Fedora Account System
Red Hat Associate
Red Hat Customer
It was found that if object deserialization fails, object's properties will be cleaned, but the object will still remain stored in objects_store. When calling desctructor with uninitialized properties, memory corruption may happen. Upstream bug: https://bugs.php.net/bug.php?id=73052 Upstream patch: https://github.com/php/php-src/commit/6a7cc8ff85827fa9ac715b3a83c2d9147f33cd43?w=1 CVE assignment: http://seclists.org/oss-sec/2016/q3/518
Created php tracking bugs for this issue: Affects: fedora-all [bug 1377366]
This issue happens when untrusted input is unserialized. Doing so it documented as being unsafe: http://php.net/manual/en/function.unserialize.php Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this. Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.