[php5] [CVE-2007-4887] possible denial of service

Bug #162170 reported by disabled.user
Affects: php5 (Ubuntu)
Status: Won't Fix
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: php5

References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4887
[2] http://www.php.net/releases/5_2_5.php

From [1]:
"The dl function in PHP 5.2.4 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long string in the library parameter. NOTE: there are limited usage scenarios under which this would be a vulnerability."

Kees Cook (kees) wrote :

Thanks for the report. This CVE is not considered a real security issue since it is just a script-author-local crash of a PHP instance without evidence of controllable memory corruption.

Changed in php5:
importance: Undecided → Wishlist
status: New → Confirmed

Michael Lueck (mlueck) wrote :

Since Hardy 8.04 is going to be an LTS release, I find it odd that Ubuntu has not moved to the 5.2.5 version which per www.php.net was released back on 08-Nov-2007.

Could someone please shed some light on this point? Thanks!

Jamie Strandboge (jdstrand) wrote :

Per the ubuntu-cve-tracker: this is a local php instance crasher, not a serious security issue. We do not plan to fix this in Ubuntu.

Changed in php5 (Ubuntu):
status: Confirmed → Won't Fix