CVE-2010-4657

Publication date 13 November 2019

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

PHP5 before 5.4.4 allows passing invalid utf-8 strings via the xmlTextWriterWriteAttribute, which are then misparsed by libxml2. This results in memory leak into the resulting output.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	16.04 LTS xenial	Not in release
	15.10 wily	Not affected
	15.04 vivid	Not affected
	14.10 utopic	Not affected
	14.04 LTS trusty	Not affected
	13.10 saucy	Not affected
	13.04 raring	Not affected
	12.10 quantal	Not affected
	12.04 LTS precise	Ignored
	11.10 oneiric	Ignored
	11.04 natty	Ignored
	10.10 maverick	Ignored
	10.04 LTS lucid	Ignored
	8.04 LTS hardy	Ignored

Notes

jdstrand

per Debian, This was initially reported to be a bug in libxml2, but it later showed that PHP

can't reproduce on quantal+ The reproducer only displays garbage if the suhosin patch is applied, which is why it doesn't appear to work on quantal+ Need to check if libxml2 still walks past the end of the string if the suhosin patch isn't applied. we will not be fixing this issue

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Other references

https://www.cve.org/CVERecord?id=CVE-2010-4657