[php-maint] Bug#397179: Please don't add this patch

Jan Wagner waja at cyconet.org
Wed May 23 07:18:11 UTC 2007


Hi,

On Wednesday 23 May 2007 08:25, sean finney wrote:
> hey guys,
>
> just ftr,
>
> On Tuesday 22 May 2007 10:41, Ondřej Surý wrote:
> > > so I'm not that enthusiastic. But I'll do some more research and
> > > experimenting with this patch and a set of PHP applications, and see
> > > whether it's something to worry about or not.
> >
> > I suggest you read the patch :-).
>
> i've actually heard of different breakages caused by the suhosin
> patch, but it seems that in such cases it's usually a matter of tweaking
> some variables here and there to increase certain limits, etc.  also,
> there's a master toggle switch which turns errors into warnings.

Since I'm one of the php-suhosin maintainers, I can confirm that with 
restrictive settings (some of the default settings seem too restrictive for some 
applications) some applications no longer work properly, but this 
leads us to the problem that most applications are badly written 
(like PHP anyway).

> so, we could hypothetically ship with it turned off first to see how it's
> received, and then assuming we're still early enough in the release cycle
> we could turn it on and ship lenny with an active, suhosin-patched php.

Looking into the feature list[¹], the patch for PHP provides only the "Engine 
Protection" with the following features:

* Protects the internal memory manager against buffer overflows with Canary and 
SafeUnlink Protection
* Protects Destructors of Zend Hashtables
* Protects Destructors of Zend Linked-Lists
* Protects the PHP core and extensions against format string vulnerabilities
* Protects against errors in certain libc realpath() implementations

The rest of the feature set is provided by php-suhosin[²].

With kind regards, Jan.
[¹] http://www.hardened-php.net/suhosin/a_feature_list.html
[²] http://packages.qa.debian.org/p/php-suhosin.html
-- 
Never write mail to <waja at spamfalle.info>, you have been warned!
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d-- s+: a- C+++ UL++++ P+ L+++ E- W+++ N+++ o++ K++ w--- O M V- PS PE
Y++ PGP++ t-- 5 X R tv- b+ DI- D++ G++ e++ h-- r+++ y+++
------END GEEK CODE BLOCK------
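The first two "Engine Protection" items in the feature list above (canary and SafeUnlink protection of the memory manager) are easier to reason about with a small model of what such checks do. The following is an added illustration written for this page, not Suhosin's code and not the Zend allocator: a toy allocation wrapper that surrounds the caller's buffer with canaries and verifies them on free, plus a doubly linked list whose unlink refuses to proceed when the neighbouring pointers no longer point back. The canary value, the struct names and the `demo_*` functions are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed canary pattern. A real implementation would randomise it
 * per process or per allocation; the embedded 0x00 byte also stops
 * naive string-copy overflows from writing past it unnoticed. */
#define CANARY_SIZE 8
static const uint8_t CANARY[CANARY_SIZE] = {
    0xCA, 0xFE, 0x0D, 0xF0, 0x0D, 0xBE, 0xEF, 0x00
};

/* Raw block layout: [front canary][user bytes][rear canary] */
struct guarded {
    size_t len;     /* requested user length */
    uint8_t *base;  /* start of the raw block */
    uint8_t *user;  /* pointer handed to the caller */
};

static int guarded_alloc(size_t len, struct guarded *g) {
    g->base = malloc(len + 2 * CANARY_SIZE);
    if (!g->base) return -1;
    g->len = len;
    g->user = g->base + CANARY_SIZE;
    memcpy(g->base, CANARY, CANARY_SIZE);              /* front guard */
    memcpy(g->user + len, CANARY, CANARY_SIZE);        /* rear guard  */
    return 0;
}

/* Bit 1: front canary damaged (underflow), bit 2: rear canary damaged
 * (overflow). 0 means both guards are intact. */
static int guarded_check(const struct guarded *g) {
    int flags = 0;
    if (memcmp(g->base, CANARY, CANARY_SIZE) != 0) flags |= 1;
    if (memcmp(g->user + g->len, CANARY, CANARY_SIZE) != 0) flags |= 2;
    return flags;
}

/* Frees the block and reports the guard state; a hardened allocator
 * would abort instead of returning when flags != 0. */
static int guarded_free(struct guarded *g) {
    int flags = guarded_check(g);
    free(g->base);
    g->base = g->user = NULL;
    return flags;
}

/* Simulated bug: the caller writes 3 bytes past the requested length.
 * The write lands inside our own rear canary, so the model stays
 * within the allocation while showing how the guard catches it. */
int demo_overflow(void) {
    struct guarded g;
    if (guarded_alloc(16, &g) != 0) return -1;
    memset(g.user, 'A', g.len + 3);
    return guarded_free(&g);   /* 2: rear canary damaged */
}

int demo_intact(void) {
    struct guarded g;
    if (guarded_alloc(16, &g) != 0) return -1;
    memset(g.user, 'A', g.len);
    return guarded_free(&g);   /* 0: both guards intact */
}

/* Minimal circular doubly linked list, as used by free lists. */
struct node { struct node *fd, *bk; };

static void list_init(struct node *h) { h->fd = h->bk = h; }

static void list_insert_after(struct node *h, struct node *n) {
    n->fd = h->fd;
    n->bk = h;
    h->fd->bk = n;
    h->fd = n;
}

/* SafeUnlink-style check: only remove p when both neighbours agree
 * that p is between them. Returns -1 and leaves the list untouched
 * when the pointers have been corrupted. */
static int safe_unlink(struct node *p) {
    if (p->fd->bk != p || p->bk->fd != p) return -1;
    p->fd->bk = p->bk;
    p->bk->fd = p->fd;
    return 0;
}

int demo_unlink_ok(void) {
    struct node head, a, b;
    list_init(&head);
    list_insert_after(&head, &a);
    list_insert_after(&head, &b);   /* head -> b -> a -> head */
    return safe_unlink(&a);         /* 0: consistent, removed */
}

int demo_unlink_corruption(void) {
    struct node head, a, b, rogue;
    list_init(&head);
    list_init(&rogue);              /* rogue.fd does not point at a */
    list_insert_after(&head, &a);
    list_insert_after(&head, &b);
    a.bk = &rogue;                  /* simulated pointer corruption */
    return safe_unlink(&a);         /* -1: neighbour does not point back */
}
```

The two checks are independent: the canaries detect that adjacent bytes were written, while the unlink check detects that the list metadata itself was altered, which is why the feature list names them separately.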