Bug 471223 - php: incorrect patch for CVE-2006-3016 [rhel-2.1]
php: incorrect patch for CVE-2006-3016 [rhel-2.1]
Product: Red Hat Enterprise Linux 2.1
Classification: Red Hat
Component: php (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Joe Orton
Depends On:
  Show dependency treegraph
Reported: 2008-11-12 09:55 EST by Tomas Hoger
Modified: 2009-06-01 04:32 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-06-01 04:32:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2008-11-12 09:55:01 EST
Description of problem:
The patch applied to PHP packages in RHEL-2.1 to address security issue CVE-2006-3016 contain a bug.  When user-supplied session identifier is dropped in php_session_initialize() because of the invalid characters used in the identifier, new safe session identifier is not generated by PHP.  This later causes NULL pointer dereference and PHP interpreter crash.  This bug is not a security flaw, as it only causes one httpd child to crash.  New child is spawned by master httpd process to replace the dead child.

Version-Release number of selected component (if applicable):

Additional info:
id should be generated in a similar was as is in php_session_start():
    if (!PS(id))
        PS(id) = _php_create_id(NULL TSRMLS_CC);

This does not affect RHEL3+ php packages.

Note You need to log in before you can comment on or make changes to this bug.