From the PHP 5.2.6 changelog:

* Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.

The fix for this is here: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.50.2.12&r2=1.267.2.15.2.50.2.13&diff_format=u
This issue seems to have been introduced in the following commit: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?diff_format=u&view=diff&r1=1.323&r2=1.324

The affected code first occurred in released PHP version 5.2.3. In previous versions, env_path_info was not checked to be non-NULL, possibly causing a crash of the php interpreter launched to handle the CGI request (unlikely, as the PATH_INFO environment variable is set by the web server).
Whether or not PATH_INFO is present in the environment is under the control of the remote user. But this code path can only be reached if DOCUMENT_ROOT is not set (the preceding "if" condition on env_document_root). That will never happen if /usr/bin/php-cgi is being executed via httpd mod_cgi. It does look like it's normal that DOCUMENT_ROOT is not passed through if php-cgi is being executed via FastCGI, however. In that case, it could cause a NULL pointer dereference and the php-cgi process would be recycled by the fastcgi parent; a very minor DoS. Not sure if we actually ship any FastCGI servers, though. So I'd say, this is severity=Low.
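The defect pattern the comments above describe, as an added illustration that is not PHP's cgi_main.c and not part of this bug report: a simplified, hypothetical resolver that falls back from DOCUMENT_ROOT to PATH_INFO, shown once without the NULL check (the "before") and once with every environment-derived pointer validated before use. The function names, the status codes and the sample values are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the CGI request-setup decision
 * described in the bug: when DOCUMENT_ROOT is absent, fall back to
 * PATH_INFO. This is NOT PHP's cgi_main.c; it only reproduces the
 * shape of the defect and of its fix. */

/* Status codes, constructed for this example. */
enum resolve_status { RESOLVE_OK = 0, RESOLVE_BAD_REQUEST = 1 };

/* "Before": once DOCUMENT_ROOT is missing, path_info is used without a
 * NULL check. If PATH_INFO is also unset, strlen(NULL) crashes the
 * worker process (the minor DoS discussed above). Kept only to show
 * the defect; never call it with path_info == NULL. */
static size_t resolve_unchecked(const char *document_root, const char *path_info)
{
    if (document_root != NULL)
        return strlen(document_root);
    return strlen(path_info);   /* NULL dereference when PATH_INFO is unset */
}

/* "After": each environment-derived pointer is checked before use.
 * A request with neither variable is rejected instead of crashing. */
static enum resolve_status resolve_checked(const char *document_root,
                                           const char *path_info,
                                           char *out, size_t outlen)
{
    const char *base;
    if (document_root != NULL) {
        base = document_root;
    } else if (path_info != NULL) {
        base = path_info;
    } else {
        return RESOLVE_BAD_REQUEST;  /* neither variable set: refuse */
    }
    if (strlen(base) >= outlen)
        return RESOLVE_BAD_REQUEST;  /* would not fit: refuse rather than truncate */
    memcpy(out, base, strlen(base) + 1);
    return RESOLVE_OK;
}

/* Convenience wrapper: 1 if the request would be accepted, 0 if rejected. */
static int request_accepted(const char *document_root, const char *path_info)
{
    char buf[256];
    return resolve_checked(document_root, path_info, buf, sizeof buf) == RESOLVE_OK;
}

/* Drive the checked resolver from the real process environment, the way a
 * CGI or FastCGI program would read the variables the server passed in. */
static enum resolve_status resolve_from_env(char *out, size_t outlen)
{
    return resolve_checked(getenv("DOCUMENT_ROOT"), getenv("PATH_INFO"), out, outlen);
}

int main(void)
{
    char buf[256];
    /* Constructed cases: mod_cgi-like (DOCUMENT_ROOT set), FastCGI-like with
     * only PATH_INFO, and FastCGI-like with neither variable present. */
    printf("unchecked, both set: %zu\n", resolve_unchecked("/var/www/html", "/index.php"));
    printf("checked, both set:   %d\n", request_accepted("/var/www/html", "/index.php"));
    printf("checked, PATH_INFO:  %d\n", request_accepted(NULL, "/index.php"));
    printf("checked, neither:    %d\n", request_accepted(NULL, NULL));
    printf("from environment:    %d\n", resolve_from_env(buf, sizeof buf));
    return 0;
}
```

The point of the hardened version is that a missing variable becomes a rejected request rather than a signal; under FastCGI that distinction is what keeps a malformed request from recycling the worker.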
This issue does not affect the version of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.
php-5.2.6-2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
php-5.2.6-2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.