Bug 127642 - CAN-2004-0594 PHP memory_limit issue
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: php
Version: 3.0
Hardware: All Linux
Priority: high
Severity: medium
Assigned To: Joe Orton
Keywords: Security
Reported: 2004-07-11 21:56 EDT by Josh Bressers
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2004-07-19 11:23:04 EDT


Attachments
RHEL3 php patch. (9.00 KB, patch)
2004-07-12 02:59 EDT, Josh Bressers
RHEL2.1 patch (8.49 KB, patch)
2004-07-12 03:01 EDT, Josh Bressers
Description Josh Bressers 2004-07-11 21:56:44 EDT
An issue has been found in PHP memory_limit.  When the memory_limit is
reached, PHP simply starts request termination, which can abort in
unsafe places.  Reported to vendor-sec on July 07 2004.

This issue also affects RHEL 2.1

This issue has been designated CAN-2004-0594
Comment 3 Josh Bressers 2004-07-11 23:06:08 EDT
This is going to be RHSA-2004:392
Comment 6 Joe Orton 2004-07-12 11:19:12 EDT
Issue description and mitigating factors:

A memory handling bug in versions of PHP 4 earlier than 4.3.8 has been
discovered by Stefan Esser.  If a remote attacker can force the PHP
interpreter to allocate more memory than the "memory_limit" setting in
the PHP configuration before script execution begins, then the
attacker may be able to exploit the interpreter to execute arbitrary
code as the 'apache' user.

The remote attacker may be able to force a large memory allocation
necessary to exploit this issue if using a non-default PHP
configuration with the "register_defaults" setting changed to "On", or
if using a version of Apache httpd 2.0 which is vulnerable to CVE
CAN-2004-0493. In the default configuration, there are no known
methods for exploiting this bug.
Comment 8 Christopher McCrory 2004-07-14 13:49:31 EDT
Since you are rebuilding, adding back the -devel package "would be
cool". Even if it is not released to RHN, being able to 'rpm
--rebuild' would work.
Comment 9 Joe Orton 2004-07-15 07:42:41 EDT
The devel package is produced by rebuilding the PHP source rpm even in
the U2 package; the plan is to include it in RHN from U3 onwards.
Comment 10 Holger Eilhard 2004-07-15 09:56:46 EDT
Second one is:
http://security.e-matters.de/advisories/112004.html
Comment 11 Rob Lanphier 2004-07-15 21:30:24 EDT
Per this URL:
http://security.e-matters.de/advisories/112004.html

...the synopsis above in comment #6 isn't quite correct.  It's
"register_globals", not "register_defaults", if I'm reading it properly.
Comment 12 Josh Bressers 2004-07-19 11:23:05 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-395.html
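
Added example (not part of the bug report and not Red Hat or PHP code): a Python triage check for the two PHP-side conditions named in comment 6, using the directive name as corrected in comment 11. The function names, result keys, sample php.ini and the version string "4.3.2" are constructed for illustration.

```python
import re

FIXED_IN = (4, 3, 8)                    # comment 6: PHP 4 before 4.3.8 is affected
TRUTHY = {"1", "on", "yes", "true"}     # spellings php.ini accepts for boolean true

def parse_ini(text):
    """Return {directive: value} from php.ini text; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line or line.startswith("[") or "=" not in line:
            continue                             # blank line, [section] header, or no assignment
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def parse_version(version):
    """Turn an upstream version string such as '4.3.2' into a comparable tuple."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if match is None:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    return tuple(int(part) for part in match.groups())

def triage(php_version, ini_text):
    """Check the two conditions from the bug report that are visible on the PHP side."""
    version = parse_version(php_version)
    ini = parse_ini(ini_text)
    affected = version[0] == 4 and version < FIXED_IN
    # Absent directive is treated as Off: the report calls "On" a non-default setting.
    globals_on = ini.get("register_globals", "Off").lower() in TRUTHY
    return {
        "affected_version": affected,
        "register_globals_on": globals_on,
        "memory_limit": ini.get("memory_limit"),   # reported as written, not interpreted
        "known_trigger_in_php_ini": affected and globals_on,
    }

# Constructed sample php.ini, not taken from the bug report.
SAMPLE_INI = """\
[PHP]
memory_limit = 8M        ; per-request allocation cap
register_globals = On    ; non-default
"""

if __name__ == "__main__":
    print(triage("4.3.2", SAMPLE_INI))
```

The version test compares upstream version numbers only; a distribution package fixed by an erratum can keep an older upstream version string, so confirm against the installed package's erratum or changelog. The second trigger from comment 6, an Apache httpd 2.0 vulnerable to CAN-2004-0493, is outside php.ini and is not checked here.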
