This is due to i remaining uninitialised in the case of input data of zero size.
I also think this is a security issue, since it results in the "encrypted data" containing arbitrary memory contents which could subsequently be leaked to a web user. This could contain things like a mysql password or other secrets.
The attached debdiff fixes this bug. I've tested that it builds and upgrading fixes the issue. Adding ~ubuntu-security-sponsors and removing importance for re-triaging by the security team.
Confirmed, and I've found the fix. This is https:/ /bugs.php. net/bug. php?id= 61413 fixed in http:// git.php. net/?p= php-src. git;a=commit; h=270a406ac94b5 fc5cc9ef59fc61e 3b4b95648a3e and released upstream in 5.3.14.
This is due to i remaining uninitialised in the case of input data of zero size.
I also think this is a security issue, since it results in the "encrypted data" containing arbitrary memory contents which could subsequently be leaked to a web user. This could contain things like a mysql password or other secrets.
The attached debdiff fixes this bug. I've tested that it builds and upgrading fixes the issue. Adding ~ubuntu- security- sponsors and removing importance for re-triaging by the security team.