Bug 79868 - define STDIN dumps core - Segmentation Fault
Summary: define STDIN dumps core - Segmentation Fault
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: php
Version: 7.3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-12-17 17:38 UTC by Timothy Burt
Modified: 2007-04-18 16:49 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-02-03 12:09:13 UTC
Embargoed:



Description Timothy Burt 2002-12-17 17:38:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
If executed from a shell prompt.

The following code fragment dumps core:

#!/usr/bin/php 
<?
define('STDIN',fopen("php://stdin","r"));
?>

This has been tested with PHP Version 4.1.2 on a fully patched up:
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19-7.0.16 on an i686

and:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3




Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. create the three line script
2. ./scriptname
3. Segmentation fault (core dumped) OR 
    Segmentation fault

Actual Results:  Segmentation fault

Additional info:

My scripts are broken.  I don't know of a workaround.

Does anybody know of a way to capture STDIN without core dumping?

Core Dumps = Potential for exploit.

Comment 1 Mark J. Cox 2002-12-18 14:29:41 UTC
Removing security status, this isn't a security issue.  A segmentation fault you
cause by crashing a program that is running as yourself isn't a vulnerability.

Comment 2 Timothy Burt 2002-12-18 15:05:07 UTC
Thanks for the quick reply.

However, if this script is called from a webpage (php is after all a web 
scripting language), and it creates a segmentation fault, then isn't there the 
possibility that this could become a remote exploit?  Not a root exploit, since 
Apache no longer runs as root, but at least to the privilege level of the 
webserver (Apache)?

Could a hosting client ftp the example script to a server and possibly obtain 
Apache privileges by running the script from a browser?

Is this a security issue?

Thanks again for the prompt reply.  I will let you be the judge.

Comment 3 Timothy Burt 2002-12-18 15:14:22 UTC
I just finished a compile of PHP 4.2.2 from the RH 8.0 distribution, and it 
does not core dump.

I copied the executable to /usr/bin/php422, and I call it explicitly from my 
scripts.

This is a satisfactory workaround for me.

You can go ahead and close this bug with the usual "Fixed in Rawhide".
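
Added example, not part of the original report or of any commenter's post: a shell check that runs the report's three-line script under each PHP binary named on the command line and reports whether the run exited cleanly or died on a signal. It assumes a shell that reports death by signal N as exit status 128+N (bash, dash); the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Runs the report's three-line script under each PHP binary
# named on the command line and says how each run ended.

# bash and dash report death by signal N as status 128+N; SIGSEGV is 11.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "ok"
    elif [ "$1" -eq 139 ]; then
        echo "segfault"
    elif [ "$1" -gt 128 ]; then
        echo "signal-$(($1 - 128))"
    else
        echo "error-$1"          # e.g. 127 = interpreter not found
    fi
}

# Write the reproducer from the report (shebang omitted: the interpreter
# is passed explicitly so several builds can be compared).
write_repro() {
    cat > "$1" <<'EOF'
<?
define('STDIN',fopen("php://stdin","r"));
?>
EOF
}

# check_interpreter PATH: print the verdict for one interpreter.
check_interpreter() {
    repro=$(mktemp) || return 2
    write_repro "$repro"
    status=0
    # "|| status=$?" keeps a crash from aborting the caller under "set -e".
    "$1" "$repro" </dev/null >/dev/null 2>&1 || status=$?
    rm -f "$repro"
    classify_status "$status"
}

for php in "$@"; do
    printf '%s: %s\n' "$php" "$(check_interpreter "$php")"
done
```

Passing /usr/bin/php and /usr/bin/php422 as arguments compares the two builds mentioned in comment 3.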

Comment 4 Alan Cox 2002-12-18 18:54:56 UTC
Works for me in 8.0

I agree it's security since hosting sites for example may allow secure php stuff
but this might allow shell access. Until we know why it crashes I think it's a bug
