Bug 399567 (CVE-2012-0788) - <dev-lang/php-5.3.9 PDORow to session bug (CVE-2012-0788)
Summary: <dev-lang/php-5.3.9 PDORow to session bug (CVE-2012-0788)
Status: RESOLVED FIXED
Alias: CVE-2012-0788
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=55776
Whiteboard: B3 [glsa]
Reported: 2012-01-21 00:51 UTC by Viorel Tabara
Modified: 2012-09-24 00:27 UTC

Description Viorel Tabara 2012-01-21 00:51:34 UTC
https://bugs.php.net/bug.php?id=55776

 [2011-09-24 19:21 UTC] grinyad at mail dot ru

Description:
------------
<?php

// make a Pdo_Mysql statement before

$result = $stmt->fetch(PDO::FETCH_LAZY);

session_start();

$_SESSION['PDORow'] = $result;
?>

It is crashing on the next request after saving a PDORow to the session, on session_start()

[2011-09-24 19:24 UTC] aharvey@php.net

What do you mean by "crashing"? Is the actual PHP process crashing, or
are you just getting an error message because PDO statements aren't
serialisable (which is expected)?

 [2011-09-25 08:56 UTC] grinyad at mail dot ru

It is an Apache crash. It gives a CGI/FastCGI Send/Don't Send window.

http://img171.imageshack.us/img171/3953/57126366.jpg

After a few minutes the Apache server crashes:

http://img840.imageshack.us/img840/2981/21231006.jpg

 [2011-09-25 12:39 UTC] johannes@php.net

PDORow objects may not be serialized and therefore may not be put in a session. In
svn it was fixed to throw a warning and not crash anymore; this will be in
future releases.
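
A defensive pattern for the case discussed above, as an added example that is not part of the bug report or of PHP's fix: fetch rows as plain arrays before they go into a session, and reject PDO objects at the point of storage. The helper names `assert_session_safe` and `session_put`, the in-memory SQLite database (pdo_sqlite is assumed to be loaded) and its data are assumptions made for illustration.

```php
<?php
// Added example (not from the bug report). Assumes the pdo_sqlite extension;
// the users table and its row are constructed sample data.

// Hypothetical helper: reject PDO handles anywhere in a (nested) array before
// it is written to the session. Only arrays are walked, not object properties.
function assert_session_safe($value, string $path = '$_SESSION'): void
{
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            assert_session_safe($item, $path . '[' . var_export($key, true) . ']');
        }
        return;
    }
    if ($value instanceof PDORow || $value instanceof PDOStatement || $value instanceof PDO) {
        throw new InvalidArgumentException(
            $path . ' holds a ' . get_class($value) . ', which cannot be serialized'
        );
    }
}

// Hypothetical wrapper used instead of assigning to $_SESSION directly.
function session_put(string $key, $value): void
{
    assert_session_safe($value, '$_SESSION[' . var_export($key, true) . ']');
    $_SESSION[$key] = $value;
}

session_start();

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice')");

// The pattern from the report: a lazy fetch returns a PDORow tied to $stmt.
$stmt = $pdo->query('SELECT id, name FROM users');
$lazy = $stmt->fetch(PDO::FETCH_LAZY);
try {
    session_put('PDORow', $lazy);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Fetching a plain array gives data the session handler can serialize.
$stmt = $pdo->query('SELECT id, name FROM users');
session_put('user', $stmt->fetch(PDO::FETCH_ASSOC));
echo 'stored: ', json_encode($_SESSION['user']), "\n";
```

On PHP versions before 5.3.9 this check keeps the PDORow from ever reaching the session serializer, which is where the reported crash occurred.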
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-21 13:45:43 UTC
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:10:34 UTC
CVE-2012-0788 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0788):
  The PDORow implementation in PHP before 5.3.9 does not properly interact
  with the session feature, which allows remote attackers to cause a denial of
  service (application crash) via a crafted application that uses a PDO driver
  for a fetch and then calls the session_start function, as demonstrated by a
  crash of the Apache HTTP Server.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:35 UTC
This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).