[Bug 895658] New: Suhosin Crashed if used with with php session_set_save_handler()
https://bugzilla.novell.com/show_bug.cgi?id=895658
https://bugzilla.novell.com/show_bug.cgi?id=895658#c0

Summary: Suhosin Crashed if used with with php session_set_save_handler()
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: All
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Apache
AssignedTo: bnc-team-apache@forge.provo.novell.com
ReportedBy: ih@kroesa-maja.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0

I tried to install the webmailer roundcube. By default it uses a database to store the sessions. They implemented their own session_handler with session_set_save_handler(). But it won't work with suhosin; it crashed. Setting suhosin simulation on won't work. Only removing suhosin from the system is a solution. Another workaround is setting session storage to db at the roundcube config.

I have only a default installation of OpenSuSE 13.1 and the normal patches.

Here are some additional links:
https://github.com/stefanesser/suhosin/pull/26
http://trac.roundcube.net/ticket/1488786

Reproducible: Always

Steps to Reproduce:
1. Install apache with suhosin, php etc.
2. Install roundcube
3. Try to log in, look at the roundcube logfile

The error is "Warning: session_write_close():Failed to write session data (user)....."

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=895658#c

Christian Boltz <suse-beta@cboltz.de> changed:

What       |Removed                                |Added
----------------------------------------------------------------------------
CC         |                                       |suse-beta@cboltz.de
AssignedTo |bnc-team-apache@forge.provo.novell.com |pgajdos@suse.com

https://bugzilla.novell.com/show_bug.cgi?id=895658#c1

--- Comment #1 from Bernhard Wiedemann <bwiedemann@suse.com> 2014-09-10 13:00:14 CEST ---

This is an autogenerated message for OBS integration:
This bug (895658) was mentioned in
https://build.opensuse.org/request/show/248305 13.1+12.3 / php5

https://bugzilla.novell.com/show_bug.cgi?id=895658#c

Petr Gajdos <pgajdos@suse.com> changed:

What     |Removed   |Added
----------------------------------------------------------------------------
Priority |P5 - None |P3 - Medium
Status   |NEW       |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=895658#c2

Petr Gajdos <pgajdos@suse.com> changed:

What         |Removed  |Added
----------------------------------------------------------------------------
Status       |ASSIGNED |NEEDINFO
InfoProvider |         |ih@kroesa-maja.de

--- Comment #2 from Petr Gajdos <pgajdos@suse.com> 2014-09-10 11:12:15 UTC ---

Hi Ingo,

please test suhosin from http://download.opensuse.org/repositories/home:/pgajdos:/maintenance:/php5/o...

https://bugzilla.novell.com/show_bug.cgi?id=895658#c3

--- Comment #3 from Ingo Holewczuk <ih@kroesa-maja.de> 2014-09-10 12:26:47 UTC ---

(In reply to comment #2)
> Hi Ingo,
>
> please test suhosin from http://download.opensuse.org/repositories/home:/pgajdos:/maintenance:/php5/o...

Hi,

I extracted

php5-suhosin-5.4.20-39.1.x86_64.rpm 10-Sep-2014 13:00 92K

and replaced my /usr/lib64/php5/extensions/suhosin.so with yours. Roundcube is now working with db session.

Thanks a lot. Good work :)

https://bugzilla.novell.com/show_bug.cgi?id=895658#c4

Petr Gajdos <pgajdos@suse.com> changed:

What         |Removed           |Added
----------------------------------------------------------------------------
Status       |NEEDINFO          |ASSIGNED
InfoProvider |ih@kroesa-maja.de |
AssignedTo   |pgajdos@suse.com  |security-team@suse.de

--- Comment #4 from Petr Gajdos <pgajdos@suse.com> 2014-09-10 12:41:49 UTC ---

Ok, reassigning to security team as this will be part of security related update.

https://bugzilla.novell.com/show_bug.cgi?id=895658#c

Swamp Workflow Management <swamp@suse.de> changed:

What              |Removed |Added
----------------------------------------------------------------------------
Status Whiteboard |        |obs:running:2999:moderate

https://bugzilla.novell.com/show_bug.cgi?id=895658#c5

Marcus Meissner <meissner@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |ASSIGNED |RESOLVED
CC         |         |meissner@suse.com
Resolution |         |FIXED

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2014-09-11 07:34:03 UTC ---

accepted for update.

https://bugzilla.novell.com/show_bug.cgi?id=895658#c6

--- Comment #6 from Swamp Workflow Management <swamp@suse.de> 2014-09-16 13:06:55 UTC ---

openSUSE-SU-2014:1133-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 893849,893853,893855,895658
CVE References: CVE-2014-3597,CVE-2014-5120,CVE-2014-5459
Sources used:
openSUSE 13.1 (src): php5-5.4.20-30.1
openSUSE 12.3 (src): php5-5.3.17-3.34.1

https://bugzilla.novell.com/show_bug.cgi?id=895658#c7

Christian Boltz <suse-beta@cboltz.de> changed:

What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |VERIFIED

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> 2014-09-19 00:02:07 CEST ---

Thanks for adding this patch - it works :-)
(tested with the Typo3 installtool login, which didn't work before)

http://bugzilla.novell.com/show_bug.cgi?id=895658

Swamp Workflow Management <swamp@suse.de> changed:

What       |Removed                   |Added
----------------------------------------------------------------------------
Whiteboard |obs:running:2999:moderate |