NYCPHP Meetup

[nycphp-talk] Mythweb (php 5.2.10) doesn't work b/c of suhosin - canaries

Greg Rundlett (freephile) greg at freephile.com
Sat Jan 9 18:14:59 EST 2010


Anyone else have a problem with mythweb, suhosin or php5.2.10?

I've recently upgraded my mythbuntu setup to 9.10 (karmic koala) and
mythweb doesn't work b/c of a suhosin error.  I get a big white
screen.  The error found in apache's log is
 ALERT - canary mismatch on efree() - heap overflow detected (attacker
'::1', file '/usr/share/mythtv/mythweb/includes/errors.php', line 211
(generated by suhosin [1][2] )

line 211 is an innocuous $constant_list = get_defined_constants(true);

Supposedly this is fixed upstream, or in newer versions of either
apache or php5 [3] , but I don't see a lot of information about it.
There was a somewhat related bug [4][5] with a workaround where you
could turn off session encryption in the suhosin.ini but that doesn't
work in my case (there's not even a suhosin.ini config file b/c
suhosin is built in to php-common -- and if you create the config +
setting and/or install the compiled add-on (php5-suhosin), the problem
still manifests).  Some other bugs involve segfaults in debian for
php5.2.10 [6].  Still other problems have been reported that might be
due to a conflict between suhosin and xdebug, but I've made sure that
neither package is installed [7].

You  can't uninstall suhosin because it's compiled into the
php5-common package.  I guess I could either build from source [8], or
try to upgrade

Lucid has PHP 5.2.11 [9] so I guess I can use pinning [10] to upgrade
to that version, but I  haven't done that yet.

I did try installing xdebug, valgrind and kcachegrind to look for more
details, but it doesn't reveal anything.

== Details of my system ==

uname -a
Linux hybrid 2.6.31-16-generic #53-Ubuntu SMP Tue Dec 8 04:01:29 UTC
2009 i686 GNU/Linux

greg at hybrid:/var/www$ apache2 -v
Server version: Apache/2.2.12 (Ubuntu)
Server built:   Nov 12 2009 22:49:46
greg at hybrid:/var/www$ sudo apt-cache policy apache2
apache2:
  Installed: (none)
  Candidate: 2.2.12-1ubuntu2.1
  Version table:
     2.2.12-1ubuntu2.1 0
        500 http://us.archive.ubuntu.com karmic-updates/main Packages
        500 http://security.ubuntu.com karmic-security/main Packages
     2.2.12-1ubuntu2 0
        500 http://us.archive.ubuntu.com karmic/main Packages

greg at hybrid:/var/www$ apache2ctl -M
apache2: Could not reliably determine the server's fully qualified
domain name, using 127.0.1.1 for ServerName
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 status_module (shared)
Syntax OK

greg at hybrid:/var/www$ sudo apt-cache policy php5
php5:
  Installed: 5.2.10.dfsg.1-2ubuntu6.3
  Candidate: 5.2.10.dfsg.1-2ubuntu6.3
  Version table:
 *** 5.2.10.dfsg.1-2ubuntu6.3 0
        500 http://us.archive.ubuntu.com karmic-updates/main Packages
        500 http://security.ubuntu.com karmic-security/main Packages
        100 /var/lib/dpkg/status
     5.2.10.dfsg.1-2ubuntu6 0
        500 http://us.archive.ubuntu.com karmic/main Packages

greg at hybrid:/var/www$ php -v
PHP 5.2.10-2ubuntu6.3 with Suhosin-Patch 0.9.7 (cli) (built: Nov 26
2009 14:42:49)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

php -m
[PHP Modules]
bcmath
bz2
calendar
ctype
curl
date
dba
dom
exif
filter
ftp
gd
gettext
hash
iconv
imap
json
libxml
mbstring
mcrypt
mime_magic
mysql
mysqli
ncurses
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_pgsql
pdo_sqlite
pgsql
posix
readline
Reflection
session
shmop
SimpleXML
soap
sockets
SPL
SQLite
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
zip
zlib

[Zend Modules]



[1] http://ubuntuforums.org/showthread.php?t=1208437
[2] Stefan Esser's blog
http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/
[3] http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg197763.html
[4] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/424789
[5] http://www.uluga.ubuntuforums.org/showthread.php?p=7896618
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542514
[7]
sudo apt-get remove php5-suhosin
sudo apt-get remove php5-xdebug
[8] http://chrisblunt.com/blog/2009/05/01/php-fixing-mismatched-canaries-how-to-remove-suhosin-from-debianubuntu-packages/
[9] http://packages.ubuntu.com/lucid/php5-common
[10] http://superuser.com/questions/75052/how-do-i-get-apt-pinning-to-install-the-minimum-required-from-the-unstable-distri

Greg Rundlett

nbpt 978-225-8302
m. 978-764-4424
-skype/aim/irc/twitter freephile
http://profiles.aim.com/freephile



More information about the talk mailing list