Suhosin Patch 0.9.8 for PHP 5.3.0 *BETA* - Please Test

August 13th, 2009 | by Stefan Esser |

It has been several weeks since the release of PHP 5.3.0, and I haven’t released a stable Suhosin Patch for PHP 5.3.0 yet. The reason for this is that I was away from my development machine with a half-ready new generation of the Suhosin Patch waiting to be fixed.

With PHP 5.3.0 the need for a realpath() protection is gone, because PHP 5.3.0 now ships with a far better implementation by default. Therefore the code for the realpath() protection was completely removed from Suhosin 0.9.8. Another problem people often ran into was that Suhosin’s memory manager canary protection was alerting them of memory corruptions that did no visible harm to PHP installations without the Suhosin Patch. Because of this I decided to add support for environment variables that are evaluated when PHP starts and allow configuring how the Suhosin Patch works. To protect the settings, they are stored in a memory page that is set to read-only after it has been initialized.

The following environment variables are currently supported:

  • SUHOSIN_MM_USE_CANARY_PROTECTION
    • default: 1
    • Set to 0 to disable canary protection. A copy of the MM that has no canaries will be used instead. This is nearly the same as the MM of vanilla PHP.
  • SUHOSIN_MM_DESTROY_FREE_MEMORY
    • default: 0
    • Set to 1 to enable free memory destruction. Every piece of freed memory will be overwritten. This makes debugging e.g. use-after-free memory corruption bugs easier without using a debug build of PHP.
  • SUHOSIN_MM_IGNORE_CANARY_VIOLATION
    • default: 0
    • Set to 1 to stop Suhosin from aborting the process when it detects canary violations. The violations will be logged and the canary restored. It is strongly recommended to NOT use this feature. But it is more secure to use this feature than to disable Suhosin completely, which is what happened in the past when people saw canary violation error messages.
  • SUHOSIN_HT_IGNORE_INVALID_DESTRUCTOR
    • default: 0
    • Set to 1 to stop Suhosin from aborting the process when it detects an invalid Hashtable destructor. It is strongly recommended to NOT use this feature.
  • SUHOSIN_LL_IGNORE_INVALID_DESTRUCTOR
    • default: 0
    • Set to 1 to stop Suhosin from aborting the process when it detects an invalid LinkedList destructor. It is strongly recommended to NOT use this feature.
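The two mechanisms described above, settings read from the environment at startup into a page that is then sealed read-only, and a canary check whose reaction depends on those settings, in a small self-contained C program. This is an added example written for this post, not code from the Suhosin Patch; the struct layout, the canary constant, the toy allocator and the probe helper are all assumptions made here (only the variable names and their defaults come from the post):

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Settings read once at startup. Field names mirror the environment variables
 * listed in the post; the struct itself is an assumption of this example. */
struct mm_settings {
    int use_canary_protection;    /* SUHOSIN_MM_USE_CANARY_PROTECTION, default 1 */
    int destroy_free_memory;      /* SUHOSIN_MM_DESTROY_FREE_MEMORY, default 0 */
    int ignore_canary_violation;  /* SUHOSIN_MM_IGNORE_CANARY_VIOLATION, default 0 */
};

/* Read a 0/1 flag from the environment, falling back to the documented default. */
static int env_flag(const char *name, int dflt) {
    const char *v = getenv(name);
    return (v == NULL || *v == '\0') ? dflt : (atoi(v) != 0);
}

/* Put the settings in their own page and seal it read-only once initialized, so a
 * later memory-corruption bug cannot silently flip a protection off. */
static const struct mm_settings *load_settings(void) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    struct mm_settings *s = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s == MAP_FAILED) return NULL;
    s->use_canary_protection   = env_flag("SUHOSIN_MM_USE_CANARY_PROTECTION", 1);
    s->destroy_free_memory     = env_flag("SUHOSIN_MM_DESTROY_FREE_MEMORY", 0);
    s->ignore_canary_violation = env_flag("SUHOSIN_MM_IGNORE_CANARY_VIOLATION", 0);
    if (mprotect(s, pagesz, PROT_READ) != 0) { munmap(s, pagesz); return NULL; }
    return s;
}

static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

/* Probe helper: 1 if a write to p faults (page is sealed), 0 if the write succeeds. */
static int write_faults(const void *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int faulted = 1;
    if (sigsetjmp(probe_env, 1) == 0) {
        *(volatile int *)(uintptr_t)p = 42;   /* faults on a read-only page */
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Toy canary-guarded allocation: one canary word before and after the user data. */
typedef uint32_t canary_t;
#define CANARY_VALUE 0x2A8FC1B9u   /* constructed constant, not Suhosin's */

static void *canary_alloc(size_t size) {
    unsigned char *raw = malloc(2 * sizeof(canary_t) + size);
    if (raw == NULL) return NULL;
    canary_t c = CANARY_VALUE;
    memcpy(raw, &c, sizeof c);
    memcpy(raw + sizeof c + size, &c, sizeof c);
    return raw + sizeof c;
}

/* 1 if either canary was overwritten, 0 if both are intact. */
static int canary_violated(const void *user, size_t size) {
    const unsigned char *raw = (const unsigned char *)user - sizeof(canary_t);
    canary_t head, tail;
    memcpy(&head, raw, sizeof head);
    memcpy(&tail, raw + sizeof(canary_t) + size, sizeof tail);
    return head != CANARY_VALUE || tail != CANARY_VALUE;
}

/* Policy from the post: by default a violation aborts (returns 1 here); with
 * SUHOSIN_MM_IGNORE_CANARY_VIOLATION=1 it is logged, the canary restored and
 * execution continues (returns 0). */
static int handle_violation(const struct mm_settings *s, void *user, size_t size) {
    if (!s->use_canary_protection || !canary_violated(user, size)) return 0;
    fprintf(stderr, "canary violation in block %p (%zu bytes)\n", user, size);
    if (!s->ignore_canary_violation) return 1;
    unsigned char *raw = (unsigned char *)user - sizeof(canary_t);
    canary_t c = CANARY_VALUE;
    memcpy(raw, &c, sizeof c);
    memcpy(raw + sizeof c + size, &c, sizeof c);
    return 0;
}

/* With SUHOSIN_MM_DESTROY_FREE_MEMORY=1 the block is wiped before release. */
static void canary_free(const struct mm_settings *s, void *user, size_t size) {
    unsigned char *raw = (unsigned char *)user - sizeof(canary_t);
    if (s->destroy_free_memory) memset(raw, 0xFE, 2 * sizeof(canary_t) + size);
    free(raw);
}

int main(void) {
    const struct mm_settings *s = load_settings();
    if (s == NULL) return 1;
    printf("settings page sealed: %s\n", write_faults(s) ? "yes" : "no");
    char *buf = canary_alloc(8);
    memset(buf, 'A', 9);   /* simulated one-byte overflow into the trailing canary */
    printf("violation detected: %d, abort: %d\n", canary_violated(buf, 8),
           handle_violation(s, buf, 8));
    canary_free(s, buf, 8);
    return 0;
}
```

Run it once with no variables set and once with `SUHOSIN_MM_IGNORE_CANARY_VIOLATION=1` in the environment to see the difference between the abort decision and the log-and-restore path; the sealed page means the flags can only be chosen before the process starts, which is exactly why the post recommends leaving the ignore options off.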

Because the new features of the Suhosin Patch contain new code and some hacks, I am releasing the BETA version of the new Suhosin Patch to the public and hope people will test it on different OS/CPU/… combinations and mail me the results at <stefan.esser@sektioneins.de>.

The patch can be downloaded here.

8 Responses to “Suhosin Patch 0.9.8 for PHP 5.3.0 *BETA* - Please Test”

  By trophaeum on Aug 14, 2009 | Reply

    now we just get to wait for zend optimizer and ioncube to release versions for 5.3 then hosts can start upgrading… sigh, hurry up zend and ioncube, I’m sick of waiting for you guys to put 5.3 onto my hosting environments!!! 5.3 rocks, especially now that suhosin is available :)

  By Pierre on Aug 14, 2009 | Reply

    The patch seems to work fine but the suhosin extension does make some trouble with PHP 5.3. Most scripts work fine but MediaWiki 1.15.1 makes php just segfault. This happens with or without the suhosin patch and with both suhosin extension 0.9.27 and 0.9.28. I am testing with lighttpd/1.4.23 on Arch Linux. Disabling the extension or downgrading to php-5.2.10 “solves” the issue.

    I did not look any further but maybe someone can confirm that php 5.3+suhosin extension+mediawiki either works or is just doing fine.

    Greetings,

    Pierre

  By Florian on Aug 17, 2009 | Reply

    Pierre, I have
    - lighttpd/1.4.20
    - PHP 5.3.0 with this patch as fcgi
    and when I installed MediaWiki 1.15.1 I had no problems.

  By Pierre on Aug 17, 2009 | Reply

    @Florian: The issue is fixed with the latest extension 0.9.29. The segfault was triggered by calling extract() somewhere in the DBLoadBalancer; maybe due to your configuration this was never called.

4 Trackback(s)

  Aug 14, 2009: Suspekt Blog: Suhosin Patch 0.9.8 for PHP 5.3.0 *BETA* - Please Test | PHP
  Aug 15, 2009: Suspekt Blog: Suhosin Patch 0.9.8 for PHP 5.3.0 *BETA* - Please Test | Webs Developer
  Feb 27, 2010: Suspekt… » Blog Archive » Debian breaks Suhosin Security Feature
  Feb 28, 2010: Debian breaks Suhosin Security Feature | BrainPair - the Techno Blog
