PublicDateAtUSN: 2014-05-06
Candidate: CVE-2014-0185
PublicDate: 2014-05-06 10:44:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0185
 http://www.openwall.com/lists/oss-security/2014/04/29/5
 https://ubuntu.com/security/notices/USN-2254-1
Description:
 sapi/fpm/fpm/fpm_unix.c in the FastCGI Process Manager (FPM) in PHP before
 5.4.28 and 5.5.x before 5.5.12 uses 0666 permissions for the UNIX socket,
 which allows local users to gain privileges via a crafted FastCGI client.
Ubuntu-Description:
Notes:
 mdeslaur> allows local users to run php scripts with www-data permissions
 mdeslaur> php5-fpm binary package is in universe
Bugs:
 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0185
 https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1307027
 https://bugs.php.net/bug.php?id=67060
Priority: medium
Discovered-by: Christian Hoffmann
Assigned-to: mdeslaur
CVSS: 

Patches_php5:
 upstream: https://github.com/php/php-src/commit/35ceea928b12373a3b1e3eecdc32ed323223a40d
Tags_php5: universe-binary
upstream_php5: needs-triage
lucid_php5: not-affected (code not present)
precise_php5: released (5.3.10-1ubuntu3.12)
quantal_php5: ignored (reached end-of-life)
saucy_php5: released (5.5.3+dfsg-1ubuntu2.4)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.1)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.1)
devel_php5: not-affected (5.5.12+dfsg-2ubuntu1)