CVE-2016-5114 (retired)

Priority
Description
sapi/fpm/fpm/fpm_log.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x
before 7.0.2 misinterprets the semantics of the snprintf return value,
which allows attackers to obtain sensitive information from process memory
or cause a denial of service (out-of-bounds read and buffer overflow) via a
long string, as demonstrated by a long URI in a configuration with custom
REQUEST_URI logging.
Notes
 tyhicks> "The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2"
Package
Source: php5 (LP Ubuntu Debian)
Upstream:released (5.6.17+dfsg-1)
Ubuntu 14.04 LTS (Trusty Tahr):released (5.5.9+dfsg-1ubuntu4.19)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Patches:
Upstream:https://git.php.net/?p=php-src.git;a=commit;h=be19dbcb84fea0001e53cea2732c00de7ae6c371
Package
Upstream:released (7.0.2)
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (7.0.4-7ubuntu2.1)
Patches:
Upstream:https://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f
More Information

Updated: 2019-03-26 12:21:52 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)