Bug 783605 (CVE-2012-0788)

Summary: CVE-2012-0788 php: crash when unserializing serialized PDORow object
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: fedora, jorton, ldimaggi, rpm, tkramer
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 5.3.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-05-15 16:03:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 782956    

Description Kurt Seifried 2012-01-21 00:16:45 UTC 
https://bugs.php.net/bug.php?id=55776

 [2011-09-24 19:21 UTC] grinyad at mail dot ru

Description:
------------
<?php

// make a Pdo_Mysql statement before

$result = $stmt->fetch(PDO::FETCH_LAZY);

session_start();

$_SESSION['PDORow'] = $result;
?>

Is crashing on next request after saving PDORow to session on session_start()

[2011-09-24 19:24 UTC] aharvey

What do you mean by "crashing"? Is the actual PHP process crashing, or
are you just getting an error message because PDO statements aren't
serialisable (which is expected)?

 [2011-09-25 08:56 UTC] grinyad at mail dot ru

Is a Apache crash. It gives a CGI/FastCGI Send/Don't Send window.

http://img171.imageshack.us/img171/3953/57126366.jpg

After few minutes is crashing apache server:

http://img840.imageshack.us/img840/2981/21231006.jpg

 [2011-09-25 12:39 UTC] johannes

PDORow objects may not be serialized and therefore not be put in a session. In svn it was fixed to throw a warning and not crash anymore this will be in future releases.
Comment 3 Stefan Cornelius 2012-05-15 16:02:53 UTC 
Statement:

Red Hat does not consider this flaw to be a security issue. The bug can only be triggered by the PHP script author, which does not cross trust boundary.