Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 399567 (CVE-2012-0788) - <dev-lang/php-5.3.9 PDORow to session bug (CVE-2012-0788)
Summary: <dev-lang/php-5.3.9 PDORow to session bug (CVE-2012-0788)
Alias: CVE-2012-0788
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on:
Reported: 2012-01-21 00:51 UTC by Viorel Tabara
Modified: 2012-09-24 00:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Viorel Tabara 2012-01-21 00:51:34 UTC

 [2011-09-24 19:21 UTC] grinyad at mail dot ru


// make a Pdo_Mysql statement before

$result = $stmt->fetch(PDO::FETCH_LAZY);


$_SESSION['PDORow'] = $result;

Is crashing on next request after saving PDORow to session on session_start()

[2011-09-24 19:24 UTC]

What do you mean by "crashing"? Is the actual PHP process crashing, or
are you just getting an error message because PDO statements aren't
serialisable (which is expected)?

 [2011-09-25 08:56 UTC] grinyad at mail dot ru

Is a Apache crash. It gives a CGI/FastCGI Send/Don't Send window.

After few minutes is crashing apache server:

 [2011-09-25 12:39 UTC]

PDORow objects may not be serialized and therefore not be put in a session. In
svn it was fixed to throw a warning and not crash anymore this will be in
future releases.
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2012-01-21 13:45:43 UTC
Fixed in dev-lang/php-5.3.9 - added to existing GLSA request.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:10:34 UTC
CVE-2012-0788 (
  The PDORow implementation in PHP before 5.3.9 does not properly interact
  with the session feature, which allows remote attackers to cause a denial of
  service (application crash) via a crafted application that uses a PDO driver
  for a fetch and then calls the session_start function, as demonstrated by a
  crash of the Apache HTTP Server.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-24 00:27:35 UTC
This issue was resolved and addressed in
 GLSA 201209-03 at
by GLSA coordinator Sean Amoss (ackle).