Package: php4
Version: 4:4.1.2-7
Severity: normal
Tags: patch woody

Basically, there's a repeatable segfault in session.c in php 4.1.2. It's documented in PHP4 bug 15168 [1], although they claim it only happens with the mm session handler, and I triggered it with the file session handler. (Same segfault as in the bug report.)
Anyway, I've fetched the changes that appeared in the relevant branch of PHP CVS [2], and integrated them with a couple of fixes that appear in the Debian/stable latest PHP4 package, and included the patch below. It appears that this package _has_ an attempt to fix this problem already, but I'm guessing it didn't work, so I've replaced it.

The below patch applies to ext/session/session.c. Hunk 1 is just because that's the CVS version it's closest to (end of the line for that branch) and Hunk 3 is whitespace fixes for consistency in the existing Debian patch. Hunk 2 depends on the existing Debian patch, and it and Hunk 4 are the important ones.

Anyway, I can't really justify this as a security bug, since it just causes segfaults in Apache, and short output on the screen, but it's here in case anyone _can_ build such a case, and for documentation purposes. As such, I don't mind if it goes +wontfix. ^_^

--- session.c.org Fri Mar 18 22:18:05 2005 +++ session.c Sat Mar 19 00:56:19 2005 @@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: session.c,v 1.237.2.8 2002/02/26 19:32:52 derick Exp $ */ +/* $Id: session.c,v 1.237.2.11 2002/03/05 22:07:15 zeev Exp $ */ #ifdef HAVE_CONFIG_H #include "config.h" 
@@ -426,20 +426,20 @@ static void php_session_track_init(TSRMLS_D) { zval **old_vars = NULL; - zval *session_vars = NULL; if (zend_hash_find(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), (void **)&old_vars) == SUCCESS && Z_TYPE_PP(old_vars) == IS_ARRAY) { - PS(http_session_vars) = *old_vars; - zend_hash_clean(Z_ARRVAL_P(PS(http_session_vars))); + PS(http_session_vars) = *old_vars; + zend_hash_clean(Z_ARRVAL_P(PS(http_session_vars))); } else { - if(old_vars) { - zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")); - } - MAKE_STD_ZVAL(session_vars); - array_init(session_vars); - PS(http_session_vars) = session_vars; - ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 1, 0); - ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 1, 0); + if(old_vars) { + zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS")); + } + MAKE_STD_ZVAL(PS(http_session_vars)); + array_init(PS(http_session_vars)); + PS(http_session_vars)->refcount = 2; + PS(http_session_vars)->is_ref = 1; + zend_hash_update(&EG(symbol_table), "HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), &PS(http_session_vars), sizeof(zval *), NULL); + zend_hash_update(&EG(symbol_table), "_SESSION", sizeof("_SESSION"), &PS(http_session_vars), sizeof(zval *), NULL); } } 
@@ -1288,17 +1288,17 @@ void session_adapt_uris(const char *src, size_t srclen, char **new, size_t *newlen TSRMLS_DC) { if (PS(define_sid) && (PS(session_status) == php_session_active)) { - char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL); + char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL); *new = url_adapt_ext_ex(src, srclen, PS(session_name), encoded_id, newlen TSRMLS_CC); - } + } } void session_adapt_url(const char *url, size_t urllen, char **new, size_t *newlen TSRMLS_DC) { if (PS(define_sid) && (PS(session_status) == php_session_active)) { - char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL); + char *encoded_id = php_url_encode(PS(id), strlen(PS(id)), NULL); *new = url_adapt_single_url(url, urllen, PS(session_name), encoded_id, newlen TSRMLS_CC); - } + } } void session_adapt_flush(int (*write)(const char *, uint TSRMLS_DC) TSRMLS_DC) 
@@ -1343,6 +1343,7 @@ PS(id) = NULL; PS(session_status) = php_session_none; PS(mod_data) = NULL; + PS(http_session_vars) = NULL; } static void php_rshutdown_session_globals(TSRMLS_D)

[1] http://bugs.php.net/bug.php?id=15168 - Ignore the random tag-on bug on May 14th. >_<
[2] http://cvs.php.net/php-src/ext/session/session.c?r1=1.237.2.8&onb=1.237.2

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux yurika 2.4.26 #1 Mon Aug 9 23:25:59 EST 2004 i686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8

Versions of packages php4 depends on:
ii apache-common 1.3.27-0.1.ipv6.r2 Support files for all Apache webse
ii fileutils 4.1-10 GNU file management utilities
ii libbz2-1.0 1.0.2-1 A high-quality block-sorting file
ii libc6 2.2.5-11.8 GNU C Library: Shared libraries an
ii libdb2 2:2.7.7.0-7 The Berkeley database routines (ru
ii libexpat1 1.95.2-6 XML parsing C library - runtime li
ii libmm11 1.1.3-6.2 Shared memory library
ii libpam0g 0.72-35 Pluggable Authentication Modules l
ii libpcre3 3.4-1.1 Philip Hazel's Perl Compatible Reg
ii mime-support 3.18-1.3 MIME files 'mime.types' & 'mailcap
ii zlib1g 1:1.1.4-1.0woody0 compression library - runtime

-- Paul "TBBle" Hampson, on an alternate email client.
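Review bot: the $Id$ bump in hunk 1 (1.237.2.8 to 1.237.2.11) is not a functional change and will make every later rebase of the Debian patch noisier; since the report says it is only a marker for which CVS revision the backport tracks, recording that revision in the changelog and leaving this hunk out would be cleaner.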
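Review bot: in hunk 2 the new else-branch hard-codes `PS(http_session_vars)->refcount = 2` while the same zval is then held under three names: `PS(http_session_vars)` itself plus the two `zend_hash_update` entries for HTTP_SESSION_VARS and _SESSION. Whether 2 is the right count depends on which of those holders is expected to release a reference at request shutdown; the replaced code delegated that accounting to ZEND_SET_GLOBAL_VAR_WITH_LENGTH, so a comment stating the intended ownership (and why the count is not 3) would stop a later maintainer from "correcting" it into a double free or a leak. The return values of both `zend_hash_update` calls are also discarded. Note too that the if-branch, which reuses an existing HTTP_SESSION_VARS array via `zend_hash_clean`, does not register the _SESSION alias, so the two branches leave the symbol table in different shapes; worth confirming that asymmetry is intended.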
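Review bot: hunk 3 is indentation only (both session_adapt_uris and session_adapt_url are byte-identical apart from leading whitespace) and is interleaved with a crash fix; carrying it as a separate whitespace patch, or dropping it, keeps the functional change easy to verify and to forward-port. In passing, neither function shows a release of `encoded_id` after the url_adapt_* call in either the old or the new lines; that is pre-existing and outside this hunk's intent, but worth a look while the file is open.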
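Review bot: hunk 4 adds `PS(http_session_vars) = NULL;` to the per-request init next to PS(id), PS(session_status) and PS(mod_data), which is the right place, but the shutdown side is visible only as the php_rshutdown_session_globals signature immediately below. Since hunk 2 now makes PS(http_session_vars) the primary handle to the freshly allocated array (refcount and both symbol-table entries are set through it), the shutdown routine needs to release or clear that pointer as well, otherwise a dangling pointer can be carried across requests; please include that part of the diff, or state that the existing Debian patch already covers it.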