UPDATE: CVE-2008-1488 has been opened for this vulnerability

So I was noticing Apache segfaulting today when I accidentally attempted to include() a Savant3 Error object. I attached strace and saw that it was trying to stat the string representation of Savant3 (whoops!) and was getting back -1 with name too long as the errno, but then shortly after it was segfaulting.

There's a bug in the version of gdb that ships with the FreeBSD I had running on my desktop (see http://lists.freebsd.org/pipermail/freebsd-questions/2006-July/125895.ht...) so I had to install gdb 6.6 and start httpd -X under it to get a backtrace.

Around the time I was setting that up, I noticed that if I turned off APC the crash didn't occur (I decided to check because I knew APC tied into that mechanism) - so with only a relatively small amount of code to look through, I manually built an APC module and installed it unstripped, then was able to break in APC code before the stat and walk it through.

It turns out the bug is caused by use of strcpy where strncpy would have been the better choice. When will people learn?
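To show the pattern behind the crash, here is an added example (not APC's code; the function and buffer names are hypothetical, and the buffer size and inputs are constructed for the demo). It puts the unbounded strcpy beside a bounded copy that rejects overlong names with the same ENAMETOOLONG that stat() returned, and notes why a bare strncpy swap is not quite enough on its own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the demo; a real path resolver would use PATH_MAX. */
#define PATH_BUF 32

/* Vulnerable pattern from the post: an unbounded strcpy into a fixed-size
 * path buffer. A name longer than the buffer silently overruns it.
 * (Hypothetical name; the post does not show APC's actual function.) */
void copy_path_unsafe(char *dst, const char *name) {
    strcpy(dst, name);               /* no bound: overflows on long names */
}

/* Hardened form: check the length first and fail the way stat() did
 * (ENAMETOOLONG) instead of overrunning. Returns 0 on success, -1 on error.
 * strncpy alone is not sufficient: it does not NUL-terminate when the source
 * is too long, so an explicit length check is still needed. */
int copy_path_safe(char *dst, size_t dst_size, const char *name) {
    size_t len = strlen(name);
    if (len >= dst_size) {           /* leave room for the terminator */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, name, len + 1);      /* copies the NUL as well */
    return 0;
}

/* Constructed inputs: a normal include name, and an overlong one standing in
 * for the string form of the Error object that triggered the crash. */
int demo_short(void) {
    char buf[PATH_BUF];
    return copy_path_safe(buf, sizeof buf, "Savant3_Error.php");   /* 0 */
}

int demo_long(void) {
    char buf[PATH_BUF];
    char longname[PATH_BUF * 4];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return copy_path_safe(buf, sizeof buf, longname);   /* -1, errno == ENAMETOOLONG */
}

int main(void) {
    printf("short: %d\n", demo_short());
    printf("long: %d (%s)\n", demo_long(), strerror(errno));
    return 0;
}
```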

Patch: http://papasian.org/~dannyp/apc.patch.dpapasian
Proof of concept: http://papasian.org/~dannyp/apc-vuln.php
Bug report on pecl.php.net: http://pecl.php.net/bugs/bug.php?id=13415