Descriptionext/wddx/wddx.c in PHP before 5.6.25 and 7.x before 7.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly have unspecified other impact via an invalid wddxPacket XML document that is mishandled in a wddx_deserialize call, as demonstrated by a stray element inside a boolean element, leading to incorrect pop processing.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-749-1, DSA-3689-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
php5 (PTS)wheezy5.4.45-0+deb7u2vulnerable
wheezy (security)5.4.45-0+deb7u12fixed
jessie (security)5.6.33+dfsg-0+deb8u1fixed
php7.0 (PTS)stretch (security), stretch7.0.27-0+deb9u1fixed
buster, sid7.0.28-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


PHP Bug:
Fixed in 7.0.10, 5.6.25
72790 and 72799 are associated with the same commit. Not all of the
commit is about the pop issue in 72799.

Search for package or bug name: Reporting problems