CVE-2014-8142
Publication date 20 December 2014
Last updated 24 July 2024
Ubuntu priority
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
Status
Package | Ubuntu Release | Status |
---|---|---|
php5 | ||
14.04 LTS trusty |
Fixed 5.5.9+dfsg-1ubuntu4.6
|
|
Notes
mdeslaur
unserialize shouldn't be run on untrusted input Patch was incomplete, leading to CVE-2015-0231
Patch details
Package | Patch details |
---|---|
php5 |
References
Related Ubuntu Security Notices (USN)
- USN-2501-1
- PHP vulnerabilities
- 17 February 2015