CVE-2010-4645

Published: 11 January 2011

strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and 5.3 before 5.3.5, and other products, allows context-dependent attackers to cause a denial of service (infinite loop) via a certain floating-point value in scientific notation, which is not properly handled in x87 FPU registers, as demonstrated using 2.2250738585072011e-308.

Notes

Author: sbeattie
Note: unable to reproduce on 9.10 and before; however, the code in question looks like it ought to be vulnerable. Looking at the compiler flag differences between lucid and karmic's builds didn't show any obvious reason why karmic wouldn't be affected. Released an update for all releases anyway.

Priority

Medium

Status

Package: php5

Release    Status
dapper     Released (5.1.2-1ubuntu3.20)
hardy      Released (5.2.4-2ubuntu5.13)
karmic     Released (5.2.10.dfsg.1-2ubuntu6.6)
lucid      Released (5.3.2-1ubuntu4.6)
maverick   Released (5.3.3-1ubuntu9.2)
upstream   Released (5.2.17)