libssh2-php segmentation fault

Bug #1712994 reported by Christian Thiemann on 2017-08-25
This bug affects 5 people
Affects: php-ssh2 (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Since the PHP security update on/around Aug 10 (5.5.9+dfsg-1ubuntu4.22), using the ssh2 wrappers causes a segmentation fault.

$host = "...";
$port = 22;
$user = "...";
$pubkeyfile = "...";
$privkeyfile = "...";
$path = "...";

$conn = ssh2_connect($host, $port);
ssh2_auth_pubkey_file($conn, $user, $pubkeyfile, $privkeyfile);
$handle = ssh2_sftp($conn);
scandir("ssh2.sftp://$handle/$path");

# lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04

# apt-cache policy libssh2-php
libssh2-php:
  Installed: 0.12-1build1
  Candidate: 0.12-1build1
  Version table:
 *** 0.12-1build1 0
        500 http://ftp.halifax.rwth-aachen.de/ubuntu/ trusty/universe amd64 Packages
        500 http://de.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status

# gdb backtrace
Program received signal SIGSEGV, Segmentation fault. [340/2496]
__strstr_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strstr-sse2-unaligned.S:22
22 ../sysdeps/x86_64/multiarch/strstr-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __strstr_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strstr-sse2-unaligned.S:22
#1 0x00007fffec0302d8 in php_ssh2_fopen_wraper_parse_path () from /usr/lib/php5/20121212/ssh2.so
#2 0x00007fffec0340b2 in ?? () from /usr/lib/php5/20121212/ssh2.so
#3 0x000000000069fd62 in _php_stream_opendir ()
#4 0x00000000006a05b4 in _php_stream_scandir ()
#5 0x0000000000612741 in zif_scandir ()
#6 0x00000000006d5c2b in dtrace_execute_internal ()
#7 0x0000000000795020 in ?? ()
...
#37 0x0000000000795670 in ?? ()
#38 0x000000000070f958 in execute_ex ()
#39 0x00000000006d5b29 in dtrace_execute_ex ()
#40 0x00000000006e71b0 in zend_execute_scripts ()

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in php-ssh2 (Ubuntu):
status: New → Confirmed
Marco Scholl (traxanos) wrote :

Same problem here. This bug affected many web applications in our data center. Why does nobody fix this regression?

Christian Thiemann (thiemann) wrote :

FYI in case someone can't wait for a package update being shipped, the workaround mentioned in the other bug works for me:

$handle = ssh2_sftp($conn);
//scandir("ssh2.sftp://$handle/$path");
scandir("ssh2.sftp://".intval($handle)."/$path");

https://bugs.launchpad.net/ubuntu/+source/php-ssh2/+bug/1663281/comments/5
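
The workaround above as a reusable helper, added here as an example and not taken from the bug report or the ssh2 extension. `sftp_stream_url` is a hypothetical name, and a `php://memory` stream stands in for the SFTP handle so the two URL forms can be compared without an SSH server.

```php
<?php
// Added example: hypothetical helper, not code from the report or from php-ssh2.

/**
 * Build an ssh2.sftp:// URL from an SFTP handle using its numeric resource
 * id (the intval() form from the workaround), never the string cast.
 * Written without scalar type hints so it also runs on PHP 5.5.
 */
function sftp_stream_url($sftp, $path)
{
    if (!is_resource($sftp)) {
        // ssh2_sftp() returns false on failure; intval(false) is 0, which
        // would yield a URL pointing at a non-existent resource id.
        throw new InvalidArgumentException('SFTP handle is not a live resource');
    }
    if (!is_string($path) || $path === '' || strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('Invalid remote path');
    }
    return 'ssh2.sftp://' . intval($sftp) . '/' . ltrim($path, '/');
}

// Constructed stand-in: any resource shows the difference between the forms.
$handle = fopen('php://memory', 'r');

// String cast of a resource: the host part becomes "Resource id #N".
echo "interpolated: ssh2.sftp://$handle/var/log\n";

// intval() of a resource: the host part is just the number N.
echo "intval form:  " . sftp_stream_url($handle, '/var/log') . "\n";

// A failed ssh2_sftp() call (false) is rejected instead of being interpolated.
try {
    sftp_stream_url(false, '/var/log');
} catch (InvalidArgumentException $e) {
    echo "rejected:     " . $e->getMessage() . "\n";
}

fclose($handle);
```

Routing every `ssh2.sftp://` path through one helper also makes it easy to find and remove the workaround once a fixed package is installed.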
