PHP 4.4.0-r1 Segfaults on my script. SECURITY ?

Message

jonaswidarsson · Post by **jonaswidarsson** » Fri Oct 14, 2005 12:04 pm

I have managed to make php-4.4.0-r1 Segfault during some crazy object juggling.
I can provide the complete script. I am not sure what causes the crash but at least I know in which function.

It isn't very large so I figure giving it all to some devs.

I guess a segfault is some kind of a security issue, which is why I want to know how to best report this.

llongi · Post by **llongi** » Fri Oct 14, 2005 1:57 pm

A segfault isn't necessarily a security-issue, but surely one of the "big bugs".

If the problem comes up using normal PHP stuff, report directly to bugs.php.net since it's most probably an upstream PHP bug, in Gentoo we don't really modify PHP; we just add fixes, and the Hardened-PHP patch (so, if you emerged without the hardenedphp USE flag, and it crashes on PHP code, it's most probably an upstream PHP bug). If you somehow think this is something _only_ Gentoo has, report it to bugs.gentoo.org, you could anyway do this and then file also the bug upstream, and then say in the Gentoo bug what url and status the upstream bug has, so we can track it easily and release a -r2 PHP package to fix this once upstream has fixed it in their CVS.
Anyway, when reporting the bug, also to bugs.php.net, follow at least some of those indications:
http://www.gentoo.org/doc/en/bugzilla-howto.xml
Since especially with segfaults, providing a strace and a backtrace with gdb are _really_ helpful and often the only way for devs to know where the problem is and fix it.
Best regards, CHTEKK.