[php-maint] Bug#657698:

Ondřej Surý ondrej at debian.org
Mon Jan 30 22:26:05 UTC 2012

Before the flame begins... I urge everybody who cares enough to not
feed the flame beast.

Responding in a civil manner is OK though, but personally discouraged.


On Mon, Jan 30, 2012 at 23:02, Stefan Esser <stefan.esser at sektioneins.de> wrote:
> Hello Christoph,
>> Unfortunately Debian's php maintainers had to drop the suhosin core
>> patches (for now), as far as I understand mainly because of lack of
>> man-power.
> Yeah it is really amusing that Debian's PHP maintainers spend hours/days on writing emails about dropping Suhosin and voting on it. Then spend more time on patching their build scripts to no longer ship Suhosin by default. Then spend even more time because they broke the build by removing Suhosin… Instead of just leaving the patch inside which would have eaten no time at all.
>> I've opened a bug:
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698
>> where I asked (or begged ;) ) them to add it back or (even better),
> I can understand that you as a Debian user are sad about the fact that Debian's PHP maintainers decided that security is not important.
> However from my point of view it is actually better if Debian does not ship Suhosin by default. That might stop them from spreading nonsense like Suhosin is unmaintained/upstream is not responsive etc…
>> Now the question arose, whether any php extensions would notice and
>> would have to be (re-)compiled for each of the two?
>> So basically, is the ABI identical or not?
> The Suhosin ABI is identical. However the Suhosin patch increases the security of PHP extensions if they are compiled against the Suhosin PHP source, because different macros are defined so that PHP's internal format string functions are used, instead of the system's. This is a protection against format string vulnerabilities.
>> Ideally of course, the suhosin core patch would get merged upstream, perhaps
>> with a runtime option to disable it, but I guess this remains dreaming,
>> right?
> No that will never happen, which is a good thing. You can already disable/enable several Suhosin-Patch features like the memory canaries by just defining different environment variables before starting PHP.
> The Debian PHP maintainers should know all about this, because they patched that code some years ago and made it insecure.
>> btw: As long as Debian no longer applies suhosin core patch,...
>> somewhere on the suhosin website you note that it would be automatically
>> part of PHP in Debian; perhaps one should note that this may no longer
>> be the case, in order not to lead users to wrong assumptions.
> No such message is anywhere on the website. The website only says that there are Suhosin packages in Debian, not that it is automatically selected.
> Therefore there is no need to fix it.
> Regards,
> Stefan Esser

Ondřej Surý <ondrej at sury.org>
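The quoted reply above says the Suhosin patch hardens extensions by routing them through PHP's own format functions as a defence against format string vulnerabilities. The following is an added example, not code from this thread, from Suhosin or from PHP, and it does not reproduce PHP's internal formatter or the macros the reply refers to. It shows the bug class itself in C, the language PHP extensions are written in: the vulnerable shape (attacker text used as the format), the hardened shape (a literal format with user data only filling `%s`), and a defence-in-depth whitelist check for code that must assemble a format at runtime. `format_is_safe()`, `format_into()`, `render_raw()`, `render_user()` and `render_checked()` are hypothetical helpers written for this illustration; the inputs are constructed.

```c
/*
 * Added illustration of the format-string hazard the thread mentions.
 * This is NOT Suhosin or PHP source: format_is_safe(), format_into(),
 * render_raw(), render_user() and render_checked() are hypothetical
 * helpers written for this example only.
 */
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static char scratch[128];   /* output buffer shared by the render_* helpers */

/*
 * Accept only conversions from a whitelist. The one that matters most is
 * %n, which WRITES the byte count through a pointer argument; in a format
 * the attacker controls that becomes an arbitrary write primitive.
 * Unknown or unterminated specifiers are rejected as well.
 */
bool format_is_safe(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') {                /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        /* flags, field width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL)
            p++;
        if (*p == '\0' || strchr("diouxXeEfFgGcsp", *p) == NULL)
            return false;               /* %n, or an unknown/truncated spec */
        p++;
    }
    return true;
}

/* Plain variadic formatter without a format attribute, so the compiler
 * cannot flag the non-literal format passed by render_raw(). */
static int format_into(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/*
 * Vulnerable shape: the attacker's text IS the format string. "%x%x"
 * reads whatever is on the stack, "%n" writes. The example only feeds it
 * a harmless "%%" so that it runs; the bug is the call shape itself.
 */
const char *render_raw(const char *user)
{
    format_into(scratch, sizeof scratch, user);
    return scratch;
}

/* Hardened shape: the format is a literal; user data only ever fills %s. */
const char *render_user(const char *user)
{
    snprintf(scratch, sizeof scratch, "user said: %s", user);
    return scratch;
}

/*
 * Defence in depth for code that really must build a format at runtime:
 * reject it before vsnprintf() sees it. Returns -1 when the format is
 * refused, otherwise the vsnprintf() result.
 */
int render_checked(const char *fmt, ...)
{
    if (!format_is_safe(fmt))
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(scratch, sizeof scratch, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    printf("%s\n", render_user("100%%"));             /* user said: 100%% */
    printf("%s\n", render_raw("100%%"));              /* 100%  (input was parsed as a format) */
    printf("%d\n", render_checked("%s=%d", "x", 7));  /* 3 */
    printf("%d\n", render_checked("%n", (int *)0));   /* -1, refused before formatting */
    return 0;
}
```

Note that the whitelist is a backstop, not a fix: it stops `%n`, but a runtime-built format can still contain more `%s` conversions than there are arguments. The fix for the bug class is the `render_user()` shape, where untrusted data never becomes the format.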