Bug 548532 (CVE-2009-4143) - CVE-2009-4143 php: $_SESSION usort() interruption corruption
Summary: CVE-2009-4143 php: $_SESSION usort() interruption corruption
Status: CLOSED DUPLICATE of bug 169857
Alias: CVE-2009-4143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Depends On:
TreeView+ depends on / blocked
Reported: 2009-12-17 17:59 UTC by Vincent Danen
Modified: 2021-11-12 20:02 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-12-23 15:15:00 UTC

Attachments (Terms of Use)

Description Vincent Danen 2009-12-17 17:59:51 UTC
PHP 5.2.12 was released with the following reference:

Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas)

There is no referring bug report and I cannot currently find any further information on this issue.

Comment 1 Vincent Danen 2009-12-17 21:19:10 UTC
This issue is documented here, beginning at page 50:


Comment 2 Tomas Hoger 2009-12-22 14:25:39 UTC
Relevant upstream commit should be this:

+ NEWS file updates in 291703 and 291804.

Comment 3 Tomas Hoger 2009-12-23 15:03:00 UTC
More on using interruption flaws to compromise PHP interpreter from the script:


Comment 4 Tomas Hoger 2009-12-23 15:15:00 UTC
This flaw can be used by PHP script author to bypass restrictions such as safe_mode or open_basedir.  Red Hat does not treat such issue as security flaws:


Additionally, fix in 5.2.12 adds protection for $_SESSION.  In older PHP versions, usort() interruptions can be used to corrupt any array.

*** This bug has been marked as a duplicate of bug 169857 ***

Note You need to log in before you can comment on or make changes to this bug.