Bug 79868 - define STDIN dumps core - Segmentation Fault
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: php
Version: 7.3
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-12-17 17:38 UTC by Timothy Burt
Modified: 2007-04-18 16:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-02-03 12:09:13 UTC



Description Timothy Burt 2002-12-17 17:38:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
If executed from a shell prompt, the following code fragment dumps core:

#!/usr/bin/php 
<?
define('STDIN',fopen("php://stdin","r"));
?>

This has been tested with PHP Version 4.1.2 on a fully patched up:
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19-7.0.16 on an i686

and:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3




Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. create the three line script
2. ./scriptname
3. Segmentation fault (core dumped) OR 
    Segmentation fault

Actual Results:  Segmentation fault

Additional info:

My scripts are broken.  I don't know of a workaround.

Does anybody know of a way to capture STDIN without core dumping?

Core Dumps = Potential for exploit.

Comment 1 Mark J. Cox 2002-12-18 14:29:41 UTC
Removing security status, this isn't a security issue.  A segmentation fault you
cause by crashing a program that is running as yourself isn't a vulnerability.

Comment 2 Timothy Burt 2002-12-18 15:05:07 UTC
Thanks for the quick reply.

However, if this script is called from a webpage (php is after all a web 
scripting language), and it creates a segmentation fault, then isn't there the 
possibility that this could become a remote exploit?  Not a root exploit, since 
Apache no longer runs as root, but at least to the privilege level of the 
webserver (Apache)?

Could a hosting client ftp the example script to a server and possibly obtain 
Apache privileges by running the script from a browser?

Is this a security issue?

Thanks again for the prompt reply.  I will let you be the judge.

Comment 3 Timothy Burt 2002-12-18 15:14:22 UTC
I just finished a compile of PHP 4.2.2 from the RH 8.0 distribution, and it 
does not core dump.

I copied the executable to /usr/bin/php422, and I call it explicitly from my 
scripts.

This is a satisfactory workaround for me.

You can go ahead and close this bug with the usual "Fixed in Rawhide".

Comment 4 Alan Cox 2002-12-18 18:54:56 UTC
Works for me in 8.0

I agree it's security since hosting sites for example may allow secure php stuff
but this might allow shell access. Until we know why it crashes I think it's a bug


