Bug #73524 segfault in scandir over ssh2
Submitted: 2016-11-15 09:25 UTC Modified: 2018-11-24 17:44 UTC
Avg. Score:4.8 ± 0.5
Reproduced:29 of 30 (96.7%)
Same Version:24 (82.8%)
Same OS:9 (31.0%)
From: af at ins dot de Assigned:
Status: Closed Package: ssh2 (PECL)
PHP Version: 7.2.12 OS: linux 4.4.27-gentoo
Private report: No CVE-ID: None
 [2016-11-15 09:25 UTC] af at ins dot de
When using scandir() over a ssh2-stream scandir creates a segmentation fault.

We have tested this with libSSH2 1.7.0 and libSSH 1.8.0.

When we downgrade to PHP 5.6.27 (tested with libSSH2 1.7.0 and libSSH 1.8.0) the segmentation fault does not occur and the script works as expected.

Test script:
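$ssh2 = ssh2_connect('', 22);
if (!ssh2_auth_password($ssh2, 'yourusername','yourpassword')) {
  echo("auth error\n");
}
$sftp = ssh2_sftp($ssh2);

// Build the wrapper path; the resource is cast to the string "Resource id #N"
$te = "ssh2.sftp://" . $sftp . "/receive/";
echo("te=" . $te . "\n");

echo("before scandir!\n");
$files = scandir($te, SCANDIR_SORT_ASCENDING);
echo("after scandir!\n");

if ($files === false)
  echo("scandir error\n");
else
  echo("scandir success\n");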

Expected result:
te=ssh2.sftp://Resource id #5/receive/
before scandir!
after scandir!
scandir success

Actual result:
te=ssh2.sftp://Resource id #5/receive/
before scandir!
Segmentation fault


 [2016-11-16 16:15 UTC] portale at partyerleben dot de
I have got the same issue when using is_dir, dir and fopen.
- php 5.6.28
- php5-ssh2 1:0.12-2~dotdeb+7.1
- libSSH 1.4.2.-1.1+deb7u2

Downgrading to php 5.6.27 solves the problem as already described.
In addition to that I removed php5-ssh2 and installed ssh2 from pecl (v. 0.13). It causes no segmentation fault, but could not find the sftp-path with php 5.6.28. With version 5.6.27 it works fine.
 [2016-11-16 16:28 UTC] jerome dot auge at anakeen dot com
Since upgrading to 5.6.28, I experience problems with mkdir("ssh2.sftp://$conn/$dir") and ssh2_sftp_mkdir($conn, $dir) calls always returning bool(false):

- mkdir("ssh2.sftp://$conn/$dir") returns bool(false), no error messages are printed on error_log, and the directory is not created.
- ssh2_sftp_mkdir($conn_sftp, $dir) returns bool(false), no error messages are printed on error_log, but the directory is correctly created.

Reverting to PHP 5.6.27 corrects these problems.

- Ubuntu   12.04
- PHP      5.6.28 (from Ondřej Surý)
- php-ssh2 0.13 (from Ondřej Surý)
- libssh2  1.2.8-2 (from Ubuntu)
 [2016-11-18 07:45 UTC] liborm85 at gmail dot com
This bug is probably fixed in ssh2 Git, but not in a released version.

Commit in PHP 5 branch:

Commit PHP 7 branch:
 [2016-11-21 14:08 UTC]
In my case, the patch mentioned here fixed the problem with both v5.6.28 and v7.0.13.
Without the patch, opendir() on v5.6.27 and v7.0.12 worked fine, while v5.6.28 and v7.0.13 returned "false" without any error.
 [2016-12-14 22:35 UTC] sistemas at consorcioabierto dot com
Same issue when using scandir() over a ssh2 stream.

- Debian 8
- PHP 5.6.28
- php5-ssh2 0.12-3
- libssh2 1.4.3-4.1+deb8u1

Downgrading php solves the problem.
 [2016-12-15 09:47 UTC] ovoelker at wavecon dot de
This is a short note on downgrading PHP on Debian 8 with 5.6.28, because 5.6.27 seems to have vanished from their repos:

Add this to sources.list:
deb jessie/updates main

then: "apt-get -o Acquire::Check-Valid-Until=false update"

then downgrade like that (add other packages if needed):

apt-get install php5=5.6.27+dfsg-0+deb8u1 php5-sqlite=5.6.27+dfsg-0+deb8u1 php5-common=5.6.27+dfsg-0+deb8u1 libapache2-mod-php5=5.6.27+dfsg-0+deb8u1 php5-cli=5.6.27+dfsg-0+deb8u1 php5=5.6.27+dfsg-0+deb8u1 php5-sqlite=5.6.27+dfsg-0+deb8u1 php5-gd=5.6.27+dfsg-0+deb8u1 php5-cli=5.6.27+dfsg-0+deb8u1 php5-imap=5.6.27+dfsg-0+deb8u1 php5-pgsql=5.6.27+dfsg-0+deb8u1 php5-mcrypt=5.6.27+dfsg-0+deb8u1 php5-intl=5.6.27+dfsg-0+deb8u1 php5-curl=5.6.27+dfsg-0+deb8u1 php5-mysql=5.6.27+dfsg-0+deb8u1 libapache2-mod-php5=5.6.27+dfsg-0+deb8u1 php-pear=5.6.27+dfsg-0+deb8u1
 [2016-12-15 22:13 UTC] m dot zygmuntowicz at onet dot pl
The segfault happens whenever an "ssh2.sftp://Resource id #NNN/..."
wrapper is used.
Changing it to "ssh2.sftp://NNN/..." seems to work around the issue.
I can confirm 5.6.27 is not affected by this bug.
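
The two wrapper forms contrasted in the comment above, as an added example that is not part of the original thread or of the ssh2 extension. The helper names sftp_url() and assert_safe_sftp_url() are hypothetical, and a php://memory stream stands in for the SFTP resource so the cast difference can be seen without a server:

```php
<?php
// Added example: build ssh2.sftp:// URLs from the numeric resource id
// ("ssh2.sftp://NNN/...") instead of the string cast "Resource id #NNN".
// sftp_url() and assert_safe_sftp_url() are hypothetical helper names.

function sftp_url($sftp, string $path): string
{
    if (!is_resource($sftp)) {
        throw new InvalidArgumentException('expected an SFTP resource');
    }
    // intval() on a resource yields its numeric id (the NNN in "Resource id #NNN").
    return 'ssh2.sftp://' . intval($sftp) . '/' . ltrim($path, '/');
}

function assert_safe_sftp_url(string $url): string
{
    // Refuse the string-cast form that the thread reports as crashing.
    if (preg_match('~^ssh2\.sftp://Resource id #\d+~', $url)) {
        throw new RuntimeException("string-cast resource in wrapper URL: $url");
    }
    return $url;
}

// Constructed stand-in: any resource shows the cast difference, so this part
// runs without an SSH server. With ext-ssh2, pass the result of ssh2_sftp().
$res = fopen('php://memory', 'r');

$bad  = 'ssh2.sftp://' . $res . '/receive/';   // form used in the report
$good = sftp_url($res, '/receive/');           // workaround form

echo "report form:     $bad\n";
echo "workaround form: $good\n";

try {
    assert_safe_sftp_url($bad);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Real use (assumes an authenticated $ssh2 connection):
//   $sftp  = ssh2_sftp($ssh2);
//   $files = scandir(assert_safe_sftp_url(sftp_url($sftp, '/receive/')));
//   if ($files === false) { /* handle the error instead of assuming success */ }
```
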
 [2016-12-18 16:52 UTC] edvsb at gmx dot de
Same problem with PHP 5.6.29-0+deb8u1.

Segfaults, if the ssh2.sftp-Wrapper is used. Like "if(!is_dir('ssh2.sftp://'.$this->sftp_con.$dir))"
 [2018-11-24 17:44 UTC] af at ins dot de
-Status: Open
+Status: Closed
-PHP Version: 5.6.28
+PHP Version: 7.2.12
 [2018-11-24 17:44 UTC] af at ins dot de
Tested the Bug again with 7.2.10 and 7.2.12. The bug is fixed.
Last updated: Wed Nov 25 20:01:23 2020 UTC