CVE-2015-4026
Publication date 9 June 2015
Last updated 24 July 2024
Ubuntu priority
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
Status
Package | Ubuntu Release | Status |
---|---|---|
php5 | ||
14.04 LTS trusty |
Fixed 5.5.9+dfsg-1ubuntu4.11
|
|
Notes
References
Related Ubuntu Security Notices (USN)
- USN-2658-1
- PHP vulnerabilities
- 6 July 2015