CVE-2017-11143
Published: 10 July 2017
In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.
Priority
CVSS 3 base score: 7.5
Status
Package | Release | Status |
---|---|---|
php5 | Upstream | Needs triage |
php5 | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
php5 | Ubuntu 16.04 LTS (Xenial Xerus) | Does not exist |
php5 | Ubuntu 14.04 ESM (Trusty Tahr) | Released (5.5.9+dfsg-1ubuntu4.22) |
php7.0 | Upstream | Needs triage |
php7.0 | Ubuntu 18.04 LTS (Bionic Beaver) | Does not exist |
php7.0 | Ubuntu 16.04 LTS (Xenial Xerus) | Not vulnerable (5.6 only) |
php7.0 | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |
php7.1 | Upstream | Needs triage |
php7.1 | Ubuntu 18.04 LTS (Bionic Beaver) | Not vulnerable (5.6 only) |
php7.1 | Ubuntu 16.04 LTS (Xenial Xerus) | Does not exist |
php7.1 | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |

Patches (php5):
- Upstream: http://git.php.net/?p=php-src.git;a=commit;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
- Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9
Notes
Author | Note |
---|---|
mdeslaur | only affected 5.6 |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11143
- http://openwall.com/lists/oss-security/2017/07/10/6
- http://php.net/ChangeLog-5.php
- https://usn.ubuntu.com/usn/usn-3382-1
- https://usn.ubuntu.com/usn/usn-3382-2