CVE-2014-3669

Name: CVE-2014-3669
Description: Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-94-1, DSA-3064-1

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version     | Urgency | Origin     | Debian Bugs
php5    | source | squeeze    | 5.3.3-7+squeeze23 |         | DLA-94-1   |
php5    | source | wheezy     | 5.4.34-0+deb7u1   |         | DSA-3064-1 |
php5    | source | (unstable) | 5.6.2+dfsg-1      |         |            |

Notes

https://bugs.php.net/bug.php?id=68044
