History: Aug 06, 2012 - 12:00 a.m.

CVE-2012-3450

ubuntu.com

CVSS2: 2.6 Low (AV:N/AC:H/Au:N/C:N/I:N/A:P)

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

EPSS: 0.062 Low (Percentile: 93.5%)

pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x
before 5.4.4 does not properly determine the end of the query string during
parsing of prepared statements, which allows remote attackers to cause a
denial of service (out-of-bounds read and application crash) via a crafted
parameter value.

Bugs

Notes

| Author | Note |
| --- | --- |
| mdeslaur | pdo_sql_parser.re generates pdo_sql_parser.c, so both need to be patched. |

| OS | Version | Architecture | Package | Version | Filename |
| --- | --- | --- | --- | --- | --- |
| ubuntu | 8.04 | noarch | php5 | < 5.2.4-2ubuntu5.26 | UNKNOWN |
| ubuntu | 10.04 | noarch | php5 | < 5.3.2-1ubuntu4.18 | UNKNOWN |
| ubuntu | 11.04 | noarch | php5 | < 5.3.5-1ubuntu7.11 | UNKNOWN |
| ubuntu | 11.10 | noarch | php5 | < 5.3.6-13ubuntu3.9 | UNKNOWN |
| ubuntu | 12.04 | noarch | php5 | < 5.3.10-1ubuntu3.4 | UNKNOWN |
