CVE-2011-1153

Publication date 16 March 2011

Last updated 24 July 2024

Ubuntu priority

Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	11.04 natty	Fixed 5.3.5-1ubuntu7.1
	10.10 maverick	Fixed 5.3.3-1ubuntu9.4
	10.04 LTS lucid	Fixed 5.3.2-1ubuntu4.8
	9.10 karmic	Not affected
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Not affected

Notes

mdeslaur

reproducer in RH bug

sbeattie

php 5.2 does not include phar code

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://svn.php.net/viewvc?view=revision&revision=309221

CVE-2011-1153

Status

Notes

mdeslaur

sbeattie

Patch details

References

Related Ubuntu Security Notices (USN)

Other references