CVE-2010-2950

Publication date 27 May 2010

Last updated 24 July 2024

Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2094.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	10.04 LTS lucid	Fixed 5.3.2-1ubuntu4.5
	9.10 karmic	Not affected
	9.04 jaunty	Not affected
	8.04 LTS hardy	Not affected
	6.06 LTS dapper	Not affected

Notes

mdeslaur

See second patch in CVE-2010-2094 This is MOPS-2010-024 5.3 only, not fixed in 5.3.3

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://svn.php.net/viewvc?view=revision&revision=302565

References

Related Ubuntu Security Notices (USN)