First Last Prev Next    This bug is not in your last search results.
Bug 79868 - define STDIN dumps core - Segmentation Fault
define STDIN dumps core - Segmentation Fault
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: php (Show other bugs)
7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
David Lawrence
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-12-17 12:38 EST by Timothy Burt
Modified: 2007-04-18 12:49 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-02-03 07:09:13 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Timothy Burt 2002-12-17 12:38:40 EST 
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
If executed from a shell prompt.

The following code fragment dumps core:

#!/usr/bin/php 
<?
define('STDIN',fopen("php://stdin","r"));
?>

This has been tested with PHP Version 4.1.2 on a fully patched up:
Red Hat Linux release 7.0 (Guinness)
Kernel 2.2.19-7.0.16 on an i686

and:
Red Hat Linux release 7.3 (Valhalla)
Kernel 2.4.18-3




Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. create the three line script
2. ./scriptname
3. Segmentation fault (core dumped) OR 
    Segmentation fault

Actual Results:  Segmentation fault

Additional info:

My scripts are broken.  I don't know of a workaround.

Does anybody know of a way to capture STDIN without core dumping?

Core Dumps = Potential for exploit.
Comment 1 Mark J. Cox (Product Security) 2002-12-18 09:29:41 EST 
Removing security status, this isn't a security issue.  A segmentation fault you
cause by crashing a program that is running as yourself isn't a vulnerability.
Comment 2 Timothy Burt 2002-12-18 10:05:07 EST 
Thanks for the quick reply.

However, if this script is called from a webpage (php is after all a web 
scripting language), and it creates a segmentation fault, then isn't there the 
possibility that this could become a remote exploit?  Not a root exploit, since 
Apache no longer runs as root, but at least to the privlege level of the 
webserver (Apache)?

Could a hosting client ftp the example script to a server and possibly obtain 
Apache privleges by running the script from a browser?

Is this a security issue?

Thanks again for the prompt reply.  I will let you be the judge.
Comment 3 Timothy Burt 2002-12-18 10:14:22 EST 
I just finished a compile of PHP 4.2.2 from the RH 8.0 distribution, and it 
does not core dump.

I copied the executable to /usr/bin/php422, and I call it explicitly from my 
scripts.

This is a satisfactory workaround for me.

You can go ahead and close this bug with the usual "Fixed in Rawhide".
Comment 4 Alan Cox 2002-12-18 13:54:56 EST 
Works for me in 8.0

I agree its security since hosting sites for example may allow secure php stuff
but this might allow shell access. Until we know why it crashes I think its a bug
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.