CVE-2010-2225
Published: 24 June 2010
Use-after-free vulnerability in the SplObjectStorage unserializer in PHP 5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute arbitrary code or obtain sensitive information via serialized data, related to the PHP unserialize function.
Notes
Author | Note |
---|---|
mdeslaur | SplObjectStorage doesn't have an unserializer in php 5.1.x |
Priority
Status
Package | Release | Status |
---|---|---|
php5 | dapper | Not vulnerable (5.1.2-1ubuntu3.18) |
php5 | hardy | Released (5.2.4-2ubuntu5.12) |
php5 | jaunty | Released (5.2.6.dfsg.1-3ubuntu4.6) |
php5 | karmic | Released (5.2.10.dfsg.1-2ubuntu6.5) |
php5 | lucid | Released (5.3.2-1ubuntu4.5) |
php5 | upstream | Released (5.3.3) |

Patches: upstream: http://svn.php.net/viewvc?view=revision&revision=300843
References
- http://twitter.com/i0n1c/status/16447867829
- http://php-security.org/2010/06/25/mops-2010-061-php-splobjectstorage-deserialization-use-after-free-vulnerability/
- http://nibbles.tuxfamily.org/?p=1837
- https://ubuntu.com/security/notices/USN-989-1
- https://www.cve.org/CVERecord?id=CVE-2010-2225
- NVD
- Launchpad
- Debian