Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
> I have walked the bug list for 5.3 mentioning suhosin to actually
> at least partially support what I have just said. I have found few
> bugs where suhosin was causing a problems (,) and a handful of
> bugs with "have suhosin, cannot help". I know this isn't (and can't
> be) a definitive list, but it just show that
> P.S.: Also see stas reply about valgrind.
> 1. http://www.hardened-php.net/hphp/faq.html#why_is_hardening-patch_not_part_of_php
> 2. https://bugs.php.net/search.php?search_for=suhosin&boolean=0&limit=90&order_by=&direction=DESC&cmd=display&status=All&bug_type=All&project=PHP&php_os=&phpver=5.3&cve_id=&assign=&author_email=&bug_age=0&bug_updated=0
> 3. https://bugs.php.net/bug.php?id=60216
> 4. https://bugs.php.net/bug.php?id=60935
> 5. http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/
1) You understand that Hardening-Patch is not Suhosin-Patch, do you?
2) Maybe you should also search for: Have Debian, then use a clean PHP not a broken Debian build
Bug 3 -> is not a bug in Suhosin, it is the fact that the suhosin.executor.max_depth function was not set correctly. Reading the documentation helps: http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.max_depth
Bug 4 -> the guy is actually writing inside the bug report that the problem occurs with and without Suhosin
5) You can just start PHP with the environment variable SUHOSIN_MM_USE_CANARY_PROTECTION=0 and can use valgrind.
So basically all points you bring up are no issues.