Confirmed, and I've found the fix. This is https://bugs.php.net/bug.php?id=61413 fixed in http://git.php.net/?p=php-src.git;a=commit;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e and released upstream in 5.3.14.
This is due to i remaining uninitialised in the case of input data of zero size. I also think this is a security issue, since it results in the "encrypted data" containing arbitrary memory contents which could subsequently be leaked to a web user. This could contain things like a mysql password or other secrets.

The attached debdiff fixes this bug. I've tested that it builds and upgrading fixes the issue.

Adding ~ubuntu-security-sponsors and removing importance for re-triaging by the security team.

** Bug watch added: bugs.php.net/ #61413
   http://bugs.php.net/bug.php?id=61413

** Patch added: "php5.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793/+attachment/3484103/+files/php5.debdiff

** Changed in: php5 (Ubuntu)
   Importance: Medium => Undecided

** Information type changed from Public to Public Security

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1099793

Title:
  php 5.3.10 openssl_encrypt empty data

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
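
A regression check for the zero-size input case described in this report, as an added example that is not part of the original message, the upstream commit or the debdiff. It assumes the php CLI with the openssl extension; the cipher, key and IV are constructed test values, and only lengths are printed so no buffer contents reach the output.

```php
<?php
// Added regression check, not from the bug report or the debdiff.
// Key and IV are constructed test values, not secrets.
$method = 'aes-128-cbc';
$key    = str_repeat("\x01", 16);
$iv     = str_repeat("\x02", 16);

/**
 * Encrypt the empty string repeatedly and return a list of problems found.
 * AES-CBC with PKCS#7 padding turns empty input into exactly one 16-byte
 * block, identical on every call for a fixed key and IV.
 */
function check_empty_encrypt($method, $key, $iv, $rounds = 50)
{
    $problems = array();
    $first    = null;
    for ($n = 0; $n < $rounds; $n++) {
        // 4th argument requests raw bytes: bool raw_output in 5.3,
        // OPENSSL_RAW_DATA (value 1) in later releases.
        $ct = openssl_encrypt('', $method, $key, 1, $iv);
        if (!is_string($ct)) {
            $problems[] = "round $n: encryption failed";
            continue;
        }
        if (strlen($ct) !== 16) {
            $problems[] = "round $n: length " . strlen($ct) . ", expected 16";
        }
        if ($first === null) {
            $first = $ct;
        } elseif ($ct !== $first) {
            $problems[] = "round $n: output differs from round 0";
        }
        // The single padding block must decrypt back to the empty string.
        if (openssl_decrypt($ct, $method, $key, 1, $iv) !== '') {
            $problems[] = "round $n: does not decrypt to empty string";
        }
    }
    return $problems;
}

$problems = check_empty_encrypt($method, $key, $iv);
foreach ($problems as $p) {
    fwrite(STDERR, $p . "\n");
}
echo $problems ? "FAIL\n" : "OK\n";
exit($problems ? 1 : 0);
```

Run it before and after the package upgrade; a non-zero exit status means the empty-input path is not producing the single deterministic padding block.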