Bug 471223

Summary:	php: incorrect patch for CVE-2006-3016 [rhel-2.1]
Product:	Red Hat Enterprise Linux 2.1	Reporter:	Tomas Hoger <thoger>
Component:	php	Assignee:	Joe Orton <jorton>
Status:	CLOSED WONTFIX	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	2.1	CC:	mjc
Target Milestone:	---
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2009-06-01 08:32:08 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Tomas Hoger 2008-11-12 14:55:01 UTC

Description of problem:
The patch applied to PHP packages in RHEL-2.1 to address security issue CVE-2006-3016 contain a bug.  When user-supplied session identifier is dropped in php_session_initialize() because of the invalid characters used in the identifier, new safe session identifier is not generated by PHP.  This later causes NULL pointer dereference and PHP interpreter crash.  This bug is not a security flaw, as it only causes one httpd child to crash.  New child is spawned by master httpd process to replace the dead child.

Version-Release number of selected component (if applicable):
php-4.1.2-2.20

Additional info:
id should be generated in a similar was as is in php_session_start():
    if (!PS(id))
        PS(id) = _php_create_id(NULL TSRMLS_CC);

This does not affect RHEL3+ php packages.