CVE-2009-3292

NameCVE-2009-3292
DescriptionUnspecified vulnerability in PHP before 5.2.11, and 5.3.x before 5.3.1, has unknown impact and attack vectors related to "missing sanity checks around exif processing."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1940-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php5 (PTS)wheezy5.4.45-0+deb7u2fixed
wheezy (security)5.4.45-0+deb7u4fixed
jessie5.6.20+dfsg-0+deb8u1fixed
jessie (security)5.6.24+dfsg-0+deb8u1fixed
sid5.6.24+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
php5source(unstable)5.2.11.dfsg.1-1low
php5sourceetch5.2.0+dfsg-8+etch16highDSA-1940-1
php5sourcelenny5.2.6.dfsg.1-1+lenny4highDSA-1940-1

Notes

unknown impact, it is related to missing sanity checks
when determining the length of sections of jpg headers
a missing limit on the nesting level of TIFF files, and
missing EOF checks, possibly leading to NULL dereferences
experimental is likely to be affected (as of 5.3.0)

Search for package or bug name: Reporting problems