A format string vulnerability in the phar extension in PHP 5.3 before 5.3.4 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by phar_stream_flush().

Reference:
http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html

Upstream commit (which was supposed to fix this issue):
http://svn.php.net/viewvc?view=revision&revision=298667

This upstream commit, however, does not fix the phar_stream_flush() case mentioned in MOPS-2010-024. The issue has, however, now been fixed in:
http://svn.php.net/viewvc?view=revision&revision=302565
and was assigned CVE-2010-2950.
Related CVE-2010-2094 is tracked via bug #598537.
Fixed upstream in 5.3.4: http://www.php.net/archive/2010.php#id2010-12-10-1
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2012:1047 https://rhn.redhat.com/errata/RHSA-2012-1047.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1046 https://rhn.redhat.com/errata/RHSA-2012-1046.html
This issue was originally fixed with CVE-2010-2094 (bug #598537) in the PHP 5.3.2 packages that were included in Red Hat Enterprise Linux 6 in its initial release. However, PHP was updated to version 5.3.3 in Red Hat Enterprise Linux 6.1 via RHBA-2011:0615:
https://rhn.redhat.com/errata/RHBA-2011-0615.html
In that update, the fix for this issue was inadvertently removed along with the fix for CVE-2010-2094, which was fixed upstream in 5.3.3. However, the CVE-2010-2950 issue was only fixed upstream in version 5.3.4. Refer to bug #598537, comment #4 and bug #598537, comment #7 to 10 for more details.