Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close


Published: 13 November 2019

PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting output.


per Debian, This was initially reported to be a bug in libxml2, but
it later showed that PHP
can't reproduce on quantal+
The reproducer only displays garbage if the suhosin patch is
applied, which is why it doesn't appear to work on quantal+
Need to check if libxml2 still walks past the end of the string
if the suhosin patch isn't applied.
we will not be fixing this issue



Cvss 3 Severity Score


Score breakdown


Package Release Status
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid Ignored
(end of life)
maverick Ignored
(end of life)
natty Ignored
(end of life)
oneiric Ignored
(end of life)
precise Ignored

quantal Not vulnerable
raring Not vulnerable
saucy Not vulnerable
trusty Not vulnerable
upstream Needs triage

utopic Not vulnerable
vivid Not vulnerable
wily Not vulnerable
xenial Does not exist

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N