PublicDateAtUSN: 2014-12-20
Candidate: CVE-2014-8142
PublicDate: 2014-12-20 11:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8142
 https://ubuntu.com/security/notices/USN-2501-1
Description:
 Use-after-free vulnerability in the process_nested_data function in
 ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20,
 and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code
 via a crafted unserialize call that leverages improper handling of
 duplicate keys within the serialized properties of an object, a different
 vulnerability than CVE-2004-1019.
Ubuntu-Description:
Notes:
 mdeslaur> unserialize shouldn't be run on untrusted input
 mdeslaur> Patch was incomplete, leading to CVE-2015-0231
Bugs:
 https://bugs.php.net/bug.php?id=68594
Priority: low
Discovered-by: Stefan Esser
Assigned-to: mdeslaur
CVSS: 

Patches_php5:
 upstream: http://git.php.net/?p=php-src.git;a=commit;h=630f9c33c23639de85c3fd306b209b538b73b4c9
upstream_php5: needs-triage
lucid_php5: not-affected (5.3.2-1ubuntu4.28)
precise_php5: released (5.3.10-1ubuntu3.16)
trusty_php5: released (5.5.9+dfsg-1ubuntu4.6)
trusty/esm_php5: released (5.5.9+dfsg-1ubuntu4.6)
utopic_php5: released (5.5.12+dfsg-2ubuntu4.2)
devel_php5: not-affected (5.6.4+dfsg-4ubuntu1)