471223 – php: incorrect patch for CVE-2006-3016 [rhel-2.1]

Bug 471223 - php: incorrect patch for CVE-2006-3016 [rhel-2.1]

Summary: php: incorrect patch for CVE-2006-3016 [rhel-2.1]

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 2.1
Classification:	Red Hat
Component:	php
Sub Component:
Version:	2.1
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Joe Orton
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-11-12 14:55 UTC by Tomas Hoger
Modified:	2009-06-01 08:32 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-06-01 08:32:08 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Tomas Hoger 2008-11-12 14:55:01 UTC

Description of problem:
The patch applied to PHP packages in RHEL-2.1 to address security issue CVE-2006-3016 contain a bug.  When user-supplied session identifier is dropped in php_session_initialize() because of the invalid characters used in the identifier, new safe session identifier is not generated by PHP.  This later causes NULL pointer dereference and PHP interpreter crash.  This bug is not a security flaw, as it only causes one httpd child to crash.  New child is spawned by master httpd process to replace the dead child.

Version-Release number of selected component (if applicable):
php-4.1.2-2.20

Additional info:
id should be generated in a similar was as is in php_session_start():
    if (!PS(id))
        PS(id) = _php_create_id(NULL TSRMLS_CC);

This does not affect RHEL3+ php packages.

Note You need to log in before you can comment on or make changes to this bug.