Bug 127642

Summary: CAN-2004-0594 PHP memory_limit issue
Product: Red Hat Enterprise Linux 3
Component: php
Version: 3.0
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Keywords: Security
Reporter: Josh Bressers <bressers>
Assignee: Joe Orton <jorton>
CC: barryn, chrismcc, holger, mjc
Doc Type: Bug Fix
Last Closed: 2004-07-19 15:23:04 UTC

Attachments:
RHEL3 php patch (flags: none)
RHEL2.1 patch (flags: none)

Description Josh Bressers 2004-07-12 01:56:44 UTC
An issue has been found in PHP memory_limit.  When the memory_limit is
reached, PHP simply starts request termination, which can abort in
unsafe places.  Reported to vendor-sec on July 07 2004.

This issue also affects RHEL 2.1

This issue has been designated CAN-2004-0594

Comment 3 Josh Bressers 2004-07-12 03:06:08 UTC
This is going to be RHSA-2004:392

Comment 6 Joe Orton 2004-07-12 15:19:12 UTC
Issue description and mitigating factors:

A memory handling bug in versions of PHP 4 earlier than 4.3.8 has been
discovered by Stefan Esser.  If a remote attacker can force the PHP
interpreter to allocate more memory than the "memory_limit" setting in
the PHP configuration before script execution begins, then the
attacker may be able to exploit the interpreter to execute arbitrary
code as the 'apache' user.

The remote attacker may be able to force a large memory allocation
necessary to exploit this issue if using a non-default PHP
configuration with the "register_defaults" setting changed to "On", or
if using a version of Apache httpd 2.0 which is vulnerable to CVE
CAN-2004-0493. In the default configuration, there are no known
methods for exploiting this bug.


Comment 8 Christopher McCrory 2004-07-14 17:49:31 UTC
Since you are rebuilding, adding back the -devel package "would be
cool".   Even if it is not released to RHN, being able to 'rpm
--rebuild' would work.

Comment 9 Joe Orton 2004-07-15 11:42:41 UTC
The devel package is produced by rebuilding the PHP source rpm even in
the U2 package; the plan is to include it in RHN from U3 onwards.

Comment 10 Holger Eilhard 2004-07-15 13:56:46 UTC
Second one is:
http://security.e-matters.de/advisories/112004.html

Comment 11 Rob Lanphier 2004-07-16 01:30:24 UTC
Per this URL:
http://security.e-matters.de/advisories/112004.html

...the synopsis above in comment #6 isn't quite correct.  It's
"register_globals", not "register_defaults", if I'm reading it properly.


Comment 12 Josh Bressers 2004-07-19 15:23:05 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-395.html
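
A configuration check for the preconditions listed in comment 6, using the setting name as corrected in comment 11 (register_globals). This is an added example, not code from the bug report, PHP or Red Hat; the function names, the httpd_has_can_2004_0493 flag and the sample php.ini are assumptions constructed for illustration.

```python
import re

FIXED = (4, 3, 8)                         # comment 6: PHP 4 earlier than 4.3.8
TRUE_VALUES = {"1", "on", "yes", "true"}  # php.ini boolean spellings

def parse_ini(text):
    """Effective php.ini directives; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if not line or line[0] in "[#" or "=" not in line:
            continue                          # blank, section header, '#' comment
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def parse_version(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)  # any trailing suffix is ignored
    if not m:
        raise ValueError("unrecognised PHP version: %r" % version)
    return tuple(int(part) for part in m.groups())

def assess(version, ini_text, httpd_has_can_2004_0493=False):
    """Classify a host against the preconditions listed in comment 6."""
    # The httpd flag is supplied by the operator; Apache is not inspected here.
    # The version test suits upstream builds: a distribution package may carry
    # the fix as a patch on an older version, so check its errata level instead.
    v = parse_version(version)
    ini = parse_ini(ini_text)
    globals_on = ini.get("register_globals", "off").lower() in TRUE_VALUES
    affected = v[0] == 4 and v < FIXED
    if not affected:
        status = "not affected"
    elif globals_on or httpd_has_can_2004_0493:
        status = "affected, precondition present"
    else:
        status = "affected, no known method in this configuration"
    return {"status": status, "register_globals": globals_on,
            "memory_limit": ini.get("memory_limit")}

# Constructed sample input, not taken from a real host.
SAMPLE_INI = """\
[PHP]
memory_limit = 8M        ; per-request ceiling
register_globals = Off
; register_globals = On  (commented out, must be ignored)
register_globals = On
"""
if __name__ == "__main__":
    print(assess("4.3.2", SAMPLE_INI))
```

A missing register_globals line is treated as Off, matching the default configuration that comment 6 describes.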