CVE-2014-9653

PHP <5.4.37, 5.5.x <5.5.21, 5.6.x <5.6.5 - DoS

Title source: llm
STIX 2.1

Description

readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.

References (15)

Core 15
Core References
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=144050155601375&w=2
Vendor Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3686-1/
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2015/02/05/13
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2015/dsa-3196
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=143748090628601&w=2
Various Sources x_refsource_confirm
http://php.net/ChangeLog-5.php
Various Sources mailing-list x_refsource_mlist
http://mx.gw.com/pipermail/file/2014/001649.html
Various Sources x_refsource_confirm
http://bugs.gw.com/view.php?id=409
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/72516
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201701-42
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-0760.html

Scores

EPSS 0.0683
EPSS Percentile 91.4%

Details

CWE
CWE-20
Status published
Products (29)
debian/debian_linux 7.0
file_project/file < 5.21
php/php 5.5.0 (13 CPE variants)
php/php 5.5.1
php/php 5.5.2
php/php 5.5.3
php/php 5.5.4
php/php 5.5.5
php/php 5.5.6
php/php 5.5.7
... and 19 more
Published Mar 30, 2015
Tracked Since Feb 18, 2026