Bug 79868 - define STDIN dumps core - Segmentation Fault
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: php
Version: 7.3
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
QA Contact: David Lawrence
Reported: 2002-12-17 12:38 EST by Timothy Burt
Modified: 2007-04-18 12:49 EDT

Doc Type: Bug Fix
Last Closed: 2005-02-03 07:09:13 EST


Description Timothy Burt 2002-12-17 12:38:40 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
If executed from a shell prompt.

The following code fragment dumps core:

#!/usr/bin/php 
<?
define('STDIN',fopen("php://stdin","r"));
?>

This has been tested with PHP Version 4.1.2 on a fully patched up:
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19-7.0.16 on an i686

and:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3




Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. create the three line script
2. ./scriptname
3. Segmentation fault (core dumped) OR 
    Segmentation fault

Actual Results:  Segmentation fault

Additional info:

My scripts are broken.  I don't know of a workaround.

Does anybody know of a way to capture STDIN without core dumping?

Core Dumps = Potential for exploit.
Comment 1 Mark J. Cox (Product Security) 2002-12-18 09:29:41 EST
Removing security status, this isn't a security issue.  A segmentation fault you
cause by crashing a program that is running as yourself isn't a vulnerability.
Comment 2 Timothy Burt 2002-12-18 10:05:07 EST
Thanks for the quick reply.

However, if this script is called from a webpage (php is after all a web 
scripting language), and it creates a segmentation fault, then isn't there the 
possibility that this could become a remote exploit?  Not a root exploit, since 
Apache no longer runs as root, but at least to the privilege level of the 
webserver (Apache)?

Could a hosting client ftp the example script to a server and possibly obtain 
Apache privileges by running the script from a browser?

Is this a security issue?

Thanks again for the prompt reply.  I will let you be the judge.
Comment 3 Timothy Burt 2002-12-18 10:14:22 EST
I just finished a compile of PHP 4.2.2 from the RH 8.0 distribution, and it 
does not core dump.

I copied the executable to /usr/bin/php422, and I call it explicitly from my 
scripts.

This is a satisfactory workaround for me.

You can go ahead and close this bug with the usual "Fixed in Rawhide".
Comment 4 Alan Cox 2002-12-18 13:54:56 EST
Works for me in 8.0

I agree it's security since hosting sites for example may allow secure php stuff
but this might allow shell access. Until we know why it crashes I think it's a bug.
