CVE-2017-6441

Metadata

medium
5.0
php7.0, php7.1, php5
CVE-2017-6441
cve.mitre.org, bugs.php.net
2017-04-03
2017-06-16 19:22
2017-05-26 20:03
2017-05-10 23:46
2017-05-06 02:16
2017-05-01 19:03
2017-04-14 10:20
2017-04-04 14:03
2017-04-04 02:03

Description

** DISPUTED ** The _zval_get_long_func_ex in Zend/zend_operators.c in PHP 7.1.2 allows attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted use of "declare(ticks=" in a PHP script. NOTE: the vendor disputes the classification of this as a vulnerability, stating "Please do not request CVEs for ordinary bugs. CVEs are relevant for security issues only."

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is marked as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Release Package Patched in
upstream php7.0 7.0.18
upstream php7.1 7.1.4

Unaffected

Release Package Reason
precise php5 ignored
precise php7.0 DNE
precise php7.1 DNE
precise/esm php5 ignored
precise/esm php7.0 DNE
precise/esm php7.1 DNE
trusty php5 ignored
trusty php7.0 DNE
trusty php7.1 DNE
vivid/ubuntu-core php5 DNE
vivid/ubuntu-core php7.0 DNE
vivid/ubuntu-core php7.1 DNE
vivid/stable-phone-overlay php5 DNE
vivid/stable-phone-overlay php7.0 DNE
vivid/stable-phone-overlay php7.1 DNE
xenial php5 DNE
xenial php7.0 ignored
xenial php7.1 DNE
yakkety php5 DNE
yakkety php7.0 ignored
yakkety php7.1 DNE
zesty php5 DNE
zesty php7.0 ignored
zesty php7.1 DNE
devel php5 DNE
devel php7.0 DNE
devel php7.1 not-affected

Needs Triage

Release Package Reason
upstream php5 needs-triage