Lucene search

K
ubuntucve
Ubuntu.comUB:CVE-2010-4645
HistoryJan 11, 2011 - 12:00 a.m.

CVE-2010-4645

2011-01-1100:00:00
ubuntu.com
ubuntu.com
14

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.021 Low

EPSS

Percentile

88.9%

strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and
5.3 before 5.3.5, and other products, allows context-dependent attackers to
cause a denial of service (infinite loop) via a certain floating-point
value in scientific notation, which is not properly handled in x87 FPU
registers, as demonstrated using 2.2250738585072011e-308.

Notes

Author Note
sbeattie unabele to reproduce on 9.10 and before; however, the code in question looks like it ought to be vulnerable. Looking at the compiler flag differences between lucid and karmic’s builds didn’t show any obvious reason why karmic wouldn’t be affected. Released an update for all releases anyway.
OSVersionArchitecturePackageVersionFilename
ubuntu06.06noarchphp5< 5.1.2-1ubuntu3.20UNKNOWN
ubuntu08.04noarchphp5< 5.2.4-2ubuntu5.13UNKNOWN
ubuntu09.10noarchphp5< 5.2.10.dfsg.1-2ubuntu6.6UNKNOWN
ubuntu10.04noarchphp5< 5.3.2-1ubuntu4.6UNKNOWN
ubuntu10.10noarchphp5< 5.3.3-1ubuntu9.2UNKNOWN
How to protect your server from attacks?

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.021 Low

EPSS

Percentile

88.9%

Related for UB:CVE-2010-4645