It was found that if object deserialization fails, the object's properties will be cleaned, but the object will still remain stored in objects_store. When calling the destructor with uninitialized properties, memory corruption may happen.

Upstream bug: https://bugs.php.net/bug.php?id=73052
Upstream patch: https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43?w=1
CVE assignment: http://seclists.org/oss-sec/2016/q3/518
Created php tracking bugs for this issue: Affects: fedora-all [bug 1377366]
This issue happens when untrusted input is unserialized. Doing so is documented as being unsafe: http://php.net/manual/en/function.unserialize.php "Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user."
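The pattern the comment above warns against, beside the JSON-based replacement it recommends, as an added example that is not code from the bug report or from PHP upstream. The function names, the cookie-preferences scenario and the sample inputs are constructed for illustration; the JSON path assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example (not from the bug report or PHP upstream): loading user
// preferences from a client-supplied cookie value.
declare(strict_types=1);

// UNSAFE: client-controlled bytes reach unserialize(), so the client decides
// which objects get instantiated and, as in bug 73052, destructed.
function load_prefs_unsafe(string $cookie): array
{
    $prefs = @unserialize($cookie);
    return is_array($prefs) ? $prefs : [];
}

// SAFE: parse JSON and keep only the keys and types the application expects.
function load_prefs_safe(string $cookie): array
{
    try {
        // Small depth limit plus exception mode: malformed input never
        // silently becomes null or a deeply nested structure.
        $data = json_decode($cookie, true, 4, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($data)) {
        return [];
    }
    // Allowlist of expected keys and their scalar types; anything else is dropped.
    $schema = ['theme' => 'string', 'page_size' => 'integer'];
    $prefs = [];
    foreach ($schema as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $prefs[$key] = $data[$key];
        }
    }
    return $prefs;
}

// Defense in depth for serialized blobs the server itself produced and stored
// (PHP >= 7.0): refuse to instantiate any class, so no __wakeup or destructor
// of an application class runs while decoding. Not a substitute for keeping
// untrusted data away from unserialize() altogether.
function load_server_side_blob(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Constructed sample inputs: a serialized-object string (rejected by the JSON
// path) and a well-formed JSON document with one unexpected key.
var_dump(load_prefs_safe('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'));
var_dump(load_prefs_safe('{"theme":"dark","page_size":25,"extra":1}'));
```

The first call returns an empty array and the second returns only the two allowlisted keys; run with `php example.php`.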