CVE-2012-6113

Publication date 18 January 2013

Last updated 24 July 2024

Ubuntu priority

The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	12.10 quantal	Not affected
	12.04 LTS precise	Fixed 5.3.10-1ubuntu3.5
	11.10 oneiric	Not affected
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Not affected

Notes

mdeslaur

introduced in 5.3.9, fixed in 5.3.14

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e

References

Related Ubuntu Security Notices (USN)

USN-1702-1
PHP vulnerability
22 January 2013

Other references

https://www.cve.org/CVERecord?id=CVE-2012-6113