remicollet/php-src-security

CVE-2018-19396

Closed this issue · 5 comments

Sir, do we need to fix this in PHP 5.6? Some antivirus software (NSFOCUS etc.) reports it as a high-risk vulnerability.

https://www.cvedetails.com/cve/CVE-2018-19396/

Thank you for your work!

serialize / unserialize bugs are not considered security issues.
See https://www.php.net/manual/en/function.unserialize.php

unserialize is unsecured by design.

This CVE was not affected by the PHP project, see https://bugs.php.net/bug.php?id=77177

Notice: the bug was fixed in 7.2.14 in the COM extension (so Windows only)

As I don't have any Windows env (and don't use it), I need someone to work on it; btw, I don't think it's worth the work.

Jan-E commented

For anyone interested: it was fixed in 7.2.14 by @cmb69
php/php-src@115ee49