CVE-2010-2093

Publication date 27 May 2010

Last updated 24 July 2024

Description

Use-after-free vulnerability in the request shutdown functionality in PHP 5.2 before 5.2.13 and 5.3 before 5.3.2 allows context-dependent attackers to cause a denial of service (crash) via a stream context structure that is freed before destruction occurs.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	11.10 oneiric	Ignored
	11.04 natty	Ignored
	10.10 maverick	Ignored
	10.04 LTS lucid	Ignored
	9.10 karmic	Ignored end of life
	9.04 jaunty	Ignored end of life
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Ignored end of life

How can I get the fixes?
What do statuses mean?

Notes

jdstrand

PoC: http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/index.html

mdeslaur

unfixed in 5.3.3 This is MOPS-2010-022

sbeattie

upstream considers a fix invasive, according to referenced oss-security post

mdeslaur

upstream is ignoring this, so are we.

References

MITRE
NVD
Launchpad
Debian

Other references

http://php-security.org/2010/05/12/mops-2010-022-php-stream-context-use-after-free-on-request-shutdown-vulnerability/index.html
http://openwall.com/lists/oss-security/2010/08/20/4
https://www.cve.org/CVERecord?id=CVE-2010-2093