Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 399567 (CVE-2012-0788) - <dev-lang/php-5.3.9 PDORow to session bug (CVE-2012-0788)
Summary: <dev-lang/php-5.3.9 PDORow to session bug (CVE-2012-0788)
Status: RESOLVED FIXED
Alias: CVE-2012-0788
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugs.php.net/bug.php?id=55776
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-01-21 00:51 UTC by Viorel Tabara
Modified: 2012-09-24 00:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Viorel Tabara 2012-01-21 00:51:34 UTC
https://bugs.php.net/bug.php?id=55776

 [2011-09-24 19:21 UTC] grinyad at mail dot ru

Description:
------------
<?php

// make a Pdo_Mysql statement before

$result = $stmt->fetch(PDO::FETCH_LAZY);

session_start();

$_SESSION['PDORow'] = $result;
?>

Is crashing on next request after saving PDORow to session on session_start()

[2011-09-24 19:24 UTC] aharvey@php.net

What do you mean by "crashing"? Is the actual PHP process crashing, or
are you just getting an error message because PDO statements aren't
serialisable (which is expected)?

 [2011-09-25 08:56 UTC] grinyad at mail dot ru

Is a Apache crash. It gives a CGI/FastCGI Send/Don't Send window.

http://img171.imageshack.us/img171/3953/57126366.jpg

After few minutes is crashing apache server:

http://img840.imageshack.us/img840/2981/21231006.jpg

 [2011-09-25 12:39 UTC] johannes@php.net

PDORow objects may not be serialized and therefore not be put in a session. In
svn it was fixed to throw a warning and not crash anymore this will be in
future releases.
Comment 1 Sean Amoss gentoo-dev Security 2012-01-21 13:45:43 UTC
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:10:34 UTC
CVE-2012-0788 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0788):
  The PDORow implementation in PHP before 5.3.9 does not properly interact
  with the session feature, which allows remote attackers to cause a denial of
  service (application crash) via a crafted application that uses a PDO driver
  for a fetch and then calls the session_start function, as demonstrated by a
  crash of the Apache HTTP Server.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:35 UTC
This issue was resolved and addressed in
 GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml
by GLSA coordinator Sean Amoss (ackle).