[nycphp-talk] Mythweb (php 5.2.10) doesn't work b/c of suhosin - canaries
Greg Rundlett (freephile)
greg at freephile.com
Sat Jan 9 18:14:59 EST 2010
Anyone else have a problem with mythweb, suhosin or php5.2.10?
I've recently upgraded my mythbuntu setup to 9.10 (karmic koala) and
mythweb doesn't work b/c of a suhosin error. I get a big white
screen. The error found in apache's log is
ALERT - canary mismatch on efree() - heap overflow detected (attacker
'::1', file '/usr/share/mythtv/mythweb/includes/errors.php', line 211
(generated by suhosin [1][2] )
Line 211 is an innocuous $constant_list = get_defined_constants(true);
Supposedly this is fixed upstream, or in newer versions of either
apache or php5 [3], but I don't see a lot of information about it.
There was a somewhat related bug [4][5] with a workaround where you
could turn off session encryption in the suhosin.ini but that doesn't
work in my case (there's not even a suhosin.ini config file b/c
suhosin is built in to php-common -- and if you create the config +
setting and/or install the compiled add-on (php5-suhosin), the problem
still manifests). Some other bugs involve segfaults in debian for
php5.2.10 [6]. Still other problems have been reported that might be
due to a conflict between suhosin and xdebug, but I've made sure that
neither package is installed [7].
You can't uninstall suhosin because it's compiled into the
php5-common package. I guess I could either build from source [8], or
try to upgrade.
Lucid has PHP 5.2.11 [9] so I guess I can use pinning [10] to upgrade
to that version, but I haven't done that yet.
I did try installing xdebug, valgrind and kcachegrind to look for more
details, but it doesn't reveal anything.
== Details of my system ==
uname -a
Linux hybrid 2.6.31-16-generic #53-Ubuntu SMP Tue Dec 8 04:01:29 UTC 2009 i686 GNU/Linux
greg@hybrid:/var/www$ apache2 -v
Server version: Apache/2.2.12 (Ubuntu)
Server built: Nov 12 2009 22:49:46
greg@hybrid:/var/www$ sudo apt-cache policy apache2
apache2:
Installed: (none)
Candidate: 2.2.12-1ubuntu2.1
Version table:
2.2.12-1ubuntu2.1 0
500 http://us.archive.ubuntu.com karmic-updates/main Packages
500 http://security.ubuntu.com karmic-security/main Packages
2.2.12-1ubuntu2 0
500 http://us.archive.ubuntu.com karmic/main Packages
greg@hybrid:/var/www$ apache2ctl -M
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
Loaded Modules:
core_module (static)
log_config_module (static)
logio_module (static)
mpm_prefork_module (static)
http_module (static)
so_module (static)
alias_module (shared)
auth_basic_module (shared)
auth_digest_module (shared)
authn_file_module (shared)
authz_default_module (shared)
authz_groupfile_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
cgi_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
mime_module (shared)
negotiation_module (shared)
php5_module (shared)
rewrite_module (shared)
setenvif_module (shared)
status_module (shared)
Syntax OK
greg@hybrid:/var/www$ sudo apt-cache policy php5
php5:
Installed: 5.2.10.dfsg.1-2ubuntu6.3
Candidate: 5.2.10.dfsg.1-2ubuntu6.3
Version table:
*** 5.2.10.dfsg.1-2ubuntu6.3 0
500 http://us.archive.ubuntu.com karmic-updates/main Packages
500 http://security.ubuntu.com karmic-security/main Packages
100 /var/lib/dpkg/status
5.2.10.dfsg.1-2ubuntu6 0
500 http://us.archive.ubuntu.com karmic/main Packages
greg@hybrid:/var/www$ php -v
PHP 5.2.10-2ubuntu6.3 with Suhosin-Patch 0.9.7 (cli) (built: Nov 26 2009 14:42:49)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
php -m
[PHP Modules]
bcmath
bz2
calendar
ctype
curl
date
dba
dom
exif
filter
ftp
gd
gettext
hash
iconv
imap
json
libxml
mbstring
mcrypt
mime_magic
mysql
mysqli
ncurses
openssl
pcntl
pcre
PDO
pdo_mysql
pdo_pgsql
pdo_sqlite
pgsql
posix
readline
Reflection
session
shmop
SimpleXML
soap
sockets
SPL
SQLite
standard
sysvmsg
sysvsem
sysvshm
tokenizer
wddx
xml
xmlreader
xmlwriter
zip
zlib
[Zend Modules]
[1] http://ubuntuforums.org/showthread.php?t=1208437
[2] Stefan Esser's blog
http://www.suspekt.org/2008/10/12/suhosin-canary-mismatch-on-efree-heap-overflow-detected/
[3] http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg197763.html
[4] https://bugs.launchpad.net/ubuntu/+source/php5/+bug/424789
[5] http://www.uluga.ubuntuforums.org/showthread.php?p=7896618
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542514
[7]
sudo apt-get remove php5-suhosin
sudo apt-get remove php5-xdebug
[8] http://chrisblunt.com/blog/2009/05/01/php-fixing-mismatched-canaries-how-to-remove-suhosin-from-debianubuntu-packages/
[9] http://packages.ubuntu.com/lucid/php5-common
[10] http://superuser.com/questions/75052/how-do-i-get-apt-pinning-to-install-the-minimum-required-from-the-unstable-distri
Greg Rundlett
nbpt 978-225-8302
m. 978-764-4424
-skype/aim/irc/twitter freephile
http://profiles.aim.com/freephile
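
The alert quoted in the post says the mismatch was found "on efree()", which is why the reported line can look innocuous: a canary-guarded allocator verifies its guard values only when a block is released, so the location in the log is where the free happened, not where the out-of-bounds write occurred. The C sketch below is an added illustration, not part of the original post and not Suhosin's code; `guarded_alloc`, `guarded_free`, `run_case` and the canary constant are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed guard value; a real allocator would pick a random one per process. */
static const uint32_t CANARY = 0x5AFEC0DEu;

typedef struct { size_t size; uint32_t canary; } guard_hdr;

/* Block layout: [header: size, canary][user data: size bytes][trailing canary] */
void *guarded_alloc(size_t size) {
    guard_hdr *h = malloc(sizeof *h + size + sizeof CANARY);
    if (!h) return NULL;
    h->size = size;
    h->canary = CANARY;
    memcpy((unsigned char *)(h + 1) + size, &CANARY, sizeof CANARY);
    return h + 1;
}

/* Returns 0 if both canaries are intact, -1 on mismatch.
   This is the only place the guards are inspected. */
int guarded_free(void *p, const char *file, int line) {
    guard_hdr *h = (guard_hdr *)p - 1;
    uint32_t tail;
    memcpy(&tail, (unsigned char *)p + h->size, sizeof tail);
    int ok = (h->canary == CANARY && tail == CANARY);
    if (!ok)
        fprintf(stderr, "ALERT - canary mismatch on free (file '%s', line %d)\n",
                file, line);
    free(h);
    return ok ? 0 : -1;
}

/* Simulates a routine that writes len bytes into a cap-byte buffer and frees
   it later; returns the result of the check performed at free time. */
int run_case(size_t cap, size_t len) {
    unsigned char *buf = guarded_alloc(cap);
    if (!buf) return -2;
    memset(buf, 'A', len);  /* len > cap clobbers the trailing canary; no alert yet */
    /* ... unrelated code would run here before the block is released ... */
    return guarded_free(buf, __FILE__, __LINE__);  /* alert names this line */
}

int main(void) {
    printf("in-bounds write:   %d\n", run_case(16, 16));
    printf("one-byte overflow: %d\n", run_case(16, 17));
    return 0;
}
```

When triaging such an alert, the file and line it names mark the point of detection, so the search for the faulty write has to cover whatever touched that block earlier in the request.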