVAL","POST_PHP7_REMOVALS","POST_PHPNG_MERGE","PRE_64BIT_BRANCH_MERGE","PRE_AST_MERGE","PRE_PHP7_EREG_MYSQL_REMOVALS","PRE_PHP7_NSAPI_REMOVAL","PRE_PHP7_REMOVALS"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4343.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"13.2"}]}],"vanir_signatures_modified":"2026-04-11T04:02:12Z","vanir_signatures":[{"signature_type":"Function","deprecated":false,"id":"CVE-2016-4343-1be520b7","source":"https://github.com/php/php-src/commit/4e1b8701573698f56e12672e4991d7e6239138d2","signature_version":"v1","digest":{"length":231,"function_hash":"295037734266504677848102670698206975725"},"target":{"function":"PHP_MINIT_FUNCTION","file":"ext/standard/exec.c"}},{"signature_type":"Line","deprecated":false,"id":"CVE-2016-4343-998c6db5","source":"https://github.com/php/php-src/commit/4e1b8701573698f56e12672e4991d7e6239138d2","signature_version":"v1","digest":{"line_hashes":["47536493921292488180503894855773419194","114465696917561743629200732476751433886","328867887628948915816274583623244400274","297376920111133995317562874093014086385","168934627128843040351700635521553019231","258560438346906560143303805605521795951","2153196558742618628732246770820228434"],"threshold":0.9},"target":{"file":"ext/standard/exec.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}