MDVSA-2011:004
- Package name: php-phar
- Date: 2011-01-10
- Advisory ID: MDVSA-2011:004
- Affected versions: MES5 i586, MES5 x86_64
Problem description
A vulnerability has been found and corrected in php-phar:
Multiple format string vulnerabilities in the phar extension in PHP
5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code
via a crafted phar:// URI that is not properly handled by the (1)
phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or
(4) phar_wrapper_open_url functions in ext/phar/stream.c; and the (5)
phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers
errors in the php_stream_wrapper_log_error function (CVE-2010-2094).
The updated packages have been upgraded to the latest version (2.0.0)
and patched to correct this issue.
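
The bug class described above, as an added example that is not taken from the advisory or from PHP's source: untrusted text must reach a printf-style logger as an argument to a constant format, never as the format itself. The logger `log_error`, the helpers `report_bad_uri` and `escape_percent`, the message text and the sample URI are all constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for an error-logging API
 * (constructed for this example, not PHP's code). */
static int log_error(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened call site: the untrusted URI is only an argument to a constant
 * format, so any '%' it contains is copied as data, not interpreted.
 * The vulnerable form would be: log_error(out, cap, uri); */
int report_bad_uri(char *out, size_t cap, const char *uri)
{
    return log_error(out, cap, "phar error: invalid url \"%s\"", uri);
}

/* For APIs that accept only a format string: double every '%' so the
 * formatter prints it literally. Returns 0, or -1 if dst is too small. */
int escape_percent(char *dst, size_t cap, const char *src)
{
    size_t j = 0;
    if (cap == 0)
        return -1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        size_t need = (src[i] == '%') ? 2 : 1;
        if (j + need >= cap)          /* keep room for the terminating NUL */
            return -1;
        if (src[i] == '%')
            dst[j++] = '%';
        dst[j++] = src[i];
    }
    dst[j] = '\0';
    return 0;
}

int main(void)
{
    const char *uri = "phar://%x.%x.%s/a.phar"; /* constructed sample input */
    char msg[128];
    report_bad_uri(msg, sizeof msg, uri);
    puts(msg);
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag non-literal format arguments at call sites of functions declared with the `format` attribute.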
Updated packages
MES5 i586
18ac572d36b85d01b8d2887b5ac66306 mes5/i586/php-phar-2.0.0-0.1mdvmes5.1.i586.rpm
66fed8527abc284d6b41e547fa9f7fe5 mes5/SRPMS/php-phar-2.0.0-0.1mdvmes5.1.src.rpm
MES5 x86_64
64664dc1a71b0b0df61a14faf178d737 mes5/x86_64/php-phar-2.0.0-0.1mdvmes5.1.x86_64.rpm
66fed8527abc284d6b41e547fa9f7fe5 mes5/SRPMS/php-phar-2.0.0-0.1mdvmes5.1.src.rpm
