First published: Fri Jul 09 2010
The upstream PHP 5.2.14 and 5.3.3 releases corrected an information disclosure flaw where the var_export() function would disclose data if a fatal error occurred due to recursion, memory_limit, or execution time. The buffer is never cleared and is flushed to the user, regardless of the configured display_errors setting, because it is considered part of the output. This could lead to a disclosure of possibly sensitive information. The name <a href="https://access.redhat.com/security/cve/CVE-2010-2531">CVE-2010-2531</a> has been assigned to this issue.

An example to test:

```
% cat test.php
#!/usr/bin/php
<?php
@$obj->p =& $obj;
var_export($obj, true);
?>
% php test.php
PHP Fatal error: Nesting level too deep - recursive dependency? in test.php on line 4
stdClass::__set_state(array(
'p' =>
stdClass::__set_state(array(
'p' =>
stdClass::__set_state(array(
'p' =>
stdClass::__set_state(array(
```

```
% cat test2.php
#!/usr/bin/php
<?php
$a[] =& $a;
var_export($a, true);
?>
% php test2.php
PHP Fatal error: Nesting level too deep - recursive dependency? in test.php on line 4
array (
0 =>
array (
0 =>
array (
0 =>
array (
0 =>
array (
```

The upstream changes prevent any output from being displayed, so only the "PHP Fatal error" message should appear.

The upstream fix: <a href="http://svn.php.net/viewvc?view=revision&revision=301143">http://svn.php.net/viewvc?view=revision&revision=301143</a>
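A regression check built from the two test cases above, added here as an example; it is not part of the original advisory or of PHP, and the function names (`classify_stdout`, `run_case`, `check_php`) are this example's own. It runs each case with display_errors off and reports a leak if any fragment of the var_export() dump reaches stdout.

```shell
#!/usr/bin/env bash
# Added example: regression check for CVE-2010-2531 built from the advisory's
# two test cases. Function names are this example's own.

# Classify captured stdout. PHP's own error report lines are ignored (a fixed
# build still reports the fatal error); any fragment of a var_export() dump
# counts as a leak.
classify_stdout() {
    if printf '%s\n' "$1" \
        | grep -v -E '^(PHP )?(Fatal error|Warning|Notice|Deprecated)' \
        | grep -E '__set_state\(array\(|array \(' >/dev/null; then
        echo "LEAK"
    else
        echo "OK"
    fi
}

# Run one PHP snippet under the given binary with display_errors off, since
# the advisory states the flush happens regardless of that setting.
run_case() {
    local php_bin="$1" code="$2" tmp out
    tmp="$(mktemp)" || return 2
    printf '%s\n' "$code" > "$tmp"
    # stderr is dropped: the error report is expected on every build.
    out="$("$php_bin" -d display_errors=0 "$tmp" 2>/dev/null)" || true
    rm -f "$tmp"
    classify_stdout "$out"
}

# Run both recursion cases; return non-zero if either one leaks.
check_php() {
    local php_bin="${1:-php}" r_obj r_arr
    r_obj="$(run_case "$php_bin" '<?php @$obj->p =& $obj; var_export($obj, true); ?>')"
    r_arr="$(run_case "$php_bin" '<?php $a[] =& $a; var_export($a, true); ?>')"
    echo "object recursion: $r_obj"
    echo "array recursion:  $r_arr"
    [ "$r_obj" = "OK" ] && [ "$r_arr" = "OK" ]
}
```

Call `check_php /path/to/php` for each interpreter build under test; a non-zero exit status means at least one case printed exported data.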
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/php | <0:5.1.6-27.el5_5.3 | 0:5.1.6-27.el5_5.3 |
PHP PHP | >=5.2.0<5.2.14 | |
PHP PHP | >=5.3.0<5.3.3 | |
Debian Debian Linux | =5.0 | |
Debian Debian Linux | =6.0 | |