5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.021 Low
EPSS
Percentile
88.9%
strtod.c, as used in the zend_strtod function in PHP 5.2 before 5.2.17 and
5.3 before 5.3.5, and other products, allows context-dependent attackers to
cause a denial of service (infinite loop) via a certain floating-point
value in scientific notation, which is not properly handled in x87 FPU
registers, as demonstrated using 2.2250738585072011e-308.
Author | Note |
---|---|
sbeattie | unabele to reproduce on 9.10 and before; however, the code in question looks like it ought to be vulnerable. Looking at the compiler flag differences between lucid and karmic’s builds didn’t show any obvious reason why karmic wouldn’t be affected. Released an update for all releases anyway. |