Hi release team, the long-awaited new release of php-suhosin was just released a couple of days before the freeze and due to the broken watch file we missed it in time. The new package would fix a bug (#584509), severity important, and some other bugs. php-suhosin (0.9.32.1-1) UNRELEASED; urgency=low * New upstream version (Closes: #584509) - Improved random number seed generation more by adding /dev/urandom juice - Fixed missing header file resulting in wrong php_combined_lcg() prototype being used - Added support for memory_limit > 2GB - Fixed missing header file resulting in compile errors * Drop 10_fix_function_prototype, integrated upstream * Update watch file -- Jan Wagner <waja@cyconet.org> Tue, 13 Apr 2010 13:51:22 +0200 packaging changes: changelog | 13 +++++++++++++ patches/00list | 1 - patches/10_fix_function_prototype.dpatch | 17 ----------------- watch | 2 +- 4 files changed, 14 insertions(+), 19 deletions(-) upstream changes: Changelog | 10 ++++++++++ execute.c | 14 +++++++++++++- memory_limit.c | 12 ++++++++++-- php_suhosin.h | 2 +- 4 files changed, 34 insertions(+), 4 deletions(-) Patches against 0.9.31-1 are attached. Could you please state whether we are allowed to update the package via unstable? Thanks and with kind regards, Jan. -- Never write mail to <waja@spamfalle.info>, you have been warned! -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d-- s+: a C+++ UL++++ P+ L+++ E--- W+++ N+++ o++ K++ w--- O M V- PS PE Y++ PGP++ t-- 5 X R tv- b+ DI D+ G++ e++ h---- r+++ y++++ ------END GEEK CODE BLOCK------
diff -Nurb suhosin-0.9.31/Changelog suhosin-0.9.32.1/Changelog
--- suhosin-0.9.31/Changelog 2010-03-28 22:43:13.000000000 +0200
+++ suhosin-0.9.32.1/Changelog 2010-07-23 21:48:22.000000000 +0200
@@ -1,3 +1,13 @@
+2010-07-23 - 0.9.32.1
+
+ - Fixed missing header file resulting in compile errors
+
+2010-07-23 - 0.9.32
+
+ - Added support for memory_limit > 2GB
+ - Fixed missing header file resulting in wrong php_combined_lcg() prototype being used
+ - Improved random number seed generation more by adding /dev/urandom juice
+
 2010-03-28 - 0.9.31
 
  - Fix ZTS build of session.c
diff -Nurb suhosin-0.9.31/execute.c suhosin-0.9.32.1/execute.c
--- suhosin-0.9.31/execute.c 2010-03-28 22:43:13.000000000 +0200
+++ suhosin-0.9.32.1/execute.c 2010-07-23 21:48:22.000000000 +0200
@@ -23,12 +23,14 @@
 #include "config.h"
 #endif
 
+#include <fcntl.h>
 #include "php.h"
 #include "php_ini.h"
 #include "zend_hash.h"
 #include "zend_extensions.h"
 #include "ext/standard/info.h"
 #include "ext/standard/php_rand.h"
+#include "ext/standard/php_lcg.h"
 #include "php_suhosin.h"
 #include "zend_compile.h"
 #include "zend_llist.h"
@@ -1314,6 +1316,7 @@
 unsigned long stack_value = (unsigned long)&code_value;
 unsigned long heap_value = (unsigned long)SUHOSIN_G(r_state);
 suhosin_SHA256_CTX context;
+ int fd;
 
 code_value ^= code_value >> 32;
 stack_value ^= stack_value >> 32;
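Review bot: `int fd;` in the `@@ -1314,6 +1316,7 @@` hunk is declared unconditionally, while its only use (the /dev/urandom read later in the same function) is compiled under `#ifndef PHP_WIN32`, so Windows builds get an unused-variable warning; wrapping the declaration the same way, `#ifndef PHP_WIN32` / `int fd;` / `#endif`, keeps the two in step. The include hunk above adds `<fcntl.h>` for O_RDONLY but nothing that declares `read()`/`close()`; presumably php.h already pulls in `<unistd.h>`, which is worth confirming on a non-glibc build before relying on it. The enclosing function starts before this hunk and its body continues after it.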
@@ -1330,8 +1333,17 @@
 #endif
 seedbuf[5] = (php_uint32) 0x7fffffff * php_combined_lcg(TSRMLS_C);
 
+#ifndef PHP_WIN32
+ fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
+ if (fd >= 0) {
+ /* ignore error case - if urandom doesn't give us any/enough random bytes */
+ read(fd, &seedbuf[6], 2 * sizeof(php_uint32));
+ close(fd);
+ }
+#endif
+
 suhosin_SHA256Init(&context);
- suhosin_SHA256Update(&context, (void *) seedbuf, sizeof(php_uint32) * 6);
+ suhosin_SHA256Update(&context, (void *) seedbuf, sizeof(php_uint32) * 8);
 suhosin_SHA256Final(seedbuf, &context);
 }
 /* }}} */
diff -Nurb suhosin-0.9.31/memory_limit.c suhosin-0.9.32.1/memory_limit.c
--- suhosin-0.9.31/memory_limit.c 2010-03-28 22:43:13.000000000 +0200
+++ suhosin-0.9.32.1/memory_limit.c 2010-07-23 21:48:22.000000000 +0200
@@ -47,13 +47,21 @@
 SUHOSIN_G(hard_memory_limit) = 0;
 }
 if (new_value) {
- PG(memory_limit) = zend_atoi(new_value, new_value_length);
- if (PG(memory_limit) > hard_memory_limit || PG(memory_limit) < 0) {
+ PG(memory_limit) = zend_atol(new_value, new_value_length);
+ if (hard_memory_limit > 0) {
+ if (PG(memory_limit) > hard_memory_limit) {
 suhosin_log(S_MISC, "script tried to increase memory_limit to %u bytes which is above the allowed value", PG(memory_limit));
 if (!SUHOSIN_G(simulation)) {
 PG(memory_limit) = hard_memory_limit;
 return FAILURE;
 }
+ } else if (PG(memory_limit) < 0) {
+ suhosin_log(S_MISC, "script tried to disable memory_limit by setting it to a negative value %d bytes which is not allowed", PG(memory_limit));
+ if (!SUHOSIN_G(simulation)) {
+ PG(memory_limit) = hard_memory_limit;
+ return FAILURE;
+ }
+ }
 }
 } else {
 PG(memory_limit) = hard_memory_limit;
diff -Nurb suhosin-0.9.31/php_suhosin.h suhosin-0.9.32.1/php_suhosin.h
--- suhosin-0.9.31/php_suhosin.h 2010-03-28 22:43:13.000000000 +0200
+++ suhosin-0.9.32.1/php_suhosin.h 2010-07-23 21:48:22.000000000 +0200
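Review bot: The return value of `read()` on the urandom descriptor is discarded, so a short read (or a failed one) leaves some or all of `seedbuf[6]`/`seedbuf[7]` holding whatever was on the stack, and the widened `suhosin_SHA256Update(..., sizeof(php_uint32) * 8)` then hashes those indeterminate bytes together with the six initialised words; the comment says this is deliberate, but the seed quality degrades silently and memory checkers will flag the uninitialised read. Zeroing the two words first and looping until they are filled keeps the hash input fully defined at no real cost, as below. The declaration of `seedbuf` is outside the hunk; its size is inferred to be at least 8 words because `suhosin_SHA256Final(seedbuf, ...)` writes a 32-byte digest into it, which is worth double-checking. The enclosing function starts before this hunk.
```c
#ifndef PHP_WIN32
	/* defined starting value, so a short read never hashes stack garbage */
	seedbuf[6] = seedbuf[7] = 0;
	fd = VCWD_OPEN("/dev/urandom", O_RDONLY);
	if (fd >= 0) {
		unsigned char *p = (unsigned char *) &seedbuf[6];
		size_t want = 2 * sizeof(php_uint32);
		/* best effort: an error or EOF still falls through to hashing */
		while (want > 0) {
			ssize_t got = read(fd, p, want);
			if (got <= 0) {
				break;
			}
			p += got;
			want -= (size_t) got;
		}
		close(fd);
	}
#endif
	/* … unchanged: SHA256 init / update over 8 words / final … */
```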
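Review bot: Switching to `zend_atol` makes the stored value long-sized (that is the point of the >2GB support), but both log calls in the memory_limit.c hunk still print `PG(memory_limit)` with an int-sized conversion: the unchanged context line uses `%u` and the newly added line uses `%d`, so on LP64 the large values this change enables are logged truncated, and passing a long for `%u`/`%d` is undefined behaviour. Assuming suhosin_log is printf-like (its definition is outside the hunk), changing both to `"... to %ld bytes ..."` and passing `(long) PG(memory_limit)` fixes it. Separately, the `< 0` check now only runs inside `if (hard_memory_limit > 0)`; if a zero hard limit means "no hard limit" that is presumably intended, but it is a behaviour change from the old unconditional test and deserves a line in the Changelog. The two failure branches differ only in the message and could share one block with the message chosen beforehand.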
@@ -22,7 +22,7 @@
 #ifndef PHP_SUHOSIN_H
 #define PHP_SUHOSIN_H
 
-#define SUHOSIN_EXT_VERSION "0.9.31"
+#define SUHOSIN_EXT_VERSION "0.9.32.1"
 
 /*#define SUHOSIN_DEBUG*/
 #define SUHOSIN_LOG "/tmp/suhosin_log.txt"
diff -Nurb php-suhosin-0.9.31/debian/changelog php-suhosin-0.9.32.1/debian/changelog
--- php-suhosin-0.9.31/debian/changelog 2010-08-12 09:45:25.000000000 +0200
+++ php-suhosin-0.9.32.1/debian/changelog 2010-08-12 09:45:32.000000000 +0200
@@ -1,3 +1,16 @@
+php-suhosin (0.9.32.1-1) UNRELEASED; urgency=low
+
+ * New upstream version (Closes: #584509)
+ - Improved random number seed generation more by adding /dev/urandom juice
+ - Fixed missing header file resulting in wrong php_combined_lcg() prototype
+ being used
+ - Added support for memory_limit > 2GB
+ - Fixed missing header file resulting in compile errors
+ * Drop 10_fix_function_prototype, integrated upstream
+ * Update watch file
+
+ -- Jan Wagner <waja@cyconet.org> Tue, 13 Apr 2010 13:51:22 +0200
+
 php-suhosin (0.9.31-1) unstable; urgency=low
 
  * New upstream version
diff -Nurb php-suhosin-0.9.31/debian/patches/00list php-suhosin-0.9.32.1/debian/patches/00list
--- php-suhosin-0.9.31/debian/patches/00list 2010-08-12 09:45:25.000000000 +0200
+++ php-suhosin-0.9.32.1/debian/patches/00list 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-10_fix_function_prototype
diff -Nurb php-suhosin-0.9.31/debian/patches/10_fix_function_prototype.dpatch php-suhosin-0.9.32.1/debian/patches/10_fix_function_prototype.dpatch
--- php-suhosin-0.9.31/debian/patches/10_fix_function_prototype.dpatch 2010-08-12 09:45:25.000000000 +0200
+++ php-suhosin-0.9.32.1/debian/patches/10_fix_function_prototype.dpatch 1970-01-01 01:00:00.000000000 +0100
@@ -1,17 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 10_fix_entropy.dpatch by Stefan <stefan.esser@sektioneins.de>
-##
-## DP: Fix entropy (http://bugs.debian.org/539307)
-
-@DPATCH@
-diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' php-suhosin-0.9.31~/execute.c php-suhosin-0.9.31/execute.c
---- php-suhosin-0.9.31~/execute.c 2010-04-13 11:36:29.000000000 +0200
-+++ php-suhosin-0.9.31/execute.c 2010-04-13 11:37:07.000000000 +0200
-@@ -28,6 +28,7 @@
- #include "zend_hash.h"
- #include "zend_extensions.h"
- #include "ext/standard/info.h"
-+#include "ext/standard/php_lcg.h"
- #include "ext/standard/php_rand.h"
- #include "php_suhosin.h"
- #include "zend_compile.h"
diff -Nurb php-suhosin-0.9.31/debian/watch php-suhosin-0.9.32.1/debian/watch
--- php-suhosin-0.9.31/debian/watch 2010-08-12 09:45:25.000000000 +0200
+++ php-suhosin-0.9.32.1/debian/watch 2010-08-12 09:45:32.000000000 +0200
@@ -1,2 +1,2 @@
 version=3
-http://www.hardened-php.net/suhosin/download.html http://download.suhosin.org/suhosin-(.*)\.tgz
+http://www.hardened-php.net/suhosin/download.html http://download.suhosin.org/suhosin-(.*)\.tar.gz