An integer overflow flaw in PHP's unserialize() function was reported. If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure. It is not clear if code execution is possible or not. It was reported that this issue only affects 32-bit systems. It has been fixed in upstream versions 5.4.34, 5.5.18, and 5.6.2. References: http://git.php.net/?p=php-src.git;a=commit;h=56754a7f9eba0e4f559b6ca081d9f2a447b3f159 https://bugs.php.net/bug.php?id=68044 http://php.net/ChangeLog-5.php
5.5.18 is already in Fedora testing, so no Fedora trackers for this (or bug 1154502 and bug 1154503)
(In reply to Murray McAllister from comment #0) > It was reported that this issue only affects 32-bit systems. This issue does not seem to be 32-bit specific per se. Problematic code check is: pointer1 + long >= pointer2 Attacker providing crafted serialized input has full control over the long value. As the variable is signed, and there is another check to ensure that its value is not negative, overflow can happen if pointer1 + long overflow. That can only happen if pointer1 points to the upper half of the address range, as the maximum long value is approximately half of the maximum pointer value. That is lot more likely on 32-bit systems than on 64-bit systems. Attacker has limited control over pointer1.
IssueDescription: An integer overflow flaw was found in the way custom objects were unserialized. Specially crafted input processed by the unserialize() function could cause a PHP application to crash.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1768 https://rhn.redhat.com/errata/RHSA-2014-1768.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html
This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:1767 https://rhn.redhat.com/errata/RHSA-2014-1767.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1824 https://rhn.redhat.com/errata/RHSA-2014-1824.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2015:0021 https://rhn.redhat.com/errata/RHSA-2015-0021.html