Comment 5 for bug 1099793

Robie Basak (racb) wrote:

Confirmed, and I've found the fix. This is https://bugs.php.net/bug.php?id=61413 fixed in http://git.php.net/?p=php-src.git;a=commit;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e and released upstream in 5.3.14.

This is due to i remaining uninitialised in the case of input data of zero size.

I also think this is a security issue, since it results in the "encrypted data" containing arbitrary memory contents which could subsequently be leaked to a web user. This could contain things like a mysql password or other secrets.

The attached debdiff fixes this bug. I've tested that it builds and upgrading fixes the issue. Adding ~ubuntu-security-sponsors and removing importance for re-triaging by the security team.
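The class of defect described in the comment above, as an added illustration in C that is not PHP's mcrypt code, not the debdiff, and not written by the commenter. It uses a toy XOR keystream and a hypothetical fixed KEY; the point is the control flow: a block-padding routine that always reports at least one block of output but only writes that block when the input is non-empty, so for zero-length input it returns whatever the buffer held before. Reading an uninitialised variable is undefined behaviour in C and cannot be asserted on, so the effect of the uninitialised index (the padding loop never running) is reproduced deterministically by leaving the caller's buffer untouched. The stale_bytes_leaked check is the regression test a packager could add: it fills the output buffer with two different patterns across two runs and counts bytes that follow the pattern both times, i.e. bytes the routine never wrote.

```c
/* Added illustration, not PHP's code: zero-length input through a
 * block-padding "encrypt" routine that hands back bytes it never wrote.
 * The cipher is a toy XOR keystream; only the control flow matters here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK 8

/* Hypothetical fixed key; a real routine takes it as a parameter. */
static const uint8_t KEY[BLOCK] = {0x5a, 0x13, 0xc4, 0x7e, 0x90, 0x2b, 0xe1, 0x08};

/* Output size: input rounded up to a whole block, and at least one block
 * so that empty input still produces a ciphertext (zero padding). */
static size_t padded_len(size_t len)
{
    size_t n = (len + BLOCK - 1) / BLOCK * BLOCK;
    return n ? n : BLOCK;
}

/* Vulnerable shape: both write loops sit under len > 0, so for empty input
 * the routine still reports BLOCK bytes of "ciphertext" but never touches
 * them. In the real bug the uninitialised index produced the same effect;
 * here the buffer is simply left as the caller filled it, which stands in
 * for stale heap contents without invoking undefined behaviour. */
size_t encrypt_vulnerable(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t total = padded_len(len);
    size_t i;
    if (len > 0) {
        for (i = 0; i < len; i++)
            out[i] = in[i] ^ KEY[i % BLOCK];
        for (; i < total; i++)              /* zero padding, then keystream */
            out[i] = 0 ^ KEY[i % BLOCK];
    }
    return total;                           /* claims total bytes were written */
}

/* Fixed shape: every byte of the reported length is written whatever len is. */
size_t encrypt_fixed(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t total = padded_len(len);
    size_t i;
    for (i = 0; i < total; i++) {
        uint8_t p = (i < len) ? in[i] : 0;  /* zero padding */
        out[i] = p ^ KEY[i % BLOCK];
    }
    return total;
}

/* Regression check. Run the routine twice over buffers pre-filled with two
 * different patterns; a byte that still matches the fill pattern in both
 * runs was never written, so it is stale memory being returned as
 * ciphertext. Returns the number of such bytes (0 means no leak), or
 * (size_t)-1 if the routine reports an inconsistent or oversized length. */
size_t stale_bytes_leaked(size_t (*enc)(const uint8_t *, size_t, uint8_t *),
                          const uint8_t *in, size_t len)
{
    uint8_t a[4 * BLOCK], b[4 * BLOCK];
    size_t na, nb, i, leaked = 0;
    memset(a, 0xAA, sizeof a);
    memset(b, 0x55, sizeof b);
    na = enc(in, len, a);
    nb = enc(in, len, b);
    if (na != nb || na > sizeof a)
        return (size_t)-1;
    for (i = 0; i < na; i++)
        if (a[i] == 0xAA && b[i] == 0x55)
            leaked++;
    return leaked;
}

int main(void)
{
    static const uint8_t msg[] = "secret";  /* constructed sample input */
    printf("vulnerable, empty input : %zu stale bytes\n",
           stale_bytes_leaked(encrypt_vulnerable, msg, 0));
    printf("vulnerable, 6-byte input: %zu stale bytes\n",
           stale_bytes_leaked(encrypt_vulnerable, msg, 6));
    printf("fixed, empty input      : %zu stale bytes\n",
           stale_bytes_leaked(encrypt_fixed, msg, 0));
    return 0;
}
```

The differential fill is what makes the check trustworthy: a single sentinel can collide with a genuine ciphertext byte, but a byte that tracks two different fill patterns across two runs was not produced by the routine at all. The same idea applies to any wrapper that returns a fixed-size or padded buffer for variable-length input: test the empty and block-aligned lengths explicitly, since those are the paths where a loop bound or index can silently go unset.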