79868 – define STDIN dumps core - Segmentation Fault

Bug 79868 - define STDIN dumps core - Segmentation Fault

Summary: define STDIN dumps core - Segmentation Fault

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	php
Sub Component:
Version:	7.3
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Joe Orton
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2002-12-17 17:38 UTC by Timothy Burt
Modified:	2007-04-18 16:49 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2005-02-03 12:09:13 UTC
Embargoed:

Attachments	(Terms of Use)

Description Timothy Burt 2002-12-17 17:38:40 UTC

From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
If executed from a shell prompt.

The following code fragment dumps core:

#!/usr/bin/php 
<?
define('STDIN',fopen("php://stdin","r"));
?>

This has been tested with PHP Version 4.1.2 on a fully patched up:
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19-7.0.16 on an i686

and:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3




Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. create the three line script
2. ./scriptname
3. Segmentation fault (core dumped) OR 
    Segmentation fault

Actual Results:  Segmentation fault

Additional info:

My scripts are broken.  I don't know of a workaround.

Does anybody know of a way to capture STDIN without core dumping?

Core Dumps = Potential for exploit.

Comment 1 Mark J. Cox 2002-12-18 14:29:41 UTC

Removing security status, this isn't a security issue.  A segmentation fault you
cause by crashing a program that is running as yourself isn't a vulnerability.

Comment 2 Timothy Burt 2002-12-18 15:05:07 UTC

Thanks for the quick reply.

However, if this script is called from a webpage (php is after all a web 
scripting language), and it creates a segmentation fault, then isn't there the 
possibility that this could become a remote exploit?  Not a root exploit, since 
Apache no longer runs as root, but at least to the privlege level of the 
webserver (Apache)?

Could a hosting client ftp the example script to a server and possibly obtain 
Apache privleges by running the script from a browser?

Is this a security issue?

Thanks again for the prompt reply.  I will let you be the judge.

Comment 3 Timothy Burt 2002-12-18 15:14:22 UTC

I just finished a compile of PHP 4.2.2 from the RH 8.0 distribution, and it 
does not core dump.

I copied the executable to /usr/bin/php422, and I call it explicitly from my 
scripts.

This is a satisfactory workaround for me.

You can go ahead and close this bug with the usual "Fixed in Rawhide".

Comment 4 Alan Cox 2002-12-18 18:54:56 UTC

Works for me in 8.0

I agree its security since hosting sites for example may allow secure php stuff
but this might allow shell access. Until we know why it crashes I think its a bug

Note You need to log in before you can comment on or make changes to this bug.