CVE-2016-10161

Priority
Low
Description
The object_common1 function in ext/standard/var_unserializer.c in PHP
before 5.6.30, 7.0.x before 7.0.15, and 7.1.x before 7.1.1 allows remote
attackers to cause a denial of service (buffer over-read and application
crash) via crafted serialized data that is mishandled in a
finish_nested_data call.
References
Bugs
Package
Source: php5 (LP Ubuntu Debian)
Upstream: released (5.6.30)
Ubuntu 14.04 LTS (Trusty Tahr): released (5.5.9+dfsg-1ubuntu4.21)
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=16b3003ffc6393e250f069aa28a78dc5a2c064b2
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=fa2125df6766bb7edac0a0bf433940465da9af4b
Package
Upstream: released (7.0.15)
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): released (7.0.15-0ubuntu0.16.04.2)
Ubuntu 17.04 (Zesty Zapus): released (7.0.15-1ubuntu2)
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=16b3003ffc6393e250f069aa28a78dc5a2c064b2
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=9f560baef5eacbe3fdb6a23a2d4e1996a30a2d2c
More Information

Updated: 2017-08-11 23:54:19 UTC (commit 13081)