Bug 127642 - CAN-2004-0594 PHP memory_limit issue
Summary: CAN-2004-0594 PHP memory_limit issue
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: php
Version: 3.0
Hardware: All Linux
Target Milestone: ---
Assignee: Joe Orton
QA Contact:
Keywords: Security
Depends On:
Reported: 2004-07-12 01:56 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-07-19 15:23:04 UTC

Attachments
RHEL3 php patch. (9.00 KB, patch)
2004-07-12 06:59 UTC, Josh Bressers
RHEL2.1 patch (8.49 KB, patch)
2004-07-12 07:01 UTC, Josh Bressers

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2004:392 high SHIPPED_LIVE Important: php security update 2004-07-19 04:00:00 UTC
Red Hat Product Errata RHSA-2004:395 high SHIPPED_LIVE Important: php security update 2004-07-19 04:00:00 UTC

Description Josh Bressers 2004-07-12 01:56:44 UTC
An issue has been found in PHP memory_limit.  When the memory_limit is
reached, PHP simply starts request termination, which can abort in
unsafe places.  Reported to vendor-sec on July 07 2004.

This issue also affects RHEL 2.1

This issue has been designated CAN-2004-0594

Comment 3 Josh Bressers 2004-07-12 03:06:08 UTC
This is going to be RHSA-2004:392

Comment 6 Joe Orton 2004-07-12 15:19:12 UTC
Issue description and mitigating factors:

A memory handling bug in versions of PHP 4 earlier than 4.3.8 has been
discovered by Stefan Esser.  If a remote attacker can force the PHP
interpreter to allocate more memory than the "memory_limit" setting in
the PHP configuration before script execution begins, then the
attacker may be able to exploit the interpreter to execute arbitrary
code as the 'apache' user.
The remote attacker may be able to force a large memory allocation
necessary to exploit this issue if using a non-default PHP
configuration with the "register_defaults" setting changed to "On", or
if using a version of Apache httpd 2.0 which is vulnerable to CVE
CAN-2004-0493. In the default configuration, there are no known
methods for exploiting this bug.

Comment 8 Christopher McCrory 2004-07-14 17:49:31 UTC
Since you are rebuilding, adding back the -devel package "would be
cool". Even if it is not released to RHN, being able to 'rpm
--rebuild' would work

Comment 9 Joe Orton 2004-07-15 11:42:41 UTC
The devel package is produced by rebuilding the PHP source rpm even in
the U2 package; the plan is to include it in RHN from U3 onwards.

Comment 10 Holger Eilhard 2004-07-15 13:56:46 UTC
Second one is:

Comment 11 Rob Lanphier 2004-07-16 01:30:24 UTC
Per this URL:

...the synopsis above in comment #6 isn't quite correct.  It's
"register_globals", not "register_defaults", if I'm reading it properly.

Comment 12 Josh Bressers 2004-07-19 15:23:05 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.
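
The mitigating factors in comment 6, with the directive name as corrected in comment 11, can be turned into a host triage check. The following is an added example, not code from this bug report or from Red Hat or PHP: the function names, status strings and sample php.ini are constructed, it assumes `register_globals` is Off when the directive is absent, and the `patched` flag is the caller's own knowledge that a vendor fix such as the errata package is installed, since a patched distribution package can keep an upstream version number below 4.3.8.

```python
import re

FIXED = (4, 3, 8)                        # comment 6: PHP 4 earlier than 4.3.8
ENABLED = {"1", "on", "yes", "true"}     # php.ini spellings of a true boolean

def parse_ini(text):
    """Return {directive: value} from php.ini text; a later line overrides."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") or "=" not in line:
            continue                              # section header or blank
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def version_tuple(version):
    """'4.3.2' or '4.3.2-8.ent' -> (4, 3, 2)."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError("unrecognised PHP version: %r" % version)
    return tuple(int(part) for part in match.groups())

def triage(version, ini_text, patched=False):
    """Classify one host against the conditions described in comment 6."""
    ver = version_tuple(version)
    if patched or ver[0] != 4 or ver >= FIXED:
        return "not-affected"
    # Assumption: register_globals is Off when php.ini does not set it.
    value = parse_ini(ini_text).get("register_globals", "off")
    if value.lower() in ENABLED:
        return "exposed"                 # affected build plus non-default setting
    # No known vector from PHP config; httpd must still be checked
    # for CAN-2004-0493, which this function cannot see.
    return "affected-no-known-php-vector"

SAMPLE_INI = """\
; constructed sample, not taken from a real host
[PHP]
memory_limit = 8M        ; per-request cap
register_globals = On
"""

if __name__ == "__main__":
    for ver, ini in [("4.3.2", SAMPLE_INI), ("4.3.2", "register_globals = Off"),
                     ("4.3.8", SAMPLE_INI)]:
        print(ver, "->", triage(ver, ini))
```
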

