iliaa Wed Mar 14 19:42:59 2007 UTC
Modified files: (Branch: PHP_4_4)
/php-src/ext/session session.c
/php-src NEWS
Log:
MFB: Fixed MOPB-22-2007 PHP session_regenerate_id() Double Free Vulnerability.
http://cvs.php.net/viewvc.cgi/php-src/ext/session/session.c?r1=1.336.2.53.2.14&r2=1.336.2.53.2.15&diff_format=u
Index: php-src/ext/session/session.c
diff -u php-src/ext/session/session.c:1.336.2.53.2.14
php-src/ext/session/session.c:1.336.2.53.2.15
--- php-src/ext/session/session.c:1.336.2.53.2.14 Thu Feb 15 09:41:30 2007
+++ php-src/ext/session/session.c Wed Mar 14 19:42:59 2007
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: session.c,v 1.336.2.53.2.14 2007/02/15 09:41:30 tony2001 Exp $ */
+/* $Id: session.c,v 1.336.2.53.2.15 2007/03/14 19:42:59 iliaa Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -1396,7 +1396,10 @@
RETURN_FALSE;
}
if (PS(session_status) == php_session_active) {
- if (PS(id)) efree(PS(id));
+ if (PS(id)) {
+ efree(PS(id));
+ PS(id) = NULL;
+ }
PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
@@ -1688,6 +1691,7 @@
}
if (PS(id)) {
efree(PS(id));
+ PS(id) = NULL;
}
PS(session_status)=php_session_none;
}
http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.1247.2.920.2.208&r2=1.1247.2.920.2.209&diff_format=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.920.2.208 php-src/NEWS:1.1247.2.920.2.209
--- php-src/NEWS:1.1247.2.920.2.208 Wed Mar 14 16:20:11 2007
+++ php-src/NEWS Wed Mar 14 19:42:59 2007
@@ -3,6 +3,8 @@
?? ??? 2007, Version 4.4.7
- Fixed MOPB-21-2007 An open_basedir/safe_mode bypass inside the
compress.bzip2 wraper. (Ilia)
+- Fixed MOPB-22-2007 PHP session_regenerate_id() Double Free Vulnerability.
+ (Ilia)
- Fixed CVE-2007-1001, GD wbmp used with invalid image size (Pierre)
- Fixed CVE-2007-0455, Buffer overflow in gdImageStringFTEx (used by imagettf
function) (Kees Cook, Pierre)
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
