CVE-2015-3412

Publication date 23 June 2015

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	15.04 vivid	Fixed 5.6.4+dfsg-4ubuntu6.2
	14.10 utopic	Fixed 5.5.12+dfsg-2ubuntu4.6
	14.04 LTS trusty	Fixed 5.5.9+dfsg-1ubuntu4.11
	12.04 LTS precise	Fixed 5.3.10-1ubuntu3.19

Notes

tyhicks

Related to CVE-2015-3411. Represents the additional vulnerability discoveries found in the upstream fixes, outside of what Neal Poole originally disclosed in PHP bug 69353.

mdeslaur

same commits as CVE-2015-3411

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://git.php.net/?p=php-src.git;a=commit;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 Upstream: http://git.php.net/?p=php-src.git;a=commit;h=4435b9142ff9813845d5c97ab29a5d637bedb257

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-2658-1
PHP vulnerabilities
6 July 2015