CVE-2014-8142
Published: 20 December 2014
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
Notes
| Author | Note |
|---|---|
| mdeslaur | unserialize shouldn't be run on untrusted input Patch was incomplete, leading to CVE-2015-0231 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
php5 Launchpad, Ubuntu, Debian |
lucid |
Not vulnerable
(5.3.2-1ubuntu4.28)
|
| precise |
Released
(5.3.10-1ubuntu3.16)
|
|
| trusty |
Released
(5.5.9+dfsg-1ubuntu4.6)
|
|
| upstream |
Needs triage
|
|
| utopic |
Released
(5.5.12+dfsg-2ubuntu4.2)
|
|
|
Patches: upstream: http://git.php.net/?p=php-src.git;a=commit;h=630f9c33c23639de85c3fd306b209b538b73b4c9 |
||