1
PublicDateAtUSN: 2015-03-30
2
Candidate: CVE-2015-2348
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2348
6
http://php.net/ChangeLog-5.php
7
https://usn.ubuntu.com/usn/usn-2572-1
9
The move_uploaded_file implementation in ext/standard/basic_functions.c in
10
PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a
11
pathname upon encountering a \x00 character, which allows remote attackers
12
to bypass intended extension restrictions and create files with unexpected
13
names via a crafted second argument. NOTE: this vulnerability exists
14
because of an incomplete fix for CVE-2006-7243.
17
mdeslaur> fixed in lucid's php5-CVE-2006-7243.patch, and is fixed in
18
mdeslaur> precise also. Seems to be a regression in 5.4+
20
https://bugs.php.net/bug.php?id=69207
22
Discovered-by: Paulos Yibelo
26
upstream: http://git.php.net/?p=php-src.git;a=commit;h=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1
27
upstream_php5: released (5.6.7)
28
lucid_php5: not-affected (5.3.2-1ubuntu4.29)
29
precise_php5: not-affected (5.3.10-1ubuntu3.17)
30
trusty_php5: released (5.5.9+dfsg-1ubuntu4.9)
31
utopic_php5: released (5.5.12+dfsg-2ubuntu4.4)
32
devel_php5: released (5.6.4+dfsg-4ubuntu5)