CVE-2014-0185

Priority
Medium
Description
sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before
5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket,
which allows local users to gain privileges via a crafted FastCGI client.
Notes
mdeslaur> allows local users to run php scripts with www-data permissions
mdeslaur> php5-fpm binary package is in universe
Assigned-to
mdeslaur
Package
Source: php5 (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 10.04 LTS (Lucid Lynx): not-affected (code not present)
Ubuntu 12.04 LTS (Precise Pangolin): released (5.3.10-1ubuntu3.12)
Ubuntu 13.10 (Saucy Salamander): released (5.5.3+dfsg-1ubuntu2.4)
Ubuntu 14.04 LTS (Trusty Tahr): released (5.5.9+dfsg-1ubuntu4.1)
Ubuntu 14.10 (Utopic Unicorn): not-affected (5.5.12+dfsg-2ubuntu1)
Patches:
Upstream: https://github.com/php/php-src/commit/35ceea928b12373a3b1e3eecdc32ed323223a40d

Updated: 2014-06-23 13:14:30 UTC (commit 8165)