Public Date:
688378: CVE-2011-1153 php: several format string vulnerabilities in PHP's Phar extension

The MITRE CVE dictionary describes this issue as:

Multiple format string vulnerabilities in phar_object.c in the phar extension in PHP 5.3.5 and earlier allow context-dependent attackers to obtain sensitive information from process memory, cause a denial of service (memory corruption), or possibly execute arbitrary code via format string specifiers in an argument to a class method, leading to an incorrect zend_throw_exception_ex call.

Find out more about CVE-2011-1153 from the MITRE CVE dictionary dictionary and NIST NVD.


Red Hat does not consider this flaw to be a security issue. It is improbable that a script would accept untrusted user input or unvalidated script input data as a PHAR archive file name to load. The file name passed to the PHAR-handling functions is therefore under the full control of the script author and no trust boundary is crossed.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 6 php Will not fix
Red Hat Enterprise Linux 5 php Not affected
Red Hat Enterprise Linux 5 php53 Will not fix
Red Hat Enterprise Linux 4 php Not affected
Last Modified

CVE description copyright © 2017, The MITRE Corporation