[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Ohh btw…

> I have walked the bug list for 5.3 mentioning suhosin[2] to actually
> at least partially support what I have just said. I have found few
> bugs where suhosin was causing a problems ([3],[4]) and a handful of
> bugs with "have suhosin, cannot help". I know this isn't (and can't
> be) a definitive list, but it just show that
> P.S.: Also see stas reply[5] about valgrind.
> Links:
> 1. http://www.hardened-php.net/hphp/faq.html#why_is_hardening-patch_not_part_of_php
> 2. https://bugs.php.net/search.php?search_for=suhosin&boolean=0&limit=90&order_by=&direction=DESC&cmd=display&status=All&bug_type=All&project=PHP&php_os=&phpver=5.3&cve_id=&assign=&author_email=&bug_age=0&bug_updated=0
> 3. https://bugs.php.net/bug.php?id=60216
> 4. https://bugs.php.net/bug.php?id=60935
> 5. http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/

1) You understand that Hardening-Patch is not Suhosin-Patch, do you?

2) Maybe you should also search for: Have Debian, then use a clean PHP not a broken Debian build

Bug 3 -> is not a bug in Suhosin, it is the fact that the suhosin.executor.max_depth function was not set correctly. Reading the documentation helps: http://www.hardened-php.net/suhosin/configuration.html#suhosin.executor.max_depth

Bug 4 -> the guy is actually writing inside the bug report that the problem occurs with and without Suhosin

5) You can just start PHP with the environment variable SUHOSIN_MM_USE_CANARY_PROTECTION=0 and can use valgrind.

So basically all points you bring up are no issues.

Stefan Esser

Reply to: