https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1398
https://bugs.php.net/bug.php?id=60227

http://git.php.net/?p=php-src.git;a=commitdiff;h=61088ce7296f2a3b4b53e60bdf413455b870664d
http://git.php.net/?p=php-src.git;a=commitdiff;h=8e82bda330264d290a5e55580eea2eb875d4cb69
http://git.php.net/?p=php-src.git;a=commitdiff;h=ca58cd01fc329f907a13b82370427715d9c5bf70

diff -up php-5.3.3/main/SAPI.c.cve1398 php-5.3.3/main/SAPI.c
--- php-5.3.3/main/SAPI.c.cve1398	2012-10-16 14:30:26.758985400 +0200
+++ php-5.3.3/main/SAPI.c	2012-10-16 14:34:03.096505458 +0200
@@ -587,16 +587,26 @@ SAPI_API int sapi_header_op(sapi_header_
 			return FAILURE;
 		}
 	} else {
-		/* new line safety check */
-		char *s = header_line, *e = header_line + header_line_len, *p;
-		while (s < e && (p = memchr(s, '\n', (e - s)))) {
-			if (*(p + 1) == ' ' || *(p + 1) == '\t') {
-				s = p + 1;
-				continue;
+		/* new line/NUL character safety check */
+		int i;
+		for (i = 0; i < header_line_len; i++) {
+			/* RFC 2616 allows new lines if followed by SP or HT */
+			int illegal_break =
+					(header_line[i+1] != ' ' && header_line[i+1] != '\t')
+					&& (
+						header_line[i] == '\n'
+						|| (header_line[i] == '\r' && header_line[i+1] != '\n'));
+			if (illegal_break) {
+				efree(header_line);
+				sapi_module.sapi_error(E_WARNING, "Header may not contain "
+						"more than a single header, new line detected");
+				return FAILURE;
+			}
+			if (header_line[i] == '\0') {
+				efree(header_line);
+				sapi_module.sapi_error(E_WARNING, "Header may not contain NUL bytes");
+				return FAILURE;
 			}
-			efree(header_line);
-			sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
-			return FAILURE;
 		}
 	}